Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojandownloader.xs


  • Please log in to reply
19 replies to this topic

#1 mel9589

mel9589

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 31 October 2007 - 04:31 PM

Hi I am infected with trojandownloader.XS . I am going to post my hijack this log and that other thing that he other poster about this was required to do. Please Help!!

BC AdBot (Login to Remove)

 


#2 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 31 October 2007 - 04:38 PM

SmitFraudFix v2.238

Scan done at 16:40:34.91, Wed 10/31/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Save\Save.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ace16win.dll FOUND !
C:\WINDOWS\system32\msole32.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"DSPath"="LDAP://CN=User,cn={CCDD4956-9B4D-470C-9A03-E9C97E683483},cn=policies,cn=system,DC=NBPS,DC=NBPS,DC=ORG"
"DSPath"="LDAP://CN=User,cn={071A7905-7831-4283-AC77-AD00C8EE8DD2},cn=policies,cn=system,DC=NBPS,DC=NBPS,DC=ORG"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 128.227.47.6
DNS Server Search Order: 128.227.47.7

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 205.188.146.145

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7B907E9A-3F28-467B-89B0-96F9A0D8C9FC}: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E3A44F5D-E215-4D90-B6EB-582DACC46703}: NameServer=205.188.146.145
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7B907E9A-3F28-467B-89B0-96F9A0D8C9FC}: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7B907E9A-3F28-467B-89B0-96F9A0D8C9FC}: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E3A44F5D-E215-4D90-B6EB-582DACC46703}: NameServer=205.188.146.145
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7B907E9A-3F28-467B-89B0-96F9A0D8C9FC}: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E3A44F5D-E215-4D90-B6EB-582DACC46703}: NameServer=205.188.146.145
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=128.227.47.6 128.227.47.7


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#3 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 31 October 2007 - 04:44 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:44 PM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Save\Save.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPres.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPres.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPres.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2006524105810_mcinfo.exe /insfin
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2006524105810_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193677725378
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193678165140
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbabeld...zylomplayer.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CAB
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...d84c831d43d35df
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.com/ocx/VUploaderProj1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\Software\..\Telephony: DomainName = NBPS.NBPS.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3A44F5D-E215-4D90-B6EB-582DACC46703}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13645 bytes

#4 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 31 October 2007 - 05:06 PM

My logs after doing SmitFraudFix in safe mode. Oh and I also did the hostsxpert thing before hand.
SmitFraduFix Rapport
SmitFraudFix v2.238

Scan done at 16:53:42.77, Wed 10/31/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\msole32.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7B907E9A-3F28-467B-89B0-96F9A0D8C9FC}: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7B907E9A-3F28-467B-89B0-96F9A0D8C9FC}: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7B907E9A-3F28-467B-89B0-96F9A0D8C9FC}: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7B907E9A-3F28-467B-89B0-96F9A0D8C9FC}: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E3A44F5D-E215-4D90-B6EB-582DACC46703}: NameServer=205.188.146.145
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=128.227.47.6 128.227.47.7
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=128.227.47.6 128.227.47.7


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"DSPath"="LDAP://CN=User,cn={CCDD4956-9B4D-470C-9A03-E9C97E683483},cn=policies,cn=system,DC=NBPS,DC=NBPS,DC=ORG"
"DSPath"="LDAP://CN=User,cn={071A7905-7831-4283-AC77-AD00C8EE8DD2},cn=policies,cn=system,DC=NBPS,DC=NBPS,DC=ORG"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End





HIJACK THIS log after rebooting in normal mode
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:59 PM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Save\Save.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPres.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPres.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPres.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2006524105810_mcinfo.exe /insfin
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2006524105810_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193677725378
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193678165140
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbabeld...zylomplayer.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CAB
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...d84c831d43d35df
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.com/ocx/VUploaderProj1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\Software\..\Telephony: DomainName = NBPS.NBPS.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3A44F5D-E215-4D90-B6EB-582DACC46703}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: windnl32 - C:\WINDOWS\SYSTEM32\windnl32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13896 bytes

#5 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 31 October 2007 - 07:01 PM

mel9589

Please download Combofix and save to your desktop:Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Posted Image
Microsoft MVP - Windows Security

#6 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 31 October 2007 - 08:43 PM

okay, here it is...
ComboFix 07-11-01.1 - Administrator 2007-10-31 20:27:20.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EOT3VN67\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Log\2007 Oct 29 - 07_23_01 PM_704.log
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Log\2007 Oct 29 - 07_23_08 PM_153.log
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Log\2007 Oct 30 - 06_41_41 AM_140.log
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\rs.dat
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\CustomScan.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\IgnoreList.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\ScanInfo.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\ScanResults.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\SelectedFolders.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\Settings.stg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\myglobalsearch
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\dat.txt
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drvkatr.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\Tasks.\AntiSpywareBot Scheduled Scan.job
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-10-31 20:34 <DIR> d-------- C:\Program Files\akl
2007-10-31 20:33 <DIR> d-------- C:\Program Files\3721
2007-10-31 20:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 18:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 18:19 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-10-31 16:54 15,104 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 16:36 4,850 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-31 12:31 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 12:09 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 11:48 123,910 --a------ C:\WINDOWS\system32\vvgeowbv.exe
2007-10-31 11:48 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-30 06:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-29 20:16 <DIR> d-------- C:\Downloads
2007-10-29 20:12 <DIR> d-------- C:\Kaspersky
2007-10-29 11:33 <DIR> d-------- C:\temp\HP_WebRelease
2007-10-29 11:33 <DIR> d-------- C:\temp
2007-10-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-28 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 15:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-27 22:54 <DIR> d-------- C:\SRN Micro
2007-10-26 19:28 293,888 --a------ C:\WINDOWS\ocgrep.dll
2007-10-26 19:28 270,336 --a------ C:\WINDOWS\bxsbang.dll
2007-10-26 19:28 101,888 --a------ C:\WINDOWS\kthemup.exe
2007-10-24 18:55 <DIR> d-------- C:\Program Files\Presale
2007-10-20 11:58 <DIR> d-------- C:\Graphs
2007-10-20 11:46 13,312 --a------ C:\WINDOWS\system32\drivers\nnrnstdi.sys
2007-10-20 11:46 8,832 --a------ C:\WINDOWS\system32\drivers\km_filter.sys
2007-10-20 11:43 <DIR> d-------- C:\Program Files\NetRatingsNetSight
2007-10-20 11:43 49,152 --a------ C:\WINDOWS\nswatchdog.exe
2007-10-19 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Syntrillium
2007-10-19 16:48 <DIR> d-------- C:\Program Files\coolpro2
2007-10-18 18:37 713 --ah----- C:\os070469.bin
2007-10-18 18:22 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-10-15 11:46 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2007-10-15 11:46 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2007-10-15 11:45 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-10-15 11:44 <DIR> d-------- C:\Program Files\Replay Converter
2007-10-15 11:30 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-15 11:30 1,544,542 --a------ C:\WINDOWS\system32\avcodec.dll
2007-10-15 07:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-10-07 13:02 <DIR> d-------- C:\WINDOWS\Cache
2007-10-07 13:02 <DIR> d-------- C:\Program Files\Coupons
2007-10-07 13:02 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-10-06 11:43 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-06 11:43 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-06 11:43 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-06 11:43 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-06 11:43 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 17:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-05 17:20 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\SystemDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 01:34 27,904 ----a-w C:\WINDOWS\wml.exe
2007-11-01 01:34 18,432 ----a-w C:\WINDOWS\vxddsk.exe
2007-11-01 01:34 15,360 ----a-w C:\WINDOWS\system32\vxddsk.exe
2007-11-01 01:34 15,104 ----a-w C:\WINDOWS\system32\wml.exe
2007-11-01 01:33 26,880 ----a-w C:\WINDOWS\7search.dll
2007-11-01 01:33 21,760 ----a-w C:\WINDOWS\pbar.dll
2007-11-01 01:33 15,104 ----a-w C:\WINDOWS\flt.dll
2007-11-01 01:32 9,472 ----a-w C:\WINDOWS\764.exe
2007-11-01 00:51 --------- d-----w C:\Program Files\Save
2007-10-28 00:35 --------- d-----w C:\Program Files\Yahoo!
2007-10-27 23:02 --------- d-----w C:\Program Files\Java
2007-10-23 14:37 --------- d-----w C:\Program Files\Winamp
2007-10-18 23:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 03:04 --------- d-----w C:\Program Files\America Online 9.0
2007-10-15 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 14:17 --------- d-----w C:\Program Files\PCFriendly
2007-10-06 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-03 01:36 53,648 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-09-18 22:56 --------- d-----w C:\Program Files\Musicnotes
2007-09-18 19:10 --------- d-----w C:\Program Files\iTunes
2007-09-18 19:10 --------- d-----w C:\Program Files\iPod
2007-09-18 19:04 --------- d-----w C:\Program Files\Apple Software Update
2007-09-18 19:03 --------- d-----w C:\Program Files\QuickTime
2007-09-16 14:48 --------- d-----w C:\Program Files\AIM6
2007-09-16 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-16 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-06 13:08 --------- d-----w C:\Documents and Settings\pattersonm\Application Data\HP
2005-10-18 12:18 44,632 ----a-w C:\Documents and Settings\pattersonm\Application Data\GDIPFONTCACHEV1.DAT
2007-03-09 07:12:32 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{123b04bd-7c85-472a-a103-33eb44412d70}]
2007-10-17 09:41 1498136 --a------ C:\Program Files\Presale\tbPres.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{123b04bd-7c85-472a-a103-33eb44412d70}"= C:\Program Files\Presale\tbPres.dll [2007-10-17 09:41 1498136]

[HKEY_CLASSES_ROOT\CLSID\{123b04bd-7c85-472a-a103-33eb44412d70}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{123B04BD-7C85-472A-A103-33EB44412D70}"= C:\Program Files\Presale\tbPres.dll [2007-10-17 09:41 1498136]

[HKEY_CLASSES_ROOT\CLSID\{123B04BD-7C85-472A-A103-33EB44412D70}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe" [2006-09-25 19:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 20:52]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-09-26 13:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 00:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 14:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"NielsenOnline"="C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2007-06-08 09:55]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhenUSave"="C:\Program Files\Save\Save.exe" [2006-08-25 13:45]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-18 18:21:25]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-09-26 13:49:10]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-09-26 13:43:13]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 20:40:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-1309\Scripts\Logon\0\0]
"Script"=verclsid.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-1309\Scripts\Logon\1\0]
"Script"=\\NBPS.NBPS.ORG\SysVol\NBPS.NBPS.ORG\scripts\audit_12.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-2725\Scripts\Logon\0\0]
"Script"=verclsid.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-2725\Scripts\Logon\1\0]
"Script"=\\NBPS.NBPS.ORG\SysVol\NBPS.NBPS.ORG\scripts\audit_12.vbs


R1 nnrnstdi;nnrnstdi;C:\WINDOWS\system32\drivers\nnrnstdi.sys
R3 km_filter;km_filter;C:\WINDOWS\system32\drivers\km_filter.sys
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{522d07e8-af9e-11db-a120-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 13:26:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 20:38:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-31 20:40:05 - machine was rebooted
.
--- E O F ---

#7 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 07:44 AM

mel9589

You are running Combofix from a temporary download location.

Running from: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EOT3VN67\ComboFix[1].exe

In order for the tool to be effective It must be saved directly to the Desktop.

1. So move Combofix to your Desktop. Then re run Combofix and post a fresh Combofix log.

2. You have a suspicious file I would like to look at

Please go HERE

Put Your Name, and BleepingComputer HJT forum

and In the file to submit box, click Browse.Using Windows Explorer(Right click on "Start," select "Explore," and you will see the "tree' of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate the fileC:\Program Files\Presale\tbPres.dll
In the comments tell them that I asked you to upload the file
Then Select Send File.
Posted Image
Microsoft MVP - Windows Security

#8 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 08:02 AM

OKay I redid the combofix but from my desktop this time.
Here it is...

ComboFix 07-11-01.1 - Administrator 2007-11-01 7:58:15.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\akl

.
((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-10-31 20:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 18:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 18:19 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-10-31 16:54 15,104 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 16:36 4,850 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-31 12:31 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 12:09 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 11:48 123,910 --a------ C:\WINDOWS\system32\vvgeowbv.exe
2007-10-31 11:48 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-30 06:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-29 20:16 <DIR> d-------- C:\Downloads
2007-10-29 20:12 <DIR> d-------- C:\Kaspersky
2007-10-29 11:33 <DIR> d-------- C:\temp\HP_WebRelease
2007-10-29 11:33 <DIR> d-------- C:\temp
2007-10-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-28 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 15:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-27 22:54 <DIR> d-------- C:\SRN Micro
2007-10-26 19:28 293,888 --a------ C:\WINDOWS\ocgrep.dll
2007-10-26 19:28 270,336 --a------ C:\WINDOWS\bxsbang.dll
2007-10-26 19:28 101,888 --a------ C:\WINDOWS\kthemup.exe
2007-10-24 18:55 <DIR> d-------- C:\Program Files\Presale
2007-10-20 11:58 <DIR> d-------- C:\Graphs
2007-10-20 11:46 13,312 --a------ C:\WINDOWS\system32\drivers\nnrnstdi.sys
2007-10-20 11:46 8,832 --a------ C:\WINDOWS\system32\drivers\km_filter.sys
2007-10-20 11:43 <DIR> d-------- C:\Program Files\NetRatingsNetSight
2007-10-20 11:43 49,152 --a------ C:\WINDOWS\nswatchdog.exe
2007-10-19 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Syntrillium
2007-10-19 16:48 <DIR> d-------- C:\Program Files\coolpro2
2007-10-18 18:37 713 --ah----- C:\os070469.bin
2007-10-18 18:22 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-10-15 11:46 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2007-10-15 11:46 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2007-10-15 11:45 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-10-15 11:44 <DIR> d-------- C:\Program Files\Replay Converter
2007-10-15 11:30 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-15 11:30 1,544,542 --a------ C:\WINDOWS\system32\avcodec.dll
2007-10-15 07:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-10-07 13:02 <DIR> d-------- C:\WINDOWS\Cache
2007-10-07 13:02 <DIR> d-------- C:\Program Files\Coupons
2007-10-07 13:02 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-10-06 11:43 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-06 11:43 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-06 11:43 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-06 11:43 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-06 11:43 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 17:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-05 17:20 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\SystemDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 00:51 --------- d-----w C:\Program Files\Save
2007-10-28 00:35 --------- d-----w C:\Program Files\Yahoo!
2007-10-27 23:02 --------- d-----w C:\Program Files\Java
2007-10-23 14:37 --------- d-----w C:\Program Files\Winamp
2007-10-18 23:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 03:04 --------- d-----w C:\Program Files\America Online 9.0
2007-10-15 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 14:17 --------- d-----w C:\Program Files\PCFriendly
2007-10-06 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-03 01:36 53,648 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-09-18 22:56 --------- d-----w C:\Program Files\Musicnotes
2007-09-18 19:10 --------- d-----w C:\Program Files\iTunes
2007-09-18 19:10 --------- d-----w C:\Program Files\iPod
2007-09-18 19:04 --------- d-----w C:\Program Files\Apple Software Update
2007-09-18 19:03 --------- d-----w C:\Program Files\QuickTime
2007-09-16 14:48 --------- d-----w C:\Program Files\AIM6
2007-09-16 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-16 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-06 13:08 --------- d-----w C:\Documents and Settings\pattersonm\Application Data\HP
2005-10-18 12:18 44,632 ----a-w C:\Documents and Settings\pattersonm\Application Data\GDIPFONTCACHEV1.DAT
2007-03-09 07:12:32 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{123b04bd-7c85-472a-a103-33eb44412d70}]
2007-10-17 09:41 1498136 --a------ C:\Program Files\Presale\tbPres.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{123b04bd-7c85-472a-a103-33eb44412d70}"= C:\Program Files\Presale\tbPres.dll [2007-10-17 09:41 1498136]

[HKEY_CLASSES_ROOT\CLSID\{123b04bd-7c85-472a-a103-33eb44412d70}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{123B04BD-7C85-472A-A103-33EB44412D70}"= C:\Program Files\Presale\tbPres.dll [2007-10-17 09:41 1498136]

[HKEY_CLASSES_ROOT\CLSID\{123B04BD-7C85-472A-A103-33EB44412D70}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe" [2006-09-25 19:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 20:52]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-09-26 13:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 00:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 14:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"NielsenOnline"="C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2007-06-08 09:55]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhenUSave"="C:\Program Files\Save\Save.exe" [2006-08-25 13:45]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-18 18:21:25]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-09-26 13:49:10]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-09-26 13:43:13]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 20:40:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-1309\Scripts\Logon\0\0]
"Script"=verclsid.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-1309\Scripts\Logon\1\0]
"Script"=\\NBPS.NBPS.ORG\SysVol\NBPS.NBPS.ORG\scripts\audit_12.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-2725\Scripts\Logon\0\0]
"Script"=verclsid.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-2725\Scripts\Logon\1\0]
"Script"=\\NBPS.NBPS.ORG\SysVol\NBPS.NBPS.ORG\scripts\audit_12.vbs


R1 nnrnstdi;nnrnstdi;C:\WINDOWS\system32\drivers\nnrnstdi.sys
R3 km_filter;km_filter;C:\WINDOWS\system32\drivers\km_filter.sys
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{522d07e8-af9e-11db-a120-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 13:26:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 08:02:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 8:03:18
C:\ComboFix2.txt ... 2007-10-31 20:40
.
--- E O F ---


Now I am gonna gert you that file.

#9 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 08:08 AM

The site for uploadmalware.com is not working for me. ???
I have a ticketmmaster presale toolbar which may be what the file is though.

#10 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 10:33 AM

mel9589

Good job on Combofix.

The uploadmalware link is working now. Please upload the file.

It woukld seem that you are fimilar with this program ticketmmaster presale toolbar

Is this something you installed intentionally and wish to keep?
Posted Image
Microsoft MVP - Windows Security

#11 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 12:27 PM

Okay, I sent the file through the site.
I would like to keep the ticketmaster presale toolbar, unless there seems to be something fishy with it.
I did have it a while before these virus things started hapenning.

#12 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 01:22 PM

mel9589

I would like to keep the ticketmaster presale toolbar, unless there seems to be something fishy with it.
I did have it a while before these virus things started hapenning.

I wanted the file, because there is not a lot of research on it. It came up clean, but better safe than sorry.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad (not the word code)
File::
C:\WINDOWS\764.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\7search.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\uccspecc.sys
C:\WINDOWS\iun6002.exe
C:\WINDOWS\kthemup.exe
C:\WINDOWS\bxsbang.dll
C:\WINDOWS\ocgrep.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\ace16win.dll

Folder::
C:\Program Files\Save
C:\Program Files\Coupons

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhenUSave"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BearShare"=-
[-HKEY_CLASSES_ROOT\CLSID\{123b04bd-7c85-472a-a103-33eb44412d70}]
Save the File as CFScript(exactly as shown no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

Posted ImageYou will be prompted to run Combofix again, Do so
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply

Posted Image
Microsoft MVP - Windows Security

#13 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 03:24 PM

ComboFix 07-11-01.1 - Administrator 2007-11-01 15:10:41.3 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bxsbang.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\kthemup.exe
C:\WINDOWS\ocgrep.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\uccspecc.sys
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Coupons
C:\Program Files\Coupons\Coupons.com.url
C:\Program Files\Coupons\uninstall.exe
C:\Program Files\Coupons\Uninstall\IRIMG1.JPG
C:\Program Files\Coupons\Uninstall\IRIMG2.JPG
C:\Program Files\Coupons\Uninstall\IRIMG3.JPG
C:\Program Files\Coupons\Uninstall\IRIMG4.JPG
C:\Program Files\Coupons\Uninstall\IRIMG5.JPG
C:\Program Files\Coupons\Uninstall\IRIMG6.JPG
C:\Program Files\Coupons\Uninstall\IRIMG7.JPG
C:\Program Files\Coupons\Uninstall\IRIMG8.JPG
C:\Program Files\Coupons\Uninstall\uninstall.dat
C:\Program Files\Coupons\Uninstall\uninstall.xml
C:\Program Files\Save
C:\Program Files\Save\ACM.dll
C:\Program Files\Save\extra.exe
C:\Program Files\Save\ffext.mod
C:\Program Files\Save\save.db
C:\Program Files\Save\Save.exe
C:\Program Files\Save\save.htm
C:\Program Files\Save\SaveUninst.exe
C:\Program Files\Save\store.db
C:\WINDOWS\bxsbang.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\kthemup.exe
C:\WINDOWS\ocgrep.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\uccspecc.sys

.
((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-10-31 20:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 18:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 18:19 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-10-31 16:36 4,850 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-31 12:09 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-30 06:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-29 20:16 <DIR> d-------- C:\Downloads
2007-10-29 20:12 <DIR> d-------- C:\Kaspersky
2007-10-29 11:33 <DIR> d-------- C:\temp\HP_WebRelease
2007-10-29 11:33 <DIR> d-------- C:\temp
2007-10-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-28 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 15:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-27 22:54 <DIR> d-------- C:\SRN Micro
2007-10-24 18:55 <DIR> d-------- C:\Program Files\Presale
2007-10-20 11:58 <DIR> d-------- C:\Graphs
2007-10-20 11:46 13,312 --a------ C:\WINDOWS\system32\drivers\nnrnstdi.sys
2007-10-20 11:46 8,832 --a------ C:\WINDOWS\system32\drivers\km_filter.sys
2007-10-20 11:43 <DIR> d-------- C:\Program Files\NetRatingsNetSight
2007-10-20 11:43 49,152 --a------ C:\WINDOWS\nswatchdog.exe
2007-10-19 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Syntrillium
2007-10-19 16:48 <DIR> d-------- C:\Program Files\coolpro2
2007-10-18 18:37 713 --ah----- C:\os070469.bin
2007-10-18 18:22 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-10-15 11:46 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2007-10-15 11:46 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2007-10-15 11:44 <DIR> d-------- C:\Program Files\Replay Converter
2007-10-15 11:30 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-15 11:30 1,544,542 --a------ C:\WINDOWS\system32\avcodec.dll
2007-10-15 07:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-10-07 13:02 <DIR> d-------- C:\WINDOWS\Cache
2007-10-06 11:43 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-06 11:43 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-06 11:43 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-06 11:43 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-06 11:43 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 17:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-05 17:20 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\SystemDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 00:35 --------- d-----w C:\Program Files\Yahoo!
2007-10-27 23:02 --------- d-----w C:\Program Files\Java
2007-10-23 14:37 --------- d-----w C:\Program Files\Winamp
2007-10-18 23:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 03:04 --------- d-----w C:\Program Files\America Online 9.0
2007-10-15 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 14:17 --------- d-----w C:\Program Files\PCFriendly
2007-10-06 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-03 01:36 53,648 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-09-18 22:56 --------- d-----w C:\Program Files\Musicnotes
2007-09-18 19:10 --------- d-----w C:\Program Files\iTunes
2007-09-18 19:10 --------- d-----w C:\Program Files\iPod
2007-09-18 19:04 --------- d-----w C:\Program Files\Apple Software Update
2007-09-18 19:03 --------- d-----w C:\Program Files\QuickTime
2007-09-16 14:48 --------- d-----w C:\Program Files\AIM6
2007-09-16 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-16 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-06 13:08 --------- d-----w C:\Documents and Settings\pattersonm\Application Data\HP
2005-10-18 12:18 44,632 ----a-w C:\Documents and Settings\pattersonm\Application Data\GDIPFONTCACHEV1.DAT
2007-03-09 07:12:32 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-31_20.38.48.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 17:00:52 130,423 ----a-w C:\WINDOWS\hpoins13.dat
+ 2007-11-01 14:08:55 130,423 ----a-w C:\WINDOWS\hpoins13.dat
+ 2007-11-01 20:22:16 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_b14.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{123b04bd-7c85-472a-a103-33eb44412d70}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe" [2006-09-25 19:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 20:52]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-09-26 13:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 00:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 14:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"NielsenOnline"="C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2007-06-08 09:55]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-18 18:21:25]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-09-26 13:49:10]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-09-26 13:43:13]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 20:40:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-1309\Scripts\Logon\0\0]
"Script"=verclsid.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-1309\Scripts\Logon\1\0]
"Script"=\\NBPS.NBPS.ORG\SysVol\NBPS.NBPS.ORG\scripts\audit_12.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-2725\Scripts\Logon\0\0]
"Script"=verclsid.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-789336058-162531612-682003330-2725\Scripts\Logon\1\0]
"Script"=\\NBPS.NBPS.ORG\SysVol\NBPS.NBPS.ORG\scripts\audit_12.vbs


R1 nnrnstdi;nnrnstdi;C:\WINDOWS\system32\drivers\nnrnstdi.sys
R3 km_filter;km_filter;C:\WINDOWS\system32\drivers\km_filter.sys
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{522d07e8-af9e-11db-a120-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 13:26:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 15:21:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 15:24:14 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-01 08:03
C:\ComboFix3.txt ... 2007-10-31 20:40
.
--- E O F ---

#14 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 04:07 PM

mel9589

Good job. Rerun Hijakthis and post a fresh Hijackthis log

And in your reply give me an update on how your PC is running.
Posted Image
Microsoft MVP - Windows Security

#15 mel9589

mel9589
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:40 PM

Posted 01 November 2007 - 04:15 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:51 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {123b04bd-7c85-472a-a103-33eb44412d70} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {123b04bd-7c85-472a-a103-33eb44412d70} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: (no name) - {123b04bd-7c85-472a-a103-33eb44412d70} - (no file)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1168559001\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193677725378
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193678165140
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbabeld...zylomplayer.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CAB
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...d84c831d43d35df
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.com/ocx/VUploaderProj1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\Software\..\Telephony: DomainName = NBPS.NBPS.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3A44F5D-E215-4D90-B6EB-582DACC46703}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = NBPS.NBPS.ORG
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11257 bytes

The pop ups have stopped coming which is really good, but my background is still black with red writing that says Warning! Spyware threat has been detected on your PC. You have several fatal errors... and the such. It also lists an IP address.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users