Savetheinformation.com & Possibly Other Issues



#1 LissM


Posted 03 November 2007 - 07:34 PM

Please give me a hand getting this machine cleaned up. I use it for work, so it is pretty urgent. I generally keep patches and security software pretty up-to-date, so I am fairly sure that it is a recent infection. Adaware won't complete. Search & Destroy won't install. Following is my HijackThis log. Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:25 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\system32\lsemertr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Apoint\Apntex.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\HPZinw12.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qhjwyhhi.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193022506875
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://localhost/oasis/Reserved.ReportView...OpType=PrintCab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\lsemertr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMSv3hs - Alexandria Software Consulting - C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9909 bytes



#2 LissM


Posted 03 November 2007 - 09:55 PM

While waiting for a response and reading some of the other similar topics, I decided to run VundoFix and ComboFix. VundoFix didn't seem to really work. ComboFix worked... sort of. It all came back after a reboot. Here are the logs from each, followed by a new HJT log. Again, thanks in advance for your help!


VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:49:01 PM 11/3/2007

Listing files found while scanning....

C:\windows\system32\byxxvtu.dll
C:\windows\system32\iacdhxmg.dll
C:\WINDOWS\system32\qhjwyhhi.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxxvtu.dll
C:\windows\system32\byxxvtu.dll Could not be deleted.

Attempting to delete C:\windows\system32\iacdhxmg.dll
C:\windows\system32\iacdhxmg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qhjwyhhi.dll
C:\WINDOWS\system32\qhjwyhhi.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxxvtu.dll
C:\windows\system32\byxxvtu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qhjwyhhi.dll
C:\WINDOWS\system32\qhjwyhhi.dll Could not be deleted.

Performing Repairs to the registry.
Done!



COMBOFIX

ComboFix 07-11-04.1 - Lissa 2007-11-03 20:42:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1390 [GMT -5:00]
Running from: C:\Documents and Settings\Lissa\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Lissa\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Lissa\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Lissa\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Lissa\g2mdlhlpx.exe
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\system32\byxxvtu.dll
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.bak2
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lsemertr.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\qhjwyhhi.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-03 20:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 19:49 <DIR> d-------- C:\VundoFix Backups
2007-11-03 12:07 <DIR> d-------- C:\Documents and Settings\Lissa\.housecall6.6
2007-11-03 09:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-03 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-03 09:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 09:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 02:43 3,006 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 23:43 81,472 --a------ C:\WINDOWS\system32\kqfgxuwg.dll
2007-11-02 23:37 87,616 --a------ C:\WINDOWS\system32\wdeusxjn.dll
2007-11-02 23:28 340,032 --a------ C:\WINDOWS\system32\qhjwyhhi.dll
2007-11-02 11:25 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-11-02 11:25 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-02 11:18 35,840 --a------ C:\WINDOWS\mrofinu77.exe
2007-11-02 11:17 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-11-02 11:17 <DIR> d-------- C:\TEMP\mZOr
2007-10-31 09:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-10-31 09:39 <DIR> d-------- C:\Program Files\Common Files\HP
2007-10-31 09:30 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-10-31 09:30 37,376 --a------ C:\WINDOWS\system32\hpz3l3xu.dll
2007-10-31 09:28 827,392 -ra------ C:\WINDOWS\system32\hpotiop2.dll
2007-10-31 09:28 278,528 -ra------ C:\WINDOWS\system32\hpowiamd.dll
2007-10-31 09:28 258,122 -ra------ C:\WINDOWS\system32\hpovst09.dll
2007-10-31 09:28 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-10-31 09:28 6,784 --a------ C:\WINDOWS\system32\dllcache\serscan.sys
2007-10-31 09:18 89,329 --a------ C:\WINDOWS\hpoins06.dat
2007-10-31 09:18 5,389 --------- C:\WINDOWS\hpomdl06.dat
2007-10-31 09:17 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\HP
2007-10-25 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-10-25 16:27 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\System Tweaker
2007-10-25 08:07 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\Uniblue
2007-10-25 08:06 <DIR> d-------- C:\Program Files\Uniblue
2007-10-23 13:39 <DIR> d-------- C:\Program Files\Report Manager
2007-10-22 05:52 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-22 03:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-22 03:02 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2007-10-22 02:58 <DIR> d-------- C:\WINDOWS\RS9_KB934458_ENU
2007-10-22 02:52 <DIR> d-------- C:\WINDOWS\SQL9_KB934458_ENU
2007-10-11 16:47 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2007-10-10 16:07 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\TortoiseSVN
2007-10-10 08:00 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-04 21:25 724,984 --a------ C:\Documents and Settings\Lissa\gotomypc_437.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 01:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-04 01:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 17:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 12:55 --------- d-----w C:\Program Files\dl_Cats
2007-10-31 14:39 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-31 13:10 --------- d-----w C:\Program Files\Lx_cats
2007-10-28 23:59 0 ---ha-w C:\Documents and Settings\Mike\hpothb07.dat
2007-10-28 23:58 1,452 ---ha-w C:\hpothb07.dat
2007-10-27 21:57 --------- d-----w C:\Documents and Settings\Mike\Application Data\Symantec
2007-10-26 01:00 --------- d-----w C:\Program Files\PartyGaming
2007-10-22 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-22 08:04 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-10-22 07:39 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-22 02:42 --------- d-----w C:\Program Files\Norton 360
2007-10-03 20:54 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 20:54 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 20:54 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 20:54 --------- d-----w C:\Program Files\Symantec
2007-10-02 13:27 --------- d-----w C:\Program Files\MSN Messenger
2007-09-29 03:57 --------- d-----w C:\Documents and Settings\Mike\Application Data\Subversion
2007-09-27 14:47 --------- d-----w C:\Program Files\e-Sword
2007-09-19 19:36 --------- d-----w C:\Program Files\Common Files\Merge Modules
2007-09-19 18:52 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-19 18:46 --------- d-----w C:\Program Files\MSXML 6.0
2007-09-19 18:43 --------- d-----w C:\Program Files\Microsoft Analysis Services
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 19:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 19:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 19:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 19:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 19:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 19:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 19:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 16:08 --------- d-----w C:\Program Files\Citrix
2007-09-18 15:53 --------- d-----w C:\Documents and Settings\Lissa\Application Data\Subversion
2007-09-18 15:40 --------- d-----w C:\Program Files\TortoiseSVN
2007-09-17 20:41 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-17 01:47 --------- d-----w C:\Program Files\Wmomdemo
2007-09-13 08:00 --------- d-----w C:\Program Files\DivX
2007-09-11 14:18 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-09-11 14:17 --------- d-----w C:\Program Files\HP
2007-09-04 23:39 --------- d-----w C:\Program Files\Norton Security Scan
2007-07-30 02:29 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-11-13 13:37 563,712 ----a-w C:\Documents and Settings\Lissa\gotomypc_372.exe
2006-11-01 22:43 821 ---ha-w C:\Documents and Settings\Lissa\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\LISSANOTEBOOK\ASPNET\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2006-10-19 11:16 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2006-07-24 11:53 563,712 ----a-w C:\Documents and Settings\Lissa\gotomypc_370.exe
2006-01-10 15:27 563,712 ----a-w C:\Documents and Settings\Lissa\370_gotomypc.exe
2005-12-25 09:38 483,401 ----a-w C:\Documents and Settings\Lissa\314_gotomypc.exe
2005-09-01 18:34 483,401 ----a-w C:\Documents and Settings\Lissa\gotomypc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1642f6d4-718b-46cd-af23-d6188aca3911}]
2007-11-02 23:43 81472 --a------ C:\WINDOWS\system32\kqfgxuwg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-02 23:28 340032 --a------ C:\WINDOWS\system32\qhjwyhhi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\qhjwyhhi.dll [2007-11-02 23:28 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 21:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2005-08-01 07:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]
"DLCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2006-10-20 17:50]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 13:44]
"koobe"="c:\program files\uppdvtddqzn\tgbbp.exe" [2006-09-10 15:23]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"e0ac4c33"="C:\WINDOWS\system32\wdeusxjn.dll" [2007-11-02 23:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue PowerSuite"="C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe" [2007-10-22 08:59]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 08:59]
"koobe"="c:\program files\uppdvtddqzn\tgbbp.exe" [2006-09-10 15:23]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2006-07-05 13:22:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qhjwyhhi]
qhjwyhhi.dll 2007-11-02 23:28 340032 C:\WINDOWS\system32\qhjwyhhi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjh.dll

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 02:20:10 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-10-25 21:39:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
"2007-10-25 21:39:32 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
"2007-10-25 23:48:52 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-11-04 02:20:15 C:\WINDOWS\Tasks\User_Feed_Synchronization-{0DF6990B-4264-46D2-BEFB-8AD4216508D0}.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 21:20:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2007-11-03 21:25:34 - machine was rebooted
.
--- E O F ---




HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:50 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZinw12.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {1193aca8-816d-32fa-dc64-b8174d6f2461} - {1642f6d4-718b-46cd-af23-d6188aca3911} - C:\WINDOWS\system32\kqfgxuwg.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qhjwyhhi.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qhjwyhhi.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193022506875
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://localhost/oasis/Reserved.ReportView...OpType=PrintCab
O20 - Winlogon Notify: qhjwyhhi - C:\WINDOWS\SYSTEM32\qhjwyhhi.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMSv3hs - Alexandria Software Consulting - C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10701 bytes

#3 LissM (Topic Starter)

Posted 03 November 2007 - 10:42 PM

Ran VirtumundoBeGone. It seems better, but I would like some confirmation as to whether all is well. Here's the VBG log and a new HJT.


[11/03/2007, 22:23:24] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Lissa\Desktop\VirtumundoBeGone.exe" )
[11/03/2007, 22:23:29] - Detected System Information:
[11/03/2007, 22:23:29] - Windows Version: 5.1.2600, Service Pack 2
[11/03/2007, 22:23:29] - Current Username: Lissa (Admin)
[11/03/2007, 22:23:29] - Windows is in SAFE mode with Networking.
[11/03/2007, 22:23:29] - Searching for Browser Helper Objects:
[11/03/2007, 22:23:29] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[11/03/2007, 22:23:29] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[11/03/2007, 22:23:29] - BHO 3: {1642f6d4-718b-46cd-af23-d6188aca3911} ()
[11/03/2007, 22:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:29] - Checking for HKLM\...\Winlogon\Notify\kqfgxuwg
[11/03/2007, 22:23:29] - Key not found: HKLM\...\Winlogon\Notify\kqfgxuwg, continuing.
[11/03/2007, 22:23:29] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[11/03/2007, 22:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:29] - Checking for HKLM\...\Winlogon\Notify\NppBho
[11/03/2007, 22:23:29] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[11/03/2007, 22:23:29] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[11/03/2007, 22:23:29] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[11/03/2007, 22:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:29] - No filename found. Continuing.
[11/03/2007, 22:23:29] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[11/03/2007, 22:23:29] - BHO 8: {A95B2816-1D7E-4561-A202-68C0DE02353A} ()
[11/03/2007, 22:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:29] - Checking for HKLM\...\Winlogon\Notify\qhjwyhhi
[11/03/2007, 22:23:29] - Found: HKLM\...\Winlogon\Notify\qhjwyhhi - This is probably Virtumundo.
[11/03/2007, 22:23:29] - Assigning {A95B2816-1D7E-4561-A202-68C0DE02353A} MSEvents Object
[11/03/2007, 22:23:29] - BHO list has been changed! Starting over...
[11/03/2007, 22:23:29] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[11/03/2007, 22:23:29] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[11/03/2007, 22:23:29] - BHO 3: {1642f6d4-718b-46cd-af23-d6188aca3911} ()
[11/03/2007, 22:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:29] - Checking for HKLM\...\Winlogon\Notify\kqfgxuwg
[11/03/2007, 22:23:29] - Key not found: HKLM\...\Winlogon\Notify\kqfgxuwg, continuing.
[11/03/2007, 22:23:29] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[11/03/2007, 22:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:29] - Checking for HKLM\...\Winlogon\Notify\NppBho
[11/03/2007, 22:23:29] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[11/03/2007, 22:23:29] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[11/03/2007, 22:23:29] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[11/03/2007, 22:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:29] - No filename found. Continuing.
[11/03/2007, 22:23:29] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[11/03/2007, 22:23:29] - BHO 8: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[11/03/2007, 22:23:29] - ALERT: Found MSEvents Object!
[11/03/2007, 22:23:29] - Finished Searching Browser Helper Objects
[11/03/2007, 22:23:29] - *** Detected MSEvents Object
[11/03/2007, 22:23:29] - Trying to remove MSEvents Object...
[11/03/2007, 22:23:30] - Terminating Process: IEXPLORE.EXE
[11/03/2007, 22:23:31] - Terminating Process: RUNDLL32.EXE
[11/03/2007, 22:23:31] - Disabling Automatic Shell Restart
[11/03/2007, 22:23:31] - Terminating Process: EXPLORER.EXE
[11/03/2007, 22:23:31] - Suspending the NT Session Manager System Service
[11/03/2007, 22:23:31] - Terminating Windows NT Logon/Logoff Manager
[11/03/2007, 22:23:31] - Re-enabling Automatic Shell Restart
[11/03/2007, 22:23:31] - File to disable: C:\WINDOWS\system32\qhjwyhhi.dll
[11/03/2007, 22:23:31] - Renaming C:\WINDOWS\system32\qhjwyhhi.dll -> C:\WINDOWS\system32\qhjwyhhi.dll.vir
[11/03/2007, 22:23:32] - File successfully renamed!
[11/03/2007, 22:23:32] - Removing HKLM\...\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[11/03/2007, 22:23:32] - Removing HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[11/03/2007, 22:23:32] - Adding Kill Bit for ActiveX for GUID: {A95B2816-1D7E-4561-A202-68C0DE02353A}
[11/03/2007, 22:23:32] - Deleting ATLEvents/MSEvents Registry entries
[11/03/2007, 22:23:32] - Removing HKLM\...\Winlogon\Notify\qhjwyhhi
[11/03/2007, 22:23:32] - Searching for Browser Helper Objects:
[11/03/2007, 22:23:32] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[11/03/2007, 22:23:32] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[11/03/2007, 22:23:32] - BHO 3: {1642f6d4-718b-46cd-af23-d6188aca3911} ()
[11/03/2007, 22:23:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:32] - Checking for HKLM\...\Winlogon\Notify\kqfgxuwg
[11/03/2007, 22:23:32] - Key not found: HKLM\...\Winlogon\Notify\kqfgxuwg, continuing.
[11/03/2007, 22:23:32] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[11/03/2007, 22:23:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:32] - Checking for HKLM\...\Winlogon\Notify\NppBho
[11/03/2007, 22:23:32] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[11/03/2007, 22:23:32] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[11/03/2007, 22:23:32] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[11/03/2007, 22:23:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/03/2007, 22:23:32] - No filename found. Continuing.
[11/03/2007, 22:23:32] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[11/03/2007, 22:23:32] - Finished Searching Browser Helper Objects
[11/03/2007, 22:23:32] - Finishing up...
[11/03/2007, 22:23:32] - A restart is needed.
[11/03/2007, 22:23:32] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[11/03/2007, 22:23:40] - Attempting to Restart via STOP error (Blue Screen!)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:31 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {1193aca8-816d-32fa-dc64-b8174d6f2461} - {1642f6d4-718b-46cd-af23-d6188aca3911} - C:\WINDOWS\system32\kqfgxuwg.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qhjwyhhi.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193022506875
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://localhost/oasis/Reserved.ReportView...OpType=PrintCab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMSv3hs - Alexandria Software Consulting - C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10339 bytes

#4 LissM (Topic Starter)

Posted 04 November 2007 - 10:33 AM

Have made progress on my own...Please don't reply here. I'm going to open a new topic with details of the current situation. Thanks!

#5 LissM (Topic Starter)

Posted 04 November 2007 - 11:33 PM

Staff edit: Reopened and merged new thread. Please keep all posts about the same issue in one topic. PK

Hi!

Can you please take a look at my HJT log and verify that I got everything cleaned? I had a suspicious pop-up today, which makes me think that I missed something when cleaning my system.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:45 PM, on 11/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\dllhost.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {1193aca8-816d-32fa-dc64-b8174d6f2461} - {1642f6d4-718b-46cd-af23-d6188aca3911} - C:\WINDOWS\system32\kqfgxuwg.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [e0ac4c33] rundll32.exe "C:\WINDOWS\system32\wdeusxjn.dll",b
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-273579162-423013002-2840882030-1011\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'ASPNET')
O4 - HKUS\S-1-5-21-273579162-423013002-2840882030-1011\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User 'ASPNET')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193022506875
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://localhost/oasis/Reserved.ReportView...OpType=PrintCab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMSv3hs - Alexandria Software Consulting - C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11787 bytes

Edited by Papakid, 12 November 2007 - 11:51 AM.


#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,616 posts
  • Gender:Male

Posted 12 November 2007 - 12:29 PM

Hi LissM,

As explained in the mod edit above, I've reopened this topic and merged your new one. When doing troubleshooting of any kind it is helpful to have a history of both the issue and what you've done to resolve it, so making a new thread doesn't really accomplish anything. When I find out which mod closed this thread, I'll have them tied to the whipping post :thumbsup: --I'm KIDDING.

First let me apologize for the fact that you have not received a quick answer and thus have been attempting to clean this infection on your own. Doing that, including following instructions in someone else's log thread, is not recommended, especially the use of ComboFix without the direct supervision of a malware removal specialist. CF, along with some other tools we use, is very powerful and malware writers are very clever, so the combination can have dire consequences without some of the knowledge and experience that the staff has to guide you.

That being said, you did a pretty fair job of removing Vundo but there are still some leftovers present. Just please understand that all malware removal forums are overwhelmed by the number of people needing help and BC is no exception.

For now please do the following:

Delete your copy of ComboFix.exe, or if it is still on your desktop, allow the new copy to overwrite the old as I want you to download and run the latest version.

Please download Combofix to your desktop.

Double-click ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply along with a new HijackThis log.

The thing about people

is they change

when they walk away.--Mipso


#7 LissM

LissM
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Texas

Posted 13 November 2007 - 08:41 PM

Thanks for helping me out! Here's the ComboFix Log. HJT log is coming up!

ComboFix 07-11-08.1 - Lissa 2007-11-13 19:28:55.3 - NTFSx86
Running from: C:\Documents and Settings\Lissa\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-04 11:01 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-04 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-03 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 19:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 18:49 <DIR> d-------- C:\VundoFix Backups
2007-11-03 11:07 <DIR> d-------- C:\Documents and Settings\Lissa\.housecall6.6
2007-11-03 08:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 08:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 01:43 3,006 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 22:43 81,472 --a------ C:\WINDOWS\system32\kqfgxuwg.dll
2007-11-02 22:37 87,616 --a------ C:\WINDOWS\system32\wdeusxjn.dll
2007-11-02 10:25 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-11-02 10:25 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-02 10:18 35,840 --a------ C:\WINDOWS\mrofinu77.exe
2007-11-02 10:17 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-11-02 10:17 <DIR> d-------- C:\TEMP\mZOr
2007-10-31 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-10-31 08:39 <DIR> d-------- C:\Program Files\Common Files\HP
2007-10-31 08:30 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-10-31 08:30 37,376 --a------ C:\WINDOWS\system32\hpz3l3xu.dll
2007-10-31 08:28 827,392 -ra------ C:\WINDOWS\system32\hpotiop2.dll
2007-10-31 08:28 278,528 -ra------ C:\WINDOWS\system32\hpowiamd.dll
2007-10-31 08:28 258,122 -ra------ C:\WINDOWS\system32\hpovst09.dll
2007-10-31 08:28 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-10-31 08:28 6,784 --a------ C:\WINDOWS\system32\dllcache\serscan.sys
2007-10-31 08:18 89,329 --a------ C:\WINDOWS\hpoins06.dat
2007-10-31 08:18 5,389 --------- C:\WINDOWS\hpomdl06.dat
2007-10-31 08:17 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\HP
2007-10-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-10-25 15:27 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\System Tweaker
2007-10-25 07:07 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\Uniblue
2007-10-25 07:06 <DIR> d-------- C:\Program Files\Uniblue
2007-10-23 12:39 <DIR> d-------- C:\Program Files\Report Manager
2007-10-22 04:52 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-22 02:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-22 02:02 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2007-10-22 01:58 <DIR> d-------- C:\WINDOWS\RS9_KB934458_ENU
2007-10-22 01:52 <DIR> d-------- C:\WINDOWS\SQL9_KB934458_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-12 03:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-06 14:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-04 16:44 --------- d-----w C:\Program Files\Radium Technologies
2007-11-04 16:40 --------- d-----w C:\Program Files\Coupons
2007-11-01 12:55 --------- d-----w C:\Program Files\dl_Cats
2007-10-31 14:39 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-31 13:10 --------- d-----w C:\Program Files\Lx_cats
2007-10-28 23:59 0 ---ha-w C:\Documents and Settings\Mike\hpothb07.dat
2007-10-28 23:58 1,452 ---ha-w C:\hpothb07.dat
2007-10-27 21:57 --------- d-----w C:\Documents and Settings\Mike\Application Data\Symantec
2007-10-26 01:00 --------- d-----w C:\Program Files\PartyGaming
2007-10-22 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-22 08:04 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-10-22 07:39 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-22 02:42 --------- d-----w C:\Program Files\Norton 360
2007-10-11 21:47 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-10 21:08 --------- d-----w C:\Documents and Settings\Lissa\Application Data\TortoiseSVN
2007-10-05 02:25 724,984 ----a-w C:\Documents and Settings\Lissa\gotomypc_437.exe
2007-10-03 20:54 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 20:54 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 20:54 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 20:54 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 20:54 --------- d-----w C:\Program Files\Symantec
2007-10-02 13:27 --------- d-----w C:\Program Files\MSN Messenger
2007-09-29 03:57 --------- d-----w C:\Documents and Settings\Mike\Application Data\Subversion
2007-09-27 14:47 --------- d-----w C:\Program Files\e-Sword
2007-09-19 19:36 --------- d-----w C:\Program Files\Common Files\Merge Modules
2007-09-19 18:52 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-19 18:46 --------- d-----w C:\Program Files\MSXML 6.0
2007-09-19 18:43 --------- d-----w C:\Program Files\Microsoft Analysis Services
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 19:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 19:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 19:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 19:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 19:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 19:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 19:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 16:08 --------- d-----w C:\Program Files\Citrix
2007-09-18 15:53 --------- d-----w C:\Documents and Settings\Lissa\Application Data\Subversion
2007-09-18 15:40 --------- d-----w C:\Program Files\TortoiseSVN
2007-09-17 20:41 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-17 01:47 --------- d-----w C:\Program Files\Wmomdemo
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 02:29 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-11-13 13:37 563,712 ----a-w C:\Documents and Settings\Lissa\gotomypc_372.exe
2006-11-01 22:43 821 ---ha-w C:\Documents and Settings\Lissa\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\LISSANOTEBOOK\ASPNET\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2006-10-19 11:16 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2006-07-24 11:53 563,712 ----a-w C:\Documents and Settings\Lissa\gotomypc_370.exe
2006-01-10 15:27 563,712 ----a-w C:\Documents and Settings\Lissa\370_gotomypc.exe
2005-12-25 09:38 483,401 ----a-w C:\Documents and Settings\Lissa\314_gotomypc.exe
2005-09-01 18:34 483,401 ----a-w C:\Documents and Settings\Lissa\gotomypc.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_21.23.01.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 00:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2002-07-25 23:13:18 24,576 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.dll
+ 2002-07-26 00:13:18 24,576 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.dll
- 2002-07-25 23:13:12 196,608 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.exe
+ 2002-07-26 00:13:12 196,608 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.exe
- 2004-06-16 11:02:10 323,584 ----a-w C:\WINDOWS\Downloaded Program Files\isusweb.dll
+ 2004-06-16 12:02:10 323,584 ----a-w C:\WINDOWS\Downloaded Program Files\isusweb.dll
- 2007-02-10 10:29:28 576,368 ----a-w C:\WINDOWS\Downloaded Program Files\RSClientPrint.dll
+ 2007-02-10 11:29:28 576,368 ----a-w C:\WINDOWS\Downloaded Program Files\RSClientPrint.dll
- 2007-10-27 17:39:57 25,214 ----a-r C:\WINDOWS\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe
+ 2007-11-13 05:02:04 25,214 ----a-r C:\WINDOWS\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe
+ 2007-11-13 02:52:28 20,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasis\9d711d2f\dd87c7d9\App_Code.9ccwt-us.dll
+ 2007-11-13 18:57:10 21,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasis\9d711d2f\dd87c7d9\App_Web_21edmga0.dll
+ 2007-11-13 04:30:26 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasis\9d711d2f\dd87c7d9\App_Web_4juieuv3.dll
+ 2007-11-13 02:52:33 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasis\9d711d2f\dd87c7d9\App_Web_sjqsyqmz.dll
+ 2007-11-07 05:15:12 20,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasiscrescent\4285bbb0\152e2ba4\App_Code.ypbaznez.dll
+ 2007-11-07 05:15:55 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasiscrescent\4285bbb0\152e2ba4\App_Web_bocatawz.dll
+ 2007-11-08 19:32:37 24,064 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasiscrescent\4285bbb0\152e2ba4\App_Web_qwq3rml0.dll
- 2006-07-20 18:24:38 516,832 ----a-w C:\WINDOWS\system32\capicom.dll
+ 2007-09-13 00:27:24 511,328 ----a-w C:\WINDOWS\system32\capicom.dll
- 2007-07-11 19:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-07-11 20:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
- 2007-08-07 18:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 19:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
- 2007-08-07 18:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-08-07 19:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2007-11-04 02:21:53 239,783 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-14 01:19:48 241,162 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2004-09-01 16:56:46 1,060,864 ----a-w C:\WINDOWS\system32\mfc71.dll
+ 2007-03-22 02:39:00 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.DLL
- 2007-06-26 01:22:09 118,784 ----a-w C:\WINDOWS\system32\mssunkere.dll
+ 2006-04-19 14:24:25 118,784 ----a-w C:\WINDOWS\system32\mssunkere.dll
- 2003-09-16 15:07:16 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
+ 2007-03-22 02:33:00 503,808 ----a-w C:\WINDOWS\system32\MSVCP71.DLL
- 2003-09-09 19:06:48 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
+ 2007-03-22 02:33:00 348,160 ----a-w C:\WINDOWS\system32\MSVCR71.DLL
- 2006-11-30 02:11:34 9,841 ----a-w C:\WINDOWS\system32\mswsnnote.dll
+ 2006-11-09 14:27:18 9,841 ----a-w C:\WINDOWS\system32\mswsnnote.dll
- 2007-10-22 13:59:13 111,288 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 15:23:05 111,314 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-22 13:59:13 543,370 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 15:23:05 543,396 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-23 00:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-11-14 01:16:42 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_918.dat
+ 2007-11-14 01:16:05 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c50.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1642f6d4-718b-46cd-af23-d6188aca3911}]
2007-11-02 22:43 81472 --a------ C:\WINDOWS\system32\kqfgxuwg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 15:33]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 13:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 20:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2005-08-01 06:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12]
"e0ac4c33"="C:\WINDOWS\system32\wdeusxjn.dll" [2007-11-02 22:37]
"DLCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2006-10-20 16:50]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 12:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue PowerSuite"="C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe" [2007-10-22 07:59]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 07:59]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2006-07-05 12:22:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe"
R2 SMSv3hs;SMSv3hs;C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe -service
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 01:35:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-11-05 04:43:22 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
"2007-10-25 21:39:32 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
"2007-10-25 23:48:52 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-11-14 01:35:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{0DF6990B-4264-46D2-BEFB-8AD4216508D0}.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 19:37:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2007-11-13 19:39:19
C:\ComboFix2.txt ... 2007-11-03 22:05
C:\ComboFix3.txt ... 2007-11-03 20:25
.
--- E O F ---

#8 LissM

LissM
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Texas

Posted 13 November 2007 - 08:44 PM

Here's the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:42 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {1193aca8-816d-32fa-dc64-b8174d6f2461} - {1642f6d4-718b-46cd-af23-d6188aca3911} - C:\WINDOWS\system32\kqfgxuwg.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [e0ac4c33] rundll32.exe "C:\WINDOWS\system32\wdeusxjn.dll",b
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193022506875
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://secure4.mergeapps.com/OASISTEST/Res...OpType=PrintCab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMSv3hs - Alexandria Software Consulting - C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11075 bytes
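Reading O23 lines like the ones above is how a helper picks out services worth a second look: a blank vendor, "Unknown owner", or an 8.3-mangled path. The following is an added example written for this thread (not HijackThis code, not from any post here) that parses those lines and attaches review flags; the sample log is constructed from lines of the same shape as the log above.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example, not HijackThis code. Each O23 line reads
"O23 - Service: <display> (<short>) - <vendor> - <path>"; the vendor is
the company name HijackThis reads from the file's version info, so a
blank vendor or "Unknown owner" means the binary has to be identified by
hand, and an 8.3 short path (PROGRA~1) hides the real folder name.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the same shape as the HijackThis log above; the
# O16 line is there to show that non-O23 lines are skipped.
SAMPLE_LOG = r"""
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# An empty vendor renders as "name -  - C:\..." in the raw log and as
# "name - - C:\..." once a web page has collapsed the double space; the
# optional space before the second dash accepts both forms. Anchoring the
# path on a drive letter keeps the lazy vendor match from swallowing it.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^()]+)\))?"
    r" - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.+)$"
)


@dataclass
class Service:
    display: str
    short: str
    vendor: str
    path: str
    flags: List[str] = field(default_factory=list)


def parse_o23(log_text: str) -> List[Service]:
    """Return one Service per O23 line; every other HijackThis line is skipped."""
    services: List[Service] = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        services.append(Service(
            display=m.group("display"),
            short=m.group("short") or m.group("display"),
            vendor=m.group("vendor").strip(),
            path=m.group("path").strip(),
        ))
    return services


def triage(services: List[Service]) -> List[Service]:
    """Attach review flags in place and return the services that received one."""
    for svc in services:
        if not svc.vendor or svc.vendor.lower() == "unknown owner":
            svc.flags.append("no company name in version info: identify the file by hand")
        if "~" in svc.path:
            svc.flags.append("8.3 short path: expand it to see the real folder name")
    return [svc for svc in services if svc.flags]


if __name__ == "__main__":
    for svc in triage(parse_o23(SAMPLE_LOG)):
        print(f"{svc.display} -> {svc.path}")
        for flag in svc.flags:
            print(f"    {flag}")
```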

#9 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,616 posts
  • Gender:Male

Posted 14 November 2007 - 12:29 AM

Well, you're welcome for the help. There is still a little left that is active but shouldn't take long to get rid of it.

Could you do me a favor first tho--go to Add/Remove programs via Control Panel and tell me if SpyGuardPro is listed? If so, please uninstall it.

Before performing this next step, please disable Spybot's TeaTimer as it may interfere with removal.

* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)


1. Click Start, then Run and type Notepad and click OK.

2. Now copy/paste the entire contents of the codebox below into the Notepad window:


File::
C:\WINDOWS\system32\kqfgxuwg.dll
C:\WINDOWS\system32\wdeusxjn.dll
C:\WINDOWS\mrofinu77.exe

Dirlook:
C:\Program Files\SpyGuardPro
C:\WINDOWS\system32\Mz08r
C:\TEMP\mZOr

Suspect::
C:\WINDOWS\system32\msxml3a.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1642f6d4-718b-46cd-af23-d6188aca3911}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e0ac4c33"=-

3. Name the Notepad file CFScript.txt and Save it to your desktop.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. ComboFix will generate the following files on your desktop
-A zipped file on your desktop called Submit [Date Time].zip
-And another file named CF-Submit.htm <-- don't concern yourself with this one
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

9. Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window :
-Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
-Click on the file to Select it.
-Submit the file by clicking "OK"
10. Once the file has been submitted, you may DELETE both files on your desktop.
11. Post the ComboFix.log contents in your next reply.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Please perform this online scan: Kaspersky Webscan
Note that you need to run this scan with Internet Explorer for it to work correctly.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete, save the results by clicking "Save Report As HTML". Give the report a name and save it to your desktop. If you have any problem saving the report, copy its text to the clipboard, then paste it into an empty Notepad and save it to your desktop.
9. Post the Kaspersky scan results in your next reply.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post back with the logs I've asked for, along with the information about uninstalling SpyGuardPro and a new HijackThis log.

The thing about people

is they change

when they walk away.--Mipso
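The CFScript posted above is a small line-oriented format: a `Name::` header opens a section, the lines under it are its entries, and the `Registry::` body uses .reg syntax (`[-key]` deletes a key, `"name"=-` deletes a value under the key named above it). The parser and linter below are an added example written for this thread, not ComboFix's own code; they assume that any line which is not a `Name::` header is read as an entry of the current section, a model the log in the next reply is consistent with (the `Dirlook:` paths show up under FILE) but which nothing on this page documents.

```python
r"""Parse and lint a ComboFix CFScript before it is run.

Added example for this thread, not ComboFix's own code. Assumed model of the
format: a line "Name::" opens a section and every other non-blank line is an
entry of the most recent section. The Registry:: body is .reg syntax, where
"[-HKEY\...]" deletes a key and "name"=- deletes a value under the current key.
"""
import re
from typing import Dict, List, Tuple

# Sample taken from the script posted above, "Dirlook:" reproduced as written.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\kqfgxuwg.dll
C:\WINDOWS\system32\wdeusxjn.dll
C:\WINDOWS\mrofinu77.exe

Dirlook:
C:\Program Files\SpyGuardPro
C:\WINDOWS\system32\Mz08r
C:\TEMP\mZOr

Suspect::
C:\WINDOWS\system32\msxml3a.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1642f6d4-718b-46cd-af23-d6188aca3911}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e0ac4c33"=-
"""

HEADER_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
# Two or more letters then colons: a header typed with one colon or with trailing
# text. A drive letter ("C:\...") is a single letter and does not match.
NEAR_HEADER_RE = re.compile(r"^[A-Za-z]{2,}:+.*$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REG_KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>HKEY_[A-Z_]+\\.*)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
PATH_SECTIONS = {"file", "dirlook", "suspect"}  # sections whose entries are paths


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split the script into {section: [entries]}; lines before any header go under ""."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def lint_cfscript(text: str) -> List[str]:
    """Return warnings for lines ComboFix would read differently than intended."""
    warnings: List[str] = []
    current = ""
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
        elif NEAR_HEADER_RE.match(line) and not WIN_PATH_RE.match(line):
            where = f"{current}::" if current else "no section"
            warnings.append(f"line {num}: {line!r} looks like a section header but is not "
                            f"'Name::'; it and the lines after it are read as entries of {where}")
        elif not current:
            warnings.append(f"line {num}: {line!r} appears before any section header")
        elif current.lower() in PATH_SECTIONS and not WIN_PATH_RE.match(line):
            warnings.append(f"line {num}: {line!r} in {current}:: is not an absolute path")
        elif current == "Registry" and not (REG_KEY_RE.match(line) or REG_VALUE_RE.match(line)):
            warnings.append(f"line {num}: {line!r} in Registry:: is not .reg syntax")
    return warnings


def registry_actions(entries: List[str]) -> List[Tuple[str, str, str]]:
    """Translate Registry:: lines into (action, key, value_name) tuples."""
    actions: List[Tuple[str, str, str]] = []
    key = ""
    for line in entries:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("key")
            if m.group("minus"):
                actions.append(("delete_key", key, ""))
        elif REG_VALUE_RE.match(line):
            v = REG_VALUE_RE.match(line)
            action = "delete_value" if v.group("data") == "-" else "set_value"
            actions.append((action, key, v.group("name")))
    return actions
```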


#10 LissM
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Texas

Posted 14 November 2007 - 10:45 PM

SpyGuardPro was not in Add/Remove Programs. I'm not sure if I mentioned this, but I caught the install when it started and cancelled it. It never existed in Add/Remove Programs because the install didn't finish running. I did double check it for you though.

Unchecked TeaTimer from the Resident tab. It did not exist on the System Startup List in S&D.

Created your script and ran ComboFix with it. Following is the ComboFix log. It did NOT create the zip file or the html file. Because of that, I decided NOT to complete the other steps until I heard from you again. Please let me know whether to continue or try running ComboFix again to get the zip file.

Thanks ~Liss




ComboFix 07-11-08.1 - Lissa 2007-11-14 21:02:54.4 - NTFSx86
Running from: C:\Documents and Settings\Lissa\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lissa\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\SpyGuardPro
C:\TEMP\mZOr
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\system32\kqfgxuwg.dll
C:\WINDOWS\system32\Mz08r
C:\WINDOWS\system32\wdeusxjn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\system32\kqfgxuwg.dll
C:\WINDOWS\system32\wdeusxjn.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-04 11:01 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-04 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-03 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 19:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 18:49 <DIR> d-------- C:\VundoFix Backups
2007-11-03 11:07 <DIR> d-------- C:\Documents and Settings\Lissa\.housecall6.6
2007-11-03 08:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 08:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 01:43 3,006 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 10:25 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-11-02 10:25 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-02 10:17 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-11-02 10:17 <DIR> d-------- C:\TEMP\mZOr
2007-10-31 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-10-31 08:39 <DIR> d-------- C:\Program Files\Common Files\HP
2007-10-31 08:30 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-10-31 08:30 37,376 --a------ C:\WINDOWS\system32\hpz3l3xu.dll
2007-10-31 08:28 827,392 -ra------ C:\WINDOWS\system32\hpotiop2.dll
2007-10-31 08:28 278,528 -ra------ C:\WINDOWS\system32\hpowiamd.dll
2007-10-31 08:28 258,122 -ra------ C:\WINDOWS\system32\hpovst09.dll
2007-10-31 08:28 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-10-31 08:28 6,784 --a------ C:\WINDOWS\system32\dllcache\serscan.sys
2007-10-31 08:18 89,329 --a------ C:\WINDOWS\hpoins06.dat
2007-10-31 08:18 5,389 --------- C:\WINDOWS\hpomdl06.dat
2007-10-31 08:17 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\HP
2007-10-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-10-25 15:27 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\System Tweaker
2007-10-25 07:07 <DIR> d-------- C:\Documents and Settings\Lissa\Application Data\Uniblue
2007-10-25 07:06 <DIR> d-------- C:\Program Files\Uniblue
2007-10-23 12:39 <DIR> d-------- C:\Program Files\Report Manager
2007-10-22 04:52 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-22 02:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-22 02:02 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2007-10-22 01:58 <DIR> d-------- C:\WINDOWS\RS9_KB934458_ENU
2007-10-22 01:52 <DIR> d-------- C:\WINDOWS\SQL9_KB934458_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-12 03:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-06 14:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-04 16:44 --------- d-----w C:\Program Files\Radium Technologies
2007-11-04 16:40 --------- d-----w C:\Program Files\Coupons
2007-11-01 12:55 --------- d-----w C:\Program Files\dl_Cats
2007-10-31 14:39 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-31 13:10 --------- d-----w C:\Program Files\Lx_cats
2007-10-28 23:59 0 ---ha-w C:\Documents and Settings\Mike\hpothb07.dat
2007-10-28 23:58 1,452 ---ha-w C:\hpothb07.dat
2007-10-27 21:57 --------- d-----w C:\Documents and Settings\Mike\Application Data\Symantec
2007-10-26 01:00 --------- d-----w C:\Program Files\PartyGaming
2007-10-22 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-22 08:04 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-10-22 07:39 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-22 02:42 --------- d-----w C:\Program Files\Norton 360
2007-10-10 21:08 --------- d-----w C:\Documents and Settings\Lissa\Application Data\TortoiseSVN
2007-10-05 02:25 724,984 ----a-w C:\Documents and Settings\Lissa\gotomypc_437.exe
2007-10-03 20:54 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 20:54 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 20:54 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 20:54 --------- d-----w C:\Program Files\Symantec
2007-10-02 13:27 --------- d-----w C:\Program Files\MSN Messenger
2007-09-29 03:57 --------- d-----w C:\Documents and Settings\Mike\Application Data\Subversion
2007-09-27 14:47 --------- d-----w C:\Program Files\e-Sword
2007-09-19 19:36 --------- d-----w C:\Program Files\Common Files\Merge Modules
2007-09-19 18:52 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-19 18:46 --------- d-----w C:\Program Files\MSXML 6.0
2007-09-19 18:43 --------- d-----w C:\Program Files\Microsoft Analysis Services
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 19:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 19:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 19:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 19:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 19:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 19:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 19:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 16:08 --------- d-----w C:\Program Files\Citrix
2007-09-18 15:53 --------- d-----w C:\Documents and Settings\Lissa\Application Data\Subversion
2007-09-18 15:40 --------- d-----w C:\Program Files\TortoiseSVN
2007-09-17 20:41 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-17 01:47 --------- d-----w C:\Program Files\Wmomdemo
2007-07-30 02:29 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-11-13 13:37 563,712 ----a-w C:\Documents and Settings\Lissa\gotomypc_372.exe
2006-11-01 22:43 821 ---ha-w C:\Documents and Settings\Lissa\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\LISSANOTEBOOK\ASPNET\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-10-19 11:18 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2006-10-19 11:16 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2006-07-24 11:53 563,712 ----a-w C:\Documents and Settings\Lissa\gotomypc_370.exe
2006-01-10 15:27 563,712 ----a-w C:\Documents and Settings\Lissa\370_gotomypc.exe
2005-12-25 09:38 483,401 ----a-w C:\Documents and Settings\Lissa\314_gotomypc.exe
2005-09-01 18:34 483,401 ----a-w C:\Documents and Settings\Lissa\gotomypc.exe
.

((((((((((((((((((((((((((((( snapshot_2007-11-13_19.37.27.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-14 15:08:53 20,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasis\9d711d2f\dd87c7d9\App_Code.1nberzya.dll
+ 2007-11-14 15:27:17 21,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasis\9d711d2f\dd87c7d9\App_Web_soayes5q.dll
+ 2007-11-14 15:08:56 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\oasis\9d711d2f\dd87c7d9\App_Web_xjszolnu.dll
- 2007-11-14 01:19:48 241,162 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-15 03:14:34 241,166 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-15 03:14:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_944.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 15:33]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 13:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 20:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2005-08-01 06:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12]
"DLCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2006-10-20 16:50]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 12:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue PowerSuite"="C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe" [2007-10-22 07:59]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 07:59]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2006-07-05 12:22:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R2 SMSv3hs;SMSv3hs;C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe"
S3 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe -service
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 03:15:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-11-05 04:43:22 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
"2007-10-25 21:39:32 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
"2007-10-25 23:48:52 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-11-15 03:15:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{0DF6990B-4264-46D2-BEFB-8AD4216508D0}.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 21:14:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2007-11-14 21:19:20 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-13 19:39
C:\ComboFix3.txt ... 2007-11-03 22:05
.
--- E O F ---

#11 LissM
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Texas

Posted 16 November 2007 - 01:50 PM

Ran SUPERAntiSpyware. Here's the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/16/2007 at 12:25 PM

Application Version : 3.9.1008

Core Rules Database Version : 3345
Trace Rules Database Version: 1346

Scan type : Complete Scan
Total Scan Time : 04:22:49

Memory items scanned : 663
Memory threats detected : 0
Registry items scanned : 7871
Registry threats detected : 3
File items scanned : 92795
File threats detected : 248

Adware.Tracking Cookie
C:\Documents and Settings\Mike\Cookies\mike@realmedia[2].txt
C:\Documents and Settings\Mike\Cookies\mike@reduxads.valuead[1].txt
C:\Documents and Settings\Mike\Cookies\mike@revenue[1].txt
C:\Documents and Settings\Mike\Cookies\mike@revsci[1].txt
C:\Documents and Settings\Mike\Cookies\mike@richmedia.yahoo[2].txt
C:\Documents and Settings\Mike\Cookies\mike@roiservice[2].txt
C:\Documents and Settings\Mike\Cookies\mike@rotabanner2.rian[1].txt
C:\Documents and Settings\Mike\Cookies\mike@s.clickability[1].txt
C:\Documents and Settings\Mike\Cookies\mike@screensavers[2].txt
C:\Documents and Settings\Mike\Cookies\mike@serving-sys[2].txt
C:\Documents and Settings\Mike\Cookies\mike@serving.rpowermedia[1].txt
C:\Documents and Settings\Mike\Cookies\mike@sevenloadgmbh.112.2o7[1].txt
C:\Documents and Settings\Mike\Cookies\mike@sextracker[2].txt
C:\Documents and Settings\Mike\Cookies\mike@smartmoney.112.2o7[1].txt
C:\Documents and Settings\Mike\Cookies\mike@smileycentral[1].txt
C:\Documents and Settings\Mike\Cookies\mike@specificclick[2].txt
C:\Documents and Settings\Mike\Cookies\mike@sportsad.adbureau[1].txt
C:\Documents and Settings\Mike\Cookies\mike@spylog[2].txt
C:\Documents and Settings\Mike\Cookies\mike@stat.dealtime[1].txt
C:\Documents and Settings\Mike\Cookies\mike@statcounter[2].txt
C:\Documents and Settings\Mike\Cookies\mike@stats.fullpond[2].txt
C:\Documents and Settings\Mike\Cookies\mike@stats.manticoretechnology[1].txt
C:\Documents and Settings\Mike\Cookies\mike@stats2.clicktracks[2].txt
C:\Documents and Settings\Mike\Cookies\mike@statse.webtrendslive[2].txt
C:\Documents and Settings\Mike\Cookies\mike@superstats[1].txt
C:\Documents and Settings\Mike\Cookies\mike@tacoda[2].txt
C:\Documents and Settings\Mike\Cookies\mike@tradedoubler[2].txt
C:\Documents and Settings\Mike\Cookies\mike@trafficmp[2].txt
C:\Documents and Settings\Mike\Cookies\mike@tremor.adbureau[2].txt
C:\Documents and Settings\Mike\Cookies\mike@tribalfusion[2].txt
C:\Documents and Settings\Mike\Cookies\mike@trinitymirror.112.2o7[1].txt
C:\Documents and Settings\Mike\Cookies\mike@tripod[1].txt
C:\Documents and Settings\Mike\Cookies\mike@try.screensavers[1].txt
C:\Documents and Settings\Mike\Cookies\mike@usatoday1.112.2o7[1].txt
C:\Documents and Settings\Mike\Cookies\mike@v7.stats.load[2].txt
C:\Documents and Settings\Mike\Cookies\mike@valueclick[2].txt
C:\Documents and Settings\Mike\Cookies\mike@wpni.112.2o7[1].txt
C:\Documents and Settings\Mike\Cookies\mike@www.addfreestats[2].txt
C:\Documents and Settings\Mike\Cookies\mike@www.burstbeacon[1].txt
C:\Documents and Settings\Mike\Cookies\mike@www.burstnet[1].txt
C:\Documents and Settings\Mike\Cookies\mike@www.claxonmedia[2].txt
C:\Documents and Settings\Mike\Cookies\mike@www.clickmanage[2].txt
C:\Documents and Settings\Mike\Cookies\mike@www.googleadservices[2].txt
C:\Documents and Settings\Mike\Cookies\mike@www.googleadservices[4].txt
C:\Documents and Settings\Mike\Cookies\mike@www.herfirstlesbiansex[1].txt
C:\Documents and Settings\Mike\Cookies\mike@www.herfirstlesbiansex[2].txt
C:\Documents and Settings\Mike\Cookies\mike@www.herfirstlesbiansex[3].txt
C:\Documents and Settings\Mike\Cookies\mike@www.hotbargainproperties[1].txt
C:\Documents and Settings\Mike\Cookies\mike@www.lesbianteenies[1].txt
C:\Documents and Settings\Mike\Cookies\mike@www.orgysexparties[2].txt
C:\Documents and Settings\Mike\Cookies\mike@www.orgysexparties[3].txt
C:\Documents and Settings\Mike\Cookies\mike@www.strengthsexplorer[2].txt
C:\Documents and Settings\Mike\Cookies\mike@www7.addfreestats[1].txt
C:\Documents and Settings\Mike\Cookies\mike@xiti[1].txt
C:\Documents and Settings\Mike\Cookies\mike@xxxcounter[1].txt
C:\Documents and Settings\Mike\Cookies\mike@yadro[2].txt
C:\Documents and Settings\Mike\Cookies\mike@youporn[1].txt
C:\Documents and Settings\Mike\Cookies\mike@youporn[2].txt
C:\Documents and Settings\Mike\Cookies\mike@z1.adserver[1].txt
C:\Documents and Settings\Mike\Cookies\mike@zedo[2].txt
C:\Documents and Settings\Mike\Cookies\mike@zillow.adbureau[1].txt

Malware.LocusSoftware Inc/SpyGuardPro
HKLM\Software\SpyGuardPro
HKLM\Software\SpyGuardPro#ProductCode
HKLM\Software\SpyGuardPro#InstallDate
C:\Program Files\SpyGuardPro

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINUNINSTALLER.EXE.VIR

MyWay Search Assistant Computers
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP406\A0066362.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP411\A0068088.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP411\A0068089.DLL

#12 LissM

Posted 16 November 2007 - 05:42 PM

KASPERSKY ONLINE SCANNER REPORT
Friday, November 16, 2007 4:40:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/11/2007
Kaspersky Anti-Virus database records: 460557
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 99251
Number of viruses found 2
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 03:31:02

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c7d47dd8b983a10be23a759799701bb_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-16_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\D0568860.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Lissa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Lissa\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lissa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lissa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lissa\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lissa\Local Settings\History\History.IE5\MSHist012007111620071117\index.dat Object is locked skipped
C:\Documents and Settings\Lissa\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Lissa\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Lissa\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lissa\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lissa\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_124.trc Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\LogFiles\ReportServerService__11_16_2007_12_43_22.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\LogFiles\ReportServerService__main_11_16_2007_12_42_43.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\Program Files\Rosetta Stone\SMS v3.0hs\ServerStandardError.txt Object is locked skipped
C:\Program Files\Rosetta Stone\SMS v3.0hs\ServerStandardOutput.txt Object is locked skipped
C:\Program Files\Rosetta Stone\SMS v3.0hs\smsdata\database\smsDBv3.odb Object is locked skipped
C:\Program Files\Rosetta Stone\SMS v3.0hs\smsdata\database\smsDBv3.odf Object is locked skipped
C:\Program Files\Rosetta Stone\SMS v3.0hs\smsdata\database\smsDBv3.odt Object is locked skipped
C:\Program Files\Rosetta Stone\SMS v3.0hs\stderr.txt Object is locked skipped
C:\Program Files\Rosetta Stone\SMS v3.0hs\stdout.txt Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kqfgxuwg.dll.vir Infected: Trojan.Win32.BHO.re skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP406\A0066393.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP406\A0066393.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP406\A0066393.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP406\A0066403.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP413\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\4084 Object is locked skipped
C:\WINDOWS\Temp\JETEE6F.tmp Object is locked skipped
C:\WINDOWS\Temp\JETF1AB.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1c8.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_938.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

#13 LissM

Posted 16 November 2007 - 05:44 PM

OK. Here's the newest HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:54 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZinw12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193022506875
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://secure4.mergeapps.com/OASISTEST/Res...OpType=PrintCab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMSv3hs - Alexandria Software Consulting - C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11344 bytes

#14 Papakid (Guru at being a Newbie)
Malware Response Team, 6,616 posts

Posted 20 November 2007 - 11:34 PM

Apologies again for the long delay.

Your system appears to be clear of any active malware. Just a few leftover folders and that one file we'll just have to check out online.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\lmsxml3a.dl

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Delete these folders that are known to be bad:

C:\Program Files\SpyGuardPro
C:\WINDOWS\system32\Mz08r
C:\TEMP\mZOr

Please post back with the jotti scan results and a fresh HijackThis log and let me know how the system is running now.

The thing about people is they change when they walk away. --Mipso


#15 LissM (Topic Starter)
Members, 16 posts, Texas

Posted 23 November 2007 - 05:58 PM

Jotti Results:

File: msxml3a.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 718d1c9346a991ee101f2dfa72a50d70
Packers detected: -
Bit9 reports: No threat detected

Scan taken on 23 Nov 2007 22:55:01 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

HJT log to follow.
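As an added example (not part of the thread), a small Python triage helper for the step Papakid describes and the report LissM posted: after a multi-engine "Found nothing", confirm that the file on disk is the one the scanner actually judged by recomputing the MD5 the report lists, keep a SHA-256 alongside it for any lookups you do yourself, and flag a file name that sits one edit away from a genuine Windows component (msxml3.dll is the real MSXML 3 parser; the reported msxml3a.dll is a different name, and a near-miss name is a triage signal, not a verdict, especially when every engine returned clean). KNOWN_SYSTEM_DLLS is a short list constructed for the example, not an authoritative one, and the sample bytes are a stand-in, not the real DLL.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# MD5 that the Jotti report in this thread lists for the uploaded file.
REPORTED_MD5 = "718d1c9346a991ee101f2dfa72a50d70"

# Constructed sample list of genuine Windows file names; extend from a real
# inventory of the target system before relying on it.
KNOWN_SYSTEM_DLLS = ["msxml3.dll", "msxml6.dll", "kernel32.dll", "user32.dll"]


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5 so the result can be matched against the scanner's report, SHA-256
    for your own lookups: MD5 collisions are cheap to produce, so two different
    files can share an MD5, while a SHA-256 match identifies the file in practice."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Same as hash_bytes but streamed, so large files need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def same_file_as_report(data: bytes, reported_md5: str) -> bool:
    """True only if the bytes you have are the bytes the scanner judged; a
    mismatch means the upload, the path, or the file has changed since."""
    return hash_bytes(data)["md5"] == reported_md5.strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(name: str, known: List[str], max_distance: int = 1) -> List[Tuple[str, int]]:
    """Known system file names within max_distance edits of `name`, excluding an
    exact match. Ordered by distance, then name. A hit means 'look closer',
    nothing more: msxml3.dll vs msxml6.dll are both legitimate and one edit apart."""
    target = name.lower()
    hits = [(k, levenshtein(target, k.lower())) for k in known]
    return sorted(((k, d) for k, d in hits if 0 < d <= max_distance), key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    sample = b"MZ" + b"\x00" * 62  # constructed stand-in, not the real msxml3a.dll
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dll") as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        print("on-disk hashes:", hash_file(path))
        print("matches report:", same_file_as_report(sample, REPORTED_MD5))
        print("lookalikes:", lookalike_names("msxml3a.dll", KNOWN_SYSTEM_DLLS))
    finally:
        os.unlink(path)
```

The hash comparison is the part worth keeping in the workflow: a clean multi-engine result only covers the exact bytes that were uploaded, so record the SHA-256 of the file you checked and re-hash before trusting that result on a later visit.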



