System Alert: Trojan-spyware.win32@mx


10 replies to this topic

#1 Vita


Posted 24 November 2007 - 10:42 PM

Have run all your recommended programs, as well as Spyware Doctor, XoftSpy, AVG, Nod32.
Following is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:29 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wdlalcvj.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{724EC7E7-A59D-4B9D-B3DB-193549CC3C09}: NameServer = 202.27.158.40,202.27.156.72
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5365 bytes

#2 Vita


Posted 27 November 2007 - 06:54 AM

I'm not meaning to bump this thread, but I've been doing a bit of research into this line from the HJT log.

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab

After reading this report http://www.benedelman.org/spyware/180-affiliates/ I have discovered that this is most likely the reason I am getting these pop-ups, as it describes the sort of activity that is happening.
Can one of the experts advise if I would be correct, and also how to go about removing this filth.

I stand at the ready for your much appreciated info, and have the donation button at the ready!
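The post above reasons from one HijackThis line (the O16 DPF entry pointing at the zangocash cab) to a diagnosis. The script below is an added illustration, not part of the original thread and not code from HijackThis or BleepingComputer: it parses log lines in the HijackThis v2 format and flags the three entry shapes this thread ends up removing, namely orphaned entries marked "(no file)", O16 ActiveX downloads from hosts outside a short allowlist, and randomly named DLLs under system32 such as wdlalcvj.dll. The allowlist, the "random-looking name" heuristic and the sample lines (copied from the log in this thread) are assumptions for the example.

```python
"""Triage helper for HijackThis v2 logs.

Added example for this thread; not part of HijackThis. It flags the entry shapes
a helper would look at first, so a reader can review them by hand.
"""
import re
from urllib.parse import urlsplit

# Sample lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wdlalcvj.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
"""

# Every HijackThis entry starts with a section tag (R1, O3, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter paths without spaces (enough for system32 DLLs, which is all we test).
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")
URL_RE = re.compile(r"https?://\S+")

# Assumed allowlist of ActiveX (O16 DPF) download hosts a defender expects on an XP box.
KNOWN_DPF_HOSTS = {"download.macromedia.com", "cdn2.zone.msn.com", "java.sun.com"}
# HijackThis sections whose payload is a DLL loaded into the browser or every process:
# O2 BHOs, O3 toolbars, O20 AppInit_DLLs / Winlogon Notify, O21 SSODL, O22 SharedTaskScheduler.
DLL_LOADER_KINDS = {"O2", "O3", "O20", "O21", "O22"}


def parse_hjt(text):
    """Return [(kind, body, raw_line)] for each entry line; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), line.strip()))
    return entries


def looks_random(path):
    """Heuristic (assumption): an 8-letter lowercase basename with at most two vowels
    sitting directly in system32, like wdlalcvj.dll or sugebptk.dll from this thread."""
    m = re.search(r"system32\\([a-z]{8})\.dll$", path, re.IGNORECASE)
    if not m:
        return False
    name = m.group(1).lower()
    return sum(c in "aeiou" for c in name) <= 2


def triage(text):
    """Return [(reason, raw_line)] for entries that deserve a human's attention."""
    findings = []
    for kind, body, raw in parse_hjt(text):
        if "(no file)" in body:
            # HijackThis already marks components whose file is gone; they are
            # leftovers of a removed or self-deleting component and safe to fix.
            findings.append(("orphaned entry: registered component has no file on disk", raw))
            continue
        if kind == "O16":
            url = URL_RE.search(body)
            host = urlsplit(url.group(0)).hostname if url else None
            if host not in KNOWN_DPF_HOSTS:
                findings.append((f"ActiveX download from unexpected host {host}", raw))
        if kind in DLL_LOADER_KINDS:
            for path in WIN_PATH_RE.findall(body):
                if looks_random(path):
                    findings.append(("random-looking DLL name loaded into browser/processes", raw))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Treat the output as a reading order, not a verdict: the Flash entry passes only because its host is on the assumed allowlist, and an 8-letter legitimate DLL with few vowels would be flagged for review too.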

#3 bamajim


Posted 29 November 2007 - 04:22 PM

Vita

Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#4 Vita


Posted 01 December 2007 - 07:10 PM

ComboFix 07-12-02.5 - Owner 2007-12-02 12:51:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT 13:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\WINDOWS\system32\fhhkj.ini
C:\WINDOWS\system32\fhhkj.ini2
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\mbjtpiwq.dll
C:\WINDOWS\system32\npwgcain.dll
C:\WINDOWS\system32\opnlmlk.dll
C:\WINDOWS\system32\wdlalcvj.dllbox
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-11-27 14:11 . 2007-11-29 14:08 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-26 13:10 . 2007-11-26 13:06 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-26 13:10 . 2007-11-26 13:07 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-11-26 13:10 . 2007-11-26 13:06 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-11-25 16:39 . 2007-11-25 16:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 13:38 . 2007-11-25 13:39 714,581 --ahs---- C:\WINDOWS\system32\jiidinwq.ini
2007-11-22 21:18 . 2007-11-25 13:30 1,604 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-22 21:17 . 2007-11-25 13:32 <DIR> d-------- C:\New Folder
2007-11-22 20:58 . 2007-11-22 20:59 973,459 --a------ C:\SmitfraudFix.zip
2007-11-22 16:02 . 2007-11-22 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-22 12:38 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-22 12:33 . 2007-11-25 13:38 776,072 --ahs---- C:\WINDOWS\system32\gckcpaaj.ini
2007-11-22 11:07 . 2007-11-26 15:57 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-20 05:55 . 2007-11-22 10:18 689,531 --ahs---- C:\WINDOWS\system32\ktpbegus.ini
2007-11-20 05:47 . 2007-11-20 05:47 0 --a------ C:\Documents and Settings\Owner\x.dat
2007-11-20 05:46 . 2007-11-20 05:46 4,914 --a------ C:\Documents and Settings\Owner\z.dat
2007-11-19 17:09 . 2007-11-19 17:09 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-19 17:08 . 2007-11-19 17:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Adssite Advanced Toolbar
2007-11-18 09:36 . 2007-11-19 22:02 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-11-17 18:26 . 2007-11-22 10:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-17 18:26 . 2007-11-22 10:21 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-17 18:10 . 2007-11-19 21:48 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-11-17 18:09 . 2007-11-22 12:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-17 10:45 . 2007-11-17 10:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ohana Games
2007-11-15 21:50 . 2007-01-20 01:11 40,960 --a------ C:\WINDOWS\system32\Fish Tycoon.scr
2007-11-14 11:33 . 2007-11-15 21:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GameHouse
2007-11-14 11:33 . 2007-11-19 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2007-11-11 12:43 . 2007-11-11 12:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 23:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-17 20:31 --------- d-----w C:\Program Files\Yahoo!
2007-11-03 20:16 --------- d-----w C:\Program Files\Google
2007-10-30 02:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-10-29 05:02 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2007-10-27 08:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sandlot Games
2007-10-25 16:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 16:05 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 16:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 16:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 15:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-18 02:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Jane s Hotel
2007-10-12 22:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 22:52 --------- d-----w C:\Program Files\MyFree Codec
2007-10-12 22:48 65,024 ----a-w C:\WINDOWS\IFinst26.exe
2007-10-12 22:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\DataCast
2007-10-12 22:46 --------- d-----w C:\Program Files\Samsung
2007-10-12 22:46 --------- d-----w C:\Program Files\MarkAny
2007-10-12 22:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2007-02-19 02:34 310 -c--a-w C:\Documents and Settings\Owner\Application Data\bbbconfig.dat
2005-10-19 08:01 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 14:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-26 13:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-26 04:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-10 13:33]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wdlalcvj]
wdlalcvj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Watch.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Watch.lnk
backup=C:\WINDOWS\pss\Watch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 12:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4140064]
rundll32.exe C:\WINDOWS\system32\sugebptk.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 11:56 15360 --a--c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\system32\gzmrotate.dll DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
2007-01-30 20:36 57344 --a------ C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDNS]
C:\WINDOWS\system32\service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
1998-12-10 13:33 23040 --a------ C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-09-20 08:23 132624 --a------ C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Soltek]
C:\WINDOWS\system32\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 05:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-14 14:39 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R3 Intels51;XH1154 DSE Modem 56K - PCI Int HaM V2;C:\WINDOWS\system32\DRIVERS\Intels51.sys
S3 SFC4;SFC4;C:\WINDOWS\system32\drivers\SFC4.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b659d588-301e-11da-9b7e-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.EXE

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 13:04:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 13:06:45 - machine was rebooted
.
--- E O F ---

#5 bamajim


Posted 02 December 2007 - 03:31 PM

Vita

1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\jiidinwq.ini
C:\WINDOWS\system32\gckcpaaj.ini
C:\WINDOWS\system32\ktpbegus.ini
C:\Documents and Settings\Owner\x.dat
C:\Documents and Settings\Owner\z.dat
C:\WINDOWS\system32\sugebptk.dll
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe

Folder::
C:\Program Files\WinAble

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wdlalcvj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4140064]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDNS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
Save the File as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again. Do so,
following the same rules as indicated in my first post,
then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security

#6 Vita


Posted 02 December 2007 - 04:43 PM

Hey Bamajim
Here is the new log.
I appreciate your time looking into this, LEGEND!

Cory

ComboFix 07-12-02.5 - Owner 2007-12-03 10:35:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.73 [GMT 13:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-11-27 14:11 . 2007-11-29 14:08 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-26 13:10 . 2007-11-26 13:06 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-26 13:10 . 2007-11-26 13:07 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-11-26 13:10 . 2007-11-26 13:06 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-11-25 16:39 . 2007-11-25 16:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 13:38 . 2007-11-25 13:39 714,581 --ahs---- C:\WINDOWS\system32\jiidinwq.ini
2007-11-22 21:18 . 2007-11-25 13:30 1,604 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-22 21:17 . 2007-11-25 13:32 <DIR> d-------- C:\New Folder
2007-11-22 20:58 . 2007-11-22 20:59 973,459 --a------ C:\SmitfraudFix.zip
2007-11-22 16:02 . 2007-11-22 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-22 12:38 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-22 12:33 . 2007-11-25 13:38 776,072 --ahs---- C:\WINDOWS\system32\gckcpaaj.ini
2007-11-22 11:07 . 2007-11-26 15:57 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-20 05:55 . 2007-11-22 10:18 689,531 --ahs---- C:\WINDOWS\system32\ktpbegus.ini
2007-11-20 05:47 . 2007-11-20 05:47 0 --a------ C:\Documents and Settings\Owner\x.dat
2007-11-20 05:46 . 2007-11-20 05:46 4,914 --a------ C:\Documents and Settings\Owner\z.dat
2007-11-19 17:09 . 2007-11-19 17:09 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-19 17:08 . 2007-11-19 17:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Adssite Advanced Toolbar
2007-11-18 09:36 . 2007-11-19 22:02 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-11-17 18:26 . 2007-11-22 10:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-17 18:26 . 2007-11-22 10:21 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-17 18:10 . 2007-11-19 21:48 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-11-17 18:09 . 2007-11-22 12:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-17 10:45 . 2007-11-17 10:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ohana Games
2007-11-15 21:50 . 2007-01-20 01:11 40,960 --a------ C:\WINDOWS\system32\Fish Tycoon.scr
2007-11-14 11:33 . 2007-11-15 21:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GameHouse
2007-11-14 11:33 . 2007-11-19 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2007-11-11 12:43 . 2007-11-11 12:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 23:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-17 20:31 --------- d-----w C:\Program Files\Yahoo!
2007-11-03 20:16 --------- d-----w C:\Program Files\Google
2007-10-30 02:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-10-29 05:02 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2007-10-27 08:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sandlot Games
2007-10-25 16:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 16:05 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 16:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 16:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 15:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 15:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 15:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-10-18 02:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Jane s Hotel
2007-10-12 22:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 22:52 --------- d-----w C:\Program Files\MyFree Codec
2007-10-12 22:48 65,024 ----a-w C:\WINDOWS\IFinst26.exe
2007-10-12 22:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\DataCast
2007-10-12 22:46 --------- d-----w C:\Program Files\Samsung
2007-10-12 22:46 --------- d-----w C:\Program Files\MarkAny
2007-10-12 22:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2007-09-22 02:33 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
2007-09-22 02:33 44,544 ----a-w C:\WINDOWS\system32\msxml4a.dll
2007-02-19 02:34 310 -c--a-w C:\Documents and Settings\Owner\Application Data\bbbconfig.dat
2005-10-19 08:01 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-02_13.05.56.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-02 21:31:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 14:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-26 13:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-26 04:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-10 13:33]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wdlalcvj]
wdlalcvj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Watch.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Watch.lnk
backup=C:\WINDOWS\pss\Watch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 12:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4140064]
rundll32.exe C:\WINDOWS\system32\sugebptk.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 11:56 15360 --a--c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\system32\gzmrotate.dll DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
2007-01-30 20:36 57344 --a------ C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDNS]
C:\WINDOWS\system32\service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
1998-12-10 13:33 23040 --a------ C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-09-20 08:23 132624 --a------ C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Soltek]
C:\WINDOWS\system32\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 05:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-14 14:39 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R3 Intels51;XH1154 DSE Modem 56K - PCI Int HaM V2;C:\WINDOWS\system32\DRIVERS\Intels51.sys
S3 SFC4;SFC4;C:\WINDOWS\system32\drivers\SFC4.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b659d588-301e-11da-9b7e-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.EXE

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 10:39:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 10:40:44
C:\ComboFix2.txt ... 2007-12-02 13:06
.
--- E O F ---

#7 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 03 December 2007 - 08:58 AM

Vita

You are most welcome

That was not the result I was looking for. Let's do it this way

1. Please download the Killbox.
1) Save it to the desktop
2) Rt Click->>Extract all->>Extract it to your Desktop
3) Double Click Killbox.exe to run it
4) Select "Delete on Reboot", and then select "All files".
5) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\jiidinwq.ini
C:\WINDOWS\system32\gckcpaaj.ini
C:\WINDOWS\system32\ktpbegus.ini
C:\Documents and Settings\Owner\x.dat
C:\Documents and Settings\Owner\z.dat
C:\WINDOWS\system32\sugebptk.dll
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.

2. Open Notepad (Not Wordpad)
Select Edit and uncheck Wordwrap
Copy and paste the following into Notepad
(Making sure there is no space between the top of the window and the first line)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wdlalcvj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4140064]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDNS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
After you copy and paste it your cursor should be at the end of the first line
Hit Enter so your cursor is under the last line
Click File->>Save as->>type in fix.reg->>
Under "Save as type" Select "All Files"->> save it to your Desktop
Close Notepad
The fix.reg file should now appear on your Desktop (If it saved properly it will look like a stack of small blue blocks)

Rt Click and Select merge->>If prompted to Merge this Select Yes (it will appear that nothing has happened but that's o.k.)

Reboot your PC ->> Rerun Combofix and post a fresh combofix log, so I can check the effectiveness of the fix
Microsoft MVP - Windows Security
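The entries bamajim singles out above can also be picked out mechanically. The Python below is an added example, not code from this thread or from ComboFix: it parses the startupreg blocks of a ComboFix log (the embedded sample is constructed from entries in this thread) and flags autostart commands that run from an unusual directory, carry a Windows system-binary name outside system32, have no absolute path, or are loaded through rundll32, so a reviewer can decide what to delete. The heuristics and directory lists are this example's own assumptions, not ComboFix's logic.

```python
import ntpath
import re
# Constructed sample: startupreg blocks copied from the ComboFix logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4140064]
rundll32.exe C:\WINDOWS\system32\sugebptk.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 11:56 15360 --a--c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\system32\gzmrotate.dll DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe
"""

HEADER_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
# Some entries carry a "date time size attributes" prefix before the command; strip it.
META_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S{9} (?P<cmd>.*)$")
# Unquoted paths may contain spaces, so the command is split at the first executable extension.
CMD_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|dll|scr|com))(?:\s+(?P<args>.*))?$", re.I)
DLL_RE = re.compile(r"^(?P<dll>.+?\.dll)", re.I)
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
ODD_DIRS = (r"c:\windows", r"c:\windows\fonts")  # heuristic: startup programs rarely live here

def parse_startupreg(log_text):
    """Return (name, exe, args) for every startupreg block in the log text."""
    entries, lines = [], log_text.splitlines()
    for i, line in enumerate(lines):
        head = HEADER_RE.match(line.strip())
        if not head:
            continue
        cmd = ""  # the command is the next non-empty line, unless that is already another header
        for nxt in lines[i + 1:]:
            if nxt.strip():
                cmd = "" if nxt.lstrip().startswith("[") else nxt.strip()
                break
        meta = META_RE.match(cmd)
        parts = CMD_RE.match(meta.group("cmd") if meta else cmd)
        exe, args = (parts.group("exe"), parts.group("args") or "") if parts else (cmd, "")
        entries.append((head.group("name"), exe, args))
    return entries

def assess(exe, args):
    """Heuristic review reasons for one autostart command; an empty list means nothing unusual."""
    low = exe.lower()
    folder, base = ntpath.dirname(low), ntpath.basename(low)
    reasons = []
    if not folder:
        reasons.append("no absolute path: the binary is resolved through the PATH search order")
    if folder in ODD_DIRS or "\\temp\\" in low:
        reasons.append(f"runs from an unusual location: {folder}")
    if base in SYSTEM_BINARIES and folder != SYSTEM32:
        reasons.append(f"{base} is a Windows system binary name but lives outside {SYSTEM32}")
    if base == "rundll32.exe":
        dll = DLL_RE.match(args)
        reasons.append(f"rundll32 loader: verify the publisher of {dll.group('dll') if dll else args}")
    return reasons

def triage(log_text):
    """Map the name of each flagged startupreg entry to its review reasons."""
    return {name: r for name, exe, args in parse_startupreg(log_text) if (r := assess(exe, args))}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
```

Entries with no reasons (ctfmon.exe in the sample) are simply not listed; everything flagged still needs a human decision, which is what the thread's helper provides.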

#8 Vita

Vita
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 PM

Posted 03 December 2007 - 04:15 PM

ComboFix 07-12-02.5 - Owner 2007-12-04 10:01:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.63 [GMT 13:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-11-27 14:11 . 2007-11-29 14:08 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-26 13:10 . 2007-11-26 13:06 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-26 13:10 . 2007-11-26 13:07 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-11-26 13:10 . 2007-11-26 13:06 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-11-25 16:39 . 2007-11-25 16:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 21:18 . 2007-11-25 13:30 1,604 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-22 21:17 . 2007-11-25 13:32 <DIR> d-------- C:\New Folder
2007-11-22 20:58 . 2007-11-22 20:59 973,459 --a------ C:\SmitfraudFix.zip
2007-11-22 16:02 . 2007-11-22 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-22 12:38 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-22 11:07 . 2007-11-26 15:57 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-19 17:09 . 2007-11-19 17:09 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-19 17:08 . 2007-11-19 17:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Adssite Advanced Toolbar
2007-11-18 09:36 . 2007-11-19 22:02 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-11-17 18:26 . 2007-11-22 10:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-17 18:26 . 2007-11-22 10:21 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-17 18:10 . 2007-11-19 21:48 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-11-17 18:09 . 2007-11-22 12:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-17 10:45 . 2007-11-17 10:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ohana Games
2007-11-15 21:50 . 2007-01-20 01:11 40,960 --a------ C:\WINDOWS\system32\Fish Tycoon.scr
2007-11-14 11:33 . 2007-11-15 21:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GameHouse
2007-11-14 11:33 . 2007-11-19 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2007-11-11 12:43 . 2007-11-11 12:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 23:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-17 20:31 --------- d-----w C:\Program Files\Yahoo!
2007-11-03 20:16 --------- d-----w C:\Program Files\Google
2007-10-30 02:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-10-29 05:02 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2007-10-27 08:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sandlot Games
2007-10-25 16:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 16:05 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 16:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 16:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 15:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 15:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 15:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-10-18 02:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Jane s Hotel
2007-10-12 22:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 22:52 --------- d-----w C:\Program Files\MyFree Codec
2007-10-12 22:48 65,024 ----a-w C:\WINDOWS\IFinst26.exe
2007-10-12 22:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\DataCast
2007-10-12 22:46 --------- d-----w C:\Program Files\Samsung
2007-10-12 22:46 --------- d-----w C:\Program Files\MarkAny
2007-10-12 22:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2007-09-22 02:33 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
2007-09-22 02:33 44,544 ----a-w C:\WINDOWS\system32\msxml4a.dll
2007-02-19 02:34 310 -c--a-w C:\Documents and Settings\Owner\Application Data\bbbconfig.dat
2005-10-19 08:01 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-02_13.05.56.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-03 20:58:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 14:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-26 13:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-26 04:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-10 13:33]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Watch.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Watch.lnk
backup=C:\WINDOWS\pss\Watch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 12:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 11:56 15360 --a--c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
2007-01-30 20:36 57344 --a------ C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
1998-12-10 13:33 23040 --a------ C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-09-20 08:23 132624 --a------ C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Soltek]
C:\WINDOWS\system32\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 05:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-14 14:39 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R3 Intels51;XH1154 DSE Modem 56K - PCI Int HaM V2;C:\WINDOWS\system32\DRIVERS\Intels51.sys
S3 SFC4;SFC4;C:\WINDOWS\system32\drivers\SFC4.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b659d588-301e-11da-9b7e-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.EXE

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 10:04:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 10:05:35
C:\ComboFix2.txt ... 2007-12-03 10:40
C:\ComboFix3.txt ... 2007-12-02 13:06
.
--- E O F ---

#9 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 03 December 2007 - 04:27 PM

Vita

Good job.

Post a fresh Hijackthis log. And in your reply give me an update on how your PC is running now.
Microsoft MVP - Windows Security

#10 Vita

Vita
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 PM

Posted 03 December 2007 - 04:33 PM

Computer is running pretty good, haven't seen any pop ups for a little while, and running smoothly

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:02 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{724EC7E7-A59D-4B9D-B3DB-193549CC3C09}: NameServer = 202.27.158.40,202.27.156.72
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 5308 bytes

#11 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 05 December 2007 - 08:13 AM

Vita

Excellent, just one to clean up.

1. Rerun Hijackthis (scan only) and place checks beside the following entry
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC

You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean

There are some final notes:
Disable and Enable System Restore
Let's create a clean System Restore point
the instructions are here
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6.u3.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windowsi586-p.exe to install the newest version.
Update your Anti Virus Software

Use and maintain a Firewall
There is a list HERE, all of which are free
Download and install SiteHound by Firetrust for protection against malicious websites.

Pick the version that matches your browser

Visit Microsoft's Windows Update Site Frequently for critical updates

Backup your Important Documents and Files on a regular basis
To a disc or a USB key, not your Hard drive
You may want to read this article "So how did I get infected in the first place" by Tony Klein

surf safe
Microsoft MVP - Windows Security



