Massive Infections?


5 replies to this topic

#1 safeandnontoxic (Members)

Posted 03 December 2007 - 02:58 AM

Every time I open a new web page, be it in IE or Firefox, an IE popup opens with ads ranging from eBay ads, to steak delivery, money giveaway offers, to ringtones, etc.

Help please? Several antispyware/antivirus programs used.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:26 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\svchost.exe
C:\windows\Fonts\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Desktop\HiJackThis.exe
C:\windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Host Process] C:\windows\Fonts\svchost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148335837000
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

--
End of file - 4086 bytes
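The HijackThis log above already contains the tell-tale entry: a process called svchost.exe running from C:\windows\Fonts, started from HKLM\..\Run as [Host Process]. The real svchost.exe lives in System32 and is started by the Service Control Manager, never from a Run key, so a copy of a core binary name outside its home directory, or in any Run key, is worth flagging on sight. The following script is an added example written for this page; it is not part of the thread, of HijackThis or of Trend Micro. It parses the "Running processes" block and the O4 lines of a HijackThis log and reports such look-alikes. The list of core binaries, the system root of C:\windows and the finding wording are this example's own assumptions, and the sample log lines are constructed from the log above.

```python
import re
from pathlib import PureWindowsPath

# Binaries that Windows starts itself from %SystemRoot%\System32 (explorer.exe from
# %SystemRoot%). A copy living anywhere else, or one launched from a Run key, is the
# look-alike trick behind the "Host Process" entry in the log above. (Example's own list.)
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)


def exe_path(command):
    """Pull the executable path out of a Run-key command line, quoted or not."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else None


def expected_dir(name, system_root):
    return system_root if name == "explorer.exe" else system_root + "\\system32"


def check_path(path, system_root="C:\\windows"):
    """Return a reason if `path` carries a core-binary name outside its home directory, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in SYSTEM_BINARIES:
        return None
    home = expected_dir(name, system_root)
    if str(p.parent).lower() != home.lower():
        return f"{name} running from {p.parent} instead of {home}"
    return None


def parse_hjt(log_text):
    """Split a HijackThis log into its 'Running processes' list and its O4 autostart entries."""
    processes, run_entries = [], []
    in_procs = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False          # the process list ends at the first blank line
        else:
            m = O4_RE.match(line)
            if m:
                run_entries.append((m.group("hive"), m.group("name"), exe_path(m.group("cmd"))))
    return processes, run_entries


def triage(log_text):
    """Return one finding per suspicious process or autostart entry."""
    findings = []
    processes, run_entries = parse_hjt(log_text)
    for proc in processes:
        reason = check_path(proc)
        if reason:
            findings.append(f"process: {reason}")
    for hive, name, path in run_entries:
        if path is None:
            continue
        reason = check_path(path)
        if reason:
            findings.append(f"autostart [{name}] in {hive}: {reason}")
        elif PureWindowsPath(path).name.lower() in SYSTEM_BINARIES:
            # Even from the right directory, a core binary has no business in a Run key.
            findings.append(f"autostart [{name}] in {hive}: core binary launched from a Run key")
    return findings


# Constructed sample: the relevant lines of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\svchost.exe
C:\windows\Fonts\svchost.exe
C:\windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [Host Process] C:\windows\Fonts\svchost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the Fonts copy of svchost.exe twice, once as a running process and once as the [Host Process] autostart; the GoogleToolbarNotifier and Windows Defender entries pass because neither carries a core-binary name. The directory comparison is case-insensitive on purpose, since HijackThis prints paths exactly as the registry or process list holds them (System32 and system32 both appear in the log above).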


#2 teacup61 (Malware Response Team)

Posted 03 December 2007 - 02:37 PM

Hello safeandnontoxic,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it is running; that may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 safeandnontoxic (Topic Starter)

Posted 05 December 2007 - 01:29 AM

Seems to be a lot of porn, if that has anything to do with it; got the computer about a month ago from my cousin. Also posting the HJT log.

ComboFix 07-12-02.7 - Owner 2007-12-03 22:02:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126 [GMT -8:00]
Running from: C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WindowsUpdate\qusozycu4444.dll
C:\Program Files\WindowsUpdate\qusozycu83122.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\windows\b122.exe
C:\WINDOWS\Fonts\svchost.exe
C:\windows\mrofinu1000106.exe
C:\windows\mrofinu1188.exe
C:\WINDOWS\system32\jtvwphts.ini
C:\windows\system32\pac.txt
C:\WINDOWS\system32\prutv.ini
C:\WINDOWS\system32\prutv.ini2
C:\windows\system32\sthpwvtj.dll
C:\windows\system32\vturp.dll
C:\windows\tk58.exe
C:\windows\TTC-4444.exe
C:\winlogon.exe
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE


((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 19:29 . 2007-12-03 19:29 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-02 20:05 . 2007-12-02 20:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-02 20:02 . 2007-12-02 20:02 <DIR> d-------- C:\WINDOWS\system32\mm6
2007-12-02 20:02 . 2007-12-02 20:02 <DIR> d-------- C:\WINDOWS\system32\hv2
2007-12-02 20:02 . 2007-12-02 20:02 <DIR> d-------- C:\WINDOWS\system32\dr1
2007-12-02 20:02 . 2007-12-02 20:02 134 --a------ C:\n.bat
2007-12-02 20:01 . 2007-12-02 20:01 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-12-02 20:01 . 2007-12-02 20:02 <DIR> d-------- C:\Temp\bkR11
2007-12-02 20:01 . 2007-12-03 22:09 <DIR> d-------- C:\Temp
2007-12-02 20:01 . 2007-12-02 20:01 37,376 --a------ C:\WINDOWS\system32\urqrspn.dll
2007-11-28 16:51 . 2007-11-28 16:51 <DIR> d-------- C:\Program Files\Digital Satin Productions
2007-11-17 17:43 . 2007-11-17 17:44 <DIR> d-------- C:\Program Files\Ring Factory
2007-11-17 17:43 . 2007-11-17 17:43 3,120 --a------ C:\WINDOWS\system32\AEAG3WCU.ocx
2007-11-17 17:43 . 2007-11-17 17:43 3,120 --a------ C:\WINDOWS\DTHKDHJV.ocx
2007-11-11 18:29 . 2007-11-11 18:29 <DIR> d-------- C:\Program Files\Microsoft Encarta
2007-11-11 18:27 . 2007-11-11 18:28 <DIR> d-------- C:\Program Files\Microsoft Streets & Trips
2007-11-11 18:21 . 2007-11-11 18:21 376 --a------ C:\WINDOWS\ODBC.INI
2007-11-11 18:20 . 2007-11-11 18:20 <DIR> d-------- C:\WINDOWS\ShellNew
2007-11-11 18:20 . 2007-11-11 18:20 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-11 18:14 . 2007-11-11 18:14 <DIR> d-------- C:\Program Files\Microsoft Works Suite 2003
2007-11-11 16:08 . 2007-11-11 16:08 4 --a------ C:\timestmp.tmp
2007-11-11 16:07 . 2001-08-17 22:36 462,848 --a--c--- C:\WINDOWS\system32\dllcache\a3dapi.dll
2007-11-11 16:07 . 2001-08-17 22:36 462,848 --a------ C:\WINDOWS\system32\a3dapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 05:26 118,342 ----a-w C:\windows\Fonts\x.zip
2007-12-04 05:26 --------- d-----w C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data\LimeWire
2007-12-04 03:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-12-03 06:10 --------- d-----w C:\Program Files\LimeWire
2007-12-03 02:57 --------- d-----w C:\Program Files\Soulseek-Test
2007-11-12 02:27 --------- d-----w C:\Program Files\Microsoft Money
2007-11-12 02:22 --------- d-----w C:\Program Files\Microsoft Works
2007-11-06 06:32 --------- d-----w C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data\Yahoo!
2007-11-06 06:30 --------- d-----w C:\Program Files\Yahoo!
2007-11-05 04:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2007-10-25 18:34 --------- d-----w C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data\IMVU
2007-10-23 07:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 07:59 --------- d-----w C:\Program Files\MARS
2007-10-20 08:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PopCap
2007-10-11 05:00 --------- d-----w C:\Program Files\AOL 9.0
2007-10-11 04:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-11 04:59 --------- d-----w C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data\AOL
2007-10-11 04:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2007-10-11 04:58 --------- d-----w C:\Program Files\Common Files\aolshare
2007-10-11 04:57 209,436 ----a-w C:\windows\aolunins_us.exe
2007-10-11 04:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads
2007-10-10 05:02 --------- d-----w C:\Program Files\America Online 8.0
2007-01-10 20:15 290,820 ----a-w C:\windows\Fonts\Setup.exe
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Goda.bmp.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\God Put A Smile Upon Your Face.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\God must be busy.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\God is a girl.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go mpg must on queen show the.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\GO ME BENT.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go leafs.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go home dub alley mp3.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\GO HARD OR GO HOME.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go Go band.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go girl.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\GO GIRL.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go for a soda.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go dj album.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go crazy remix - young jeezy.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Glykeria.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Glow angel.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Gloria jewel.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Gloria gaynor i will survive mp 3.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Global Deejays Rozalla Everybody's Free.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Global california dreaming.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Glenn Jones Together.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Glass hammer.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Gladiator xxx.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Giving middle finger.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give thanks.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give one more chance.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give my love to you.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give my love away.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give me that gusha.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give me pink.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give me pink zafira.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give me more.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give me man this christmas.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Give love at christmas.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls that go.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls of summer.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls of maxim.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls night out4.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls night out pics.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls night out avi.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls next door.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls mind.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls kiss girls.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls gone wild.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls gone wild uncut nasty version mpg.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls Gone Wild Sex.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls gone wild ggw.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls Gone Wild Baby.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls bleeping.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls doing bad things mov.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls and the sea.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girls aloud.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girlfriend bleeped.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girlfriend always forever.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girlfriend- bow wow.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl tried to kill me ice t.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl tonight trey songz twista.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl tied nude sex porn xxx.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl riding.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl power 2.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl nude beach.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl next door soundtrack spin.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl he geeked up.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl gives dog blow job.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl get your money.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl full katie length college.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl for me.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Girl 19 Yr Old Sucks.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Giochi pc ita.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Ginuwine The Life.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Ginuwine - it's real.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Gino soccio.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Gina wild.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Gina Wild porno.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Gina wild girls gone totally .zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Gina Wild 1 -Ficken ohne Ende.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B46C8C0-C711-42E5-9609-928DC9BA80D4}]
2007-12-04 07:51 331360 --a------ C:\windows\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-12-02 20:01 37376 --a------ C:\windows\system32\urqrspn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 15:13]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-17 22:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-04-24 07:05]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\windows\system32\urqrspn.dll [2007-12-02 20:01 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrspn]
urqrspn.dll 2007-12-02 20:01 37376 C:\WINDOWS\system32\urqrspn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\windows\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.OWNER-4E3ED9A2A^Start Menu^Programs^Startup^America Online 5.0 Tray Icon.lnk]
path=C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Start Menu\Programs\Startup\America Online 5.0 Tray Icon.lnk
backup=C:\windows\pss\America Online 5.0 Tray Icon.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\aim\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amendrawbodyaudio]
C:\Documents and Settings\All Users.WINDOWS\Application Data\thunk move amen draw\does new.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\AOL 9.0\AOL.EXE -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-18 16:42 79448 --a------ C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 04:50 71216 -ra------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Grammulti]
C:\DOCUME~1\OWNER~1.OWN\APPLIC~1\EXITMP~1\SOFTHOLD32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1148284972\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\windows\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\windows\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2005-05-31 01:04 1415824 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\valve\steam\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 03:23 75520 --a------ C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-26 15:13 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-03-28 14:10 224248 --a------ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ewido security suite control"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL ACS"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

R1 ewido security suite driver;ewido security suite driver;\??\C:\Program Files\ewido anti-malware\guard.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\windows\system32\DRIVERS\mr97310c.sys
S3 SNDP610;Dual Mode Camera;C:\windows\system32\DRIVERS\sndp610.sys

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 09:51:00 C:\windows\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 07:47:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 7:53:49 - machine was rebooted
.
--- E O F ---




HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:00 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\1192078628\ee\aolsoftware.exe
C:\windows\System32\svchost.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\windows\system32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\windows\system32\msiexec.exe
C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148335837000
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

--
End of file - 4522 bytes
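ComboFix's "Reg Loading Points" section in the log above shows why this infection survived the earlier scans: awtsr.dll is registered both as a Browser Helper Object and as an LSA Authentication Package (so it is loaded into lsass.exe at boot), while urqrspn.dll is a BHO, a ShellExecuteHook and a Winlogon Notify package at the same time. The Find3M report adds a second pattern worth a look of its own: dozens of 118,343-byte .zip files with search-term-like names, all under C:\windows\Fonts\-\. The script below is an added example written for this page, not part of the thread or of ComboFix. It parses those two sections, reports every non-default entry in the privileged load points, correlates DLLs that turn up under more than one load point, and groups Find3M file entries by directory and size. The key descriptions, the default-package list and the cluster threshold are this example's own assumptions; the sample lines are constructed from the log above.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Load points where ComboFix prints only non-default entries and where a DLL is loaded
# into a sensitive host (lsass.exe, winlogon.exe, Explorer, Internet Explorer). Example's own wording.
PRIVILEGED_KEYS = {
    "control\\lsa": "LSA authentication package (loaded into lsass.exe at boot)",
    "winlogon\\notify": "Winlogon notification package (loaded into winlogon.exe)",
    "shellexecutehooks": "ShellExecuteHook (loaded into Explorer)",
    "browser helper objects": "Browser Helper Object (loaded into Internet Explorer)",
}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # the only authentication package on a stock XP install

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DLL_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.dll', re.IGNORECASE)
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+\S+\s+(?P<path>.+)$")

def parse_loading_points(text):
    """Yield (registry key, [value lines]) for each block of the REGEDIT4-style dump."""
    key, values = None, []
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            if key:
                yield key, values
            key, values = m.group("key"), []
        elif key and line:
            values.append(line)
    if key:
        yield key, values

def classify(key):
    """Map a registry key to a privileged load-point description, or None."""
    k = key.lower()
    return next((desc for needle, desc in PRIVILEGED_KEYS.items() if needle in k), None)

def triage_loading_points(text):
    """Return (findings, {dll name: set of load-point descriptions it is registered under})."""
    findings, dll_sites = [], defaultdict(set)
    for key, values in parse_loading_points(text):
        desc = classify(key)
        if not desc:
            continue
        for value in values:
            for dll in DLL_RE.findall(value):
                dll_sites[PureWindowsPath(dll).name.lower()].add(desc)
            if key.lower().endswith("\\lsa") and value.startswith("Authentication Packages"):
                extra = [p for p in value.split()[3:] if p.lower() not in DEFAULT_AUTH_PACKAGES]
                if extra:
                    findings.append(f"non-default LSA authentication package(s): {', '.join(extra)}")
            elif "Browser Helper" not in desc:
                # Non-default Notify and ShellExecuteHook entries are rare; report every one.
                findings.append(f"{desc}: {value}")
    for dll, sites in sorted(dll_sites.items()):
        if len(sites) > 1:  # one DLL wired into several load points is a dropper's habit, not a product's
            findings.append(f"{dll} registered in {len(sites)} load points: {'; '.join(sorted(sites))}")
    return findings, dict(dll_sites)

def find_size_clusters(find3m_text, min_count=5):
    """Group Find3M file entries by (directory, size) and return groups of at least min_count."""
    groups = defaultdict(list)
    for line in find3m_text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:  # directory entries (size '---------') and headers do not match
            continue
        path = PureWindowsPath(m.group("path").strip())
        groups[(str(path.parent).lower(), int(m.group("size").replace(",", "")))].append(path.name)
    return {k: v for k, v in groups.items() if len(v) >= min_count}

# Constructed samples: the relevant lines of the ComboFix log posted above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B46C8C0-C711-42E5-9609-928DC9BA80D4}]
2007-12-04 07:51 331360 --a------ C:\windows\system32\awtsr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-12-02 20:01 37376 --a------ C:\windows\system32\urqrspn.dll
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\windows\system32\urqrspn.dll [2007-12-02 20:01 37376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrspn]
urqrspn.dll 2007-12-02 20:01 37376 C:\WINDOWS\system32\urqrspn.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\windows\system32\awtsr.dll
"""
SAMPLE_FIND3M = r"""
2007-12-04 05:26 118,342 ----a-w C:\windows\Fonts\x.zip
2007-12-03 06:10 --------- d-----w C:\Program Files\LimeWire
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Goda.bmp.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go leafs.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Go Go band.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Glykeria.zip
2007-01-10 20:15 118,343 ----a-w C:\windows\Fonts\-\Glass hammer.zip
"""

if __name__ == "__main__":
    print(*triage_loading_points(SAMPLE_REG)[0], sep="\n")
    print(*(f"{len(n)} files of {s} bytes in {d}" for (d, s), n in find_size_clusters(SAMPLE_FIND3M).items()), sep="\n")
```

On the sample the registry triage produces five findings: the ShellExecuteHook and Winlogon Notify entries, the extra LSA package, and the two correlations (awtsr.dll under two load points, urqrspn.dll under three). The LSA check matters most for the cleanup decision: a DLL named in Authentication Packages is mapped into lsass.exe before any user logs on, which is why the helper's CFScript targets awtsr.dll and urqrspn.dll by file name rather than only their BHO registrations.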

#4 teacup61 (Malware Response Team)

Posted 05 December 2007 - 06:18 PM

Hello,


* Download Deljob.exe and save it to your desktop.
Double-click Deljob.exe.

A log (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply, please.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\windows\system32\awtsr.dll
C:\windows\system32\urqrspn.dll
C:\windows\mrofinu1000106.exe

Folder::
C:\windows\Fonts
C:\Program Files\WinAble


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Thanks,
tea

#5 safeandnontoxic (Topic Starter)

Posted 07 December 2007 - 12:22 AM

I seem to have lost all my fonts with that last step; should I just reinstall Microsoft Word after all this is cleared up?

--------------------------------------------------------
No LOP jobs found
--------------------------------------------------------
Files remaining after cleaning

MP Scheduled Scan.job
--------------------------------------------------------
App data folders

Volume in drive C has no label.
Volume Serial Number is 18AE-E616

Directory of C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data

09/11/2007 09:38 PM <DIR> .
09/11/2007 09:38 PM <DIR> ..
06/13/2006 09:28 PM <DIR> Adobe
06/04/2006 10:39 PM <DIR> Aim
10/10/2007 08:59 PM <DIR> AOL
05/21/2006 08:33 PM <DIR> AVG7
07/10/2007 12:48 PM <DIR> DivX
07/17/2007 01:38 PM <DIR> Google
05/24/2006 03:28 PM <DIR> Help
05/21/2006 08:14 PM <DIR> IDENTI~1 Identities
10/25/2007 10:34 AM <DIR> IMVU
06/13/2006 09:28 PM <DIR> INTERT~1 InterTrust
12/03/2007 09:26 PM <DIR> LimeWire
04/30/2006 12:30 AM <DIR> MACROM~1 Macromedia
11/11/2007 06:38 PM <DIR> MICROS~1 Microsoft
10/10/2007 08:54 PM <DIR> Mozilla
05/22/2006 10:14 PM <DIR> MSNINS~1 MSNInstaller
05/02/2007 06:51 PM <DIR> Real
09/11/2007 09:38 PM <DIR> SECOND~1 SecondLife
07/24/2007 10:40 PM <DIR> SMARTD~1 SmartDraw
03/04/2007 12:18 AM <DIR> Sun
12/25/2006 10:11 PM <DIR> TORREN~1 Torrent101
02/08/2007 07:15 PM <DIR> VIEWPO~1 Viewpoint
11/05/2007 10:32 PM <DIR> Yahoo!
05/22/2006 12:04 AM <DIR> YOU'VE~1 You've Got Pictures Screensaver
0 File(s) 0 bytes
25 Dir(s) 20,944,506,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 18AE-E616

Directory of C:\Documents and Settings\All Users.WINDOWS\Application Data

11/04/2007 08:57 PM <DIR> .
11/04/2007 08:57 PM <DIR> ..
11/14/2006 11:52 PM <DIR> Adobe
10/10/2007 08:59 PM <DIR> AOL
10/10/2007 08:54 PM <DIR> AOLDOW~1 AOL Downloads
12/03/2007 07:55 PM <DIR> avg7
05/22/2006 06:21 PM <DIR> Google
05/21/2006 08:33 PM <DIR> Grisoft
10/10/2007 08:59 PM <DIR> MACROM~1 Macromedia
05/21/2006 10:55 PM <DIR> McAfee
12/03/2007 07:29 PM <DIR> MICROS~1 Microsoft
10/20/2007 12:45 AM <DIR> PopCap
05/22/2006 12:03 AM <DIR> PURENE~1 Pure Networks
06/01/2006 09:56 PM <DIR> QUICKT~1 QuickTime
12/26/2006 05:32 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
08/09/2006 10:40 PM <DIR> Trymedia
12/27/2006 03:52 PM <DIR> VIEWPO~1 Viewpoint
06/28/2006 07:17 AM <DIR> WINDOW~1 Windows Genuine Advantage
11/04/2007 08:54 PM <DIR> yahoo!
0 File(s) 0 bytes
19 Dir(s) 20,944,506,880 bytes free
--------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:29 PM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\windows\System32\svchost.exe
C:\windows\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148335837000
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: urqrspn - urqrspn.dll (file missing)

--
End of file - 5225 bytes



ComboFix log too long to post, will post alone in next log

#6 safeandnontoxic

  • Topic Starter
  • Members
  • 4 posts
  • Location:los angeles
  • Local time:12:51 PM

Posted 07 December 2007 - 12:47 AM

Combofix Log


ComboFix 07-12-02.7 - Owner 2007-12-05 20:41:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -8:00]
Running from: C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\windows\mrofinu1000106.exe
C:\windows\system32\awtsr.dll
C:\windows\system32\urqrspn.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.
2007-12-05 23:47 . 2007-12-05 23:47 <DIR> d-------- C:\WINDOWS\fonts
2007-12-03 19:29 . 2007-12-03 19:29 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-02 20:05 . 2007-12-02 20:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-02 20:02 . 2007-12-02 20:02 <DIR> d-------- C:\WINDOWS\system32\mm6
2007-12-02 20:02 . 2007-12-02 20:02 <DIR> d-------- C:\WINDOWS\system32\hv2
2007-12-02 20:02 . 2007-12-02 20:02 <DIR> d-------- C:\WINDOWS\system32\dr1
2007-12-02 20:02 . 2007-12-02 20:02 134 --a------ C:\n.bat
2007-12-02 20:01 . 2007-12-02 20:01 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-12-02 20:01 . 2007-12-02 20:02 <DIR> d-------- C:\Temp\bkR11
2007-12-02 20:01 . 2007-12-03 22:09 <DIR> d-------- C:\Temp
2007-11-28 16:51 . 2007-11-28 16:51 <DIR> d-------- C:\Program Files\Digital Satin Productions
2007-11-17 17:43 . 2007-11-17 17:44 <DIR> d-------- C:\Program Files\Ring Factory
2007-11-17 17:43 . 2007-11-17 17:43 3,120 --a------ C:\WINDOWS\system32\AEAG3WCU.ocx
2007-11-17 17:43 . 2007-11-17 17:43 3,120 --a------ C:\WINDOWS\DTHKDHJV.ocx
2007-11-11 18:29 . 2007-11-11 18:29 <DIR> d-------- C:\Program Files\Microsoft Encarta
2007-11-11 18:27 . 2007-11-11 18:28 <DIR> d-------- C:\Program Files\Microsoft Streets & Trips
2007-11-11 18:21 . 2007-11-11 18:21 376 --a------ C:\WINDOWS\ODBC.INI
2007-11-11 18:20 . 2007-11-11 18:20 <DIR> d-------- C:\WINDOWS\ShellNew
2007-11-11 18:20 . 2007-11-11 18:20 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-11 18:14 . 2007-11-11 18:14 <DIR> d-------- C:\Program Files\Microsoft Works Suite 2003
2007-11-11 16:08 . 2007-11-11 16:08 4 --a------ C:\timestmp.tmp
2007-11-11 16:07 . 2001-08-17 22:36 462,848 --a--c--- C:\WINDOWS\system32\dllcache\a3dapi.dll
2007-11-11 16:07 . 2001-08-17 22:36 462,848 --a------ C:\WINDOWS\system32\a3dapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 05:26 --------- d-----w C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data\LimeWire
2007-12-04 03:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-12-03 06:10 --------- d-----w C:\Program Files\LimeWire
2007-12-03 02:57 --------- d-----w C:\Program Files\Soulseek-Test
2007-11-12 02:27 --------- d-----w C:\Program Files\Microsoft Money
2007-11-12 02:22 --------- d-----w C:\Program Files\Microsoft Works
2007-11-06 06:32 --------- d-----w C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data\Yahoo!
2007-11-06 06:30 --------- d-----w C:\Program Files\Yahoo!
2007-11-05 04:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2007-10-25 18:34 --------- d-----w C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data\IMVU
2007-10-23 07:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 07:59 --------- d-----w C:\Program Files\MARS
2007-10-20 08:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PopCap
2007-10-11 05:00 --------- d-----w C:\Program Files\AOL 9.0
2007-10-11 04:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-11 04:59 --------- d-----w C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Application Data\AOL
2007-10-11 04:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2007-10-11 04:58 --------- d-----w C:\Program Files\Common Files\aolshare
2007-10-11 04:57 209,436 ----a-w C:\windows\aolunins_us.exe
2007-10-11 04:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads
2007-10-10 05:02 --------- d-----w C:\Program Files\America Online 8.0
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 15:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-04-24 07:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrspn]
urqrspn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.OWNER-4E3ED9A2A^Start Menu^Programs^Startup^America Online 5.0 Tray Icon.lnk]
path=C:\Documents and Settings\Owner.OWNER-4E3ED9A2A\Start Menu\Programs\Startup\America Online 5.0 Tray Icon.lnk
backup=C:\windows\pss\America Online 5.0 Tray Icon.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\aim\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amendrawbodyaudio]
C:\Documents and Settings\All Users.WINDOWS\Application Data\thunk move amen draw\does new.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\AOL 9.0\AOL.EXE -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-18 16:42 79448 --a------ C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 04:50 71216 -ra------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Grammulti]
C:\DOCUME~1\OWNER~1.OWN\APPLIC~1\EXITMP~1\SOFTHOLD32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1148284972\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\windows\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\windows\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2005-05-31 01:04 1415824 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\valve\steam\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 03:23 75520 --a------ C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-26 15:13 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-03-28 14:10 224248 --a------ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ewido security suite control"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL ACS"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

R1 ewido security suite driver;ewido security suite driver;\??\C:\Program Files\ewido anti-malware\guard.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\windows\system32\DRIVERS\mr97310c.sys
S3 SNDP610;Dual Mode Camera;C:\windows\system32\DRIVERS\sndp610.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 07:51:06 C:\windows\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 00:03:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-06 0:09:02 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 07:53
.
--- E O F ---



