
Popups Everywhere


  • This topic is locked
33 replies to this topic

#1 johnksc

  • Members

Posted 15 December 2007 - 08:14 PM

I am getting tons of popups. I ran Ad-Aware, Trend Micro HouseCall, Search and Destroy, and Avast, all in safe mode. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:27 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\spoolcv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\sdir\locop.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sdir\locop.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\windows\system32\rwwdw64d.exe
C:\WINDOWS\system32\mcntxwa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [{A1-1E-E4-4D-ZN}] C:\WINDOWS\SYSTEM32\mrdsrngj.exe CHD003
O4 - HKLM\..\Run: [{A1-1E-E4-4D-DW}] c:\windows\system32\rwwdw64d.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mcntxwa.exe CHD003
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [e44a1ee2] rundll32.exe "C:\WINDOWS\system32\qooungjy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\mcntxwa.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwdw64d.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\mrdsrngj.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm492MTUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.8/ttinst.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe

--
End of file - 8383 bytes
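A helper reads a log like the one above for a handful of signals: Run entries whose executables carry generated-looking names inside system32 and all share one odd argument (CHD003), a value name that is a bare hex blob loading a DLL through rundll32, an AppInit_DLLs entry, an orphaned button whose file is missing, and a service with no registered owner whose file name is one letter away from spoolsv.exe. The script below is an added example, not part of the thread and not HijackThis code or the helper's own method; it scores constructed sample lines copied from the log with those heuristics. The core-binary list, the vowel threshold and the scoring weights are my own assumptions.

```python
"""Triage a HijackThis log for autostart entries worth a closer look.
Added example for this thread: not HijackThis code and not the helper's own
method. Heuristics: generated-looking names inside the Windows directory,
lookalikes of core Windows binaries, O4 entries sharing one odd argument,
orphaned O3/O9 entries, AppInit_DLLs, and services with no registered owner."""
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG_LINES = [
    r'O4 - HKLM\..\Run: [{A1-1E-E4-4D-ZN}] C:\WINDOWS\SYSTEM32\mrdsrngj.exe CHD003',
    r'O4 - HKLM\..\Run: [{A1-1E-E4-4D-DW}] c:\windows\system32\rwwdw64d.exe CHD003',
    r'O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mcntxwa.exe CHD003',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [e44a1ee2] rundll32.exe "C:\WINDOWS\system32\qooungjy.dll",b',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)',
    r'O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll',
    r'O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe',
]
ENTRY_RE = re.compile(r'^(?P<kind>[RO]\d+) - (?P<body>.*)$')
O4_RE = re.compile(r'^[^:]*:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
HEX_NAME_RE = re.compile(r'^(\{[0-9A-Za-z-]+\}|[0-9a-f]{6,})$')
CORE_BINARIES = {'svchost', 'spoolsv', 'ctfmon', 'explorer', 'rundll32', 'lsass',
                 'services', 'winlogon', 'smss', 'csrss', 'wuauclt'}  # names malware imitates

def split_command(cmd):
    """(executable, arguments) of an O4 command; quoted paths may contain spaces."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmd)
    return m.group(1) or m.group(2), m.group(3).strip()

def stem_of(path):
    """Lower-case file name without directory or extension."""
    return path.rsplit('\\', 1)[-1].lower().rsplit('.', 1)[0]

def looks_random(stem):
    """Six or more alphanumerics with almost no vowels: a generated name (assumed threshold)."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not stem.isalnum() or not letters:
        return False
    return sum(c in 'aeiou' for c in letters) / len(letters) <= 0.15

def lookalike_of(stem):
    """Core binary that this name differs from in exactly one character, else None."""
    hits = [k for k in CORE_BINARIES if len(k) == len(stem) and sum(a != b for a, b in zip(stem, k)) == 1]
    return hits[0] if hits else None

def path_findings(path, role):
    """Name-based checks on one file path; returns (score, reasons)."""
    stem = stem_of(path)
    if stem in CORE_BINARIES:
        return 0, []
    known = lookalike_of(stem)
    if known:
        return 3, [f'{role} {stem} is one character away from core binary {known}']
    if looks_random(stem) and '\\windows\\' in path.lower():
        return 2, [f'{role} {stem} has a generated-looking name inside the Windows directory']
    return 0, []

def score_entry(line):
    """Score one log line; returns (score, reasons, exe, args), exe/args set for O4 only."""
    m = ENTRY_RE.match(line)
    if not m:
        return 0, [], None, ''
    kind, body = m.group('kind'), m.group('body')
    score, reasons, exe, args = 0, [], None, ''
    o4 = O4_RE.match(body) if kind == 'O4' else None
    if o4:
        exe, args = split_command(o4.group('cmd'))
        if HEX_NAME_RE.match(o4.group('name')):
            score, reasons = 2, ['value name is a hex/GUID-style blob: ' + o4.group('name')]
        s, r = path_findings(exe, 'executable')
        score, reasons = score + s, reasons + r
        dll = re.search(r'"?([^",]+\.dll)', args, re.IGNORECASE) if stem_of(exe) == 'rundll32' else None
        if dll:  # rundll32 is a common loader for a payload DLL that has no process of its own
            s, r = path_findings(dll.group(1), 'DLL')
            score, reasons = score + 1 + s, reasons + ['rundll32 loads ' + dll.group(1)] + r
    elif kind in ('O3', 'O9') and ('(no file)' in body or '(file missing)' in body):
        score, reasons = 1, ['orphaned entry: target file is missing']
    elif kind == 'O20' and body.startswith('AppInit_DLLs:'):
        score, reasons = 3, ['AppInit_DLLs is loaded into every process that uses user32.dll']
    elif kind == 'O23' and 'Unknown owner' in body:
        s, r = path_findings(body.rsplit(' - ', 1)[-1], 'service binary')
        score, reasons = 1 + s, ['service binary carries no company name'] + r
    return score, reasons, exe, args

def triage(lines):
    """Score every entry, then add the shared-argument signal across O4 entries."""
    scored, by_arg = [], {}
    for line in lines:
        score, reasons, exe, args = score_entry(line.rstrip('\n'))
        scored.append([line, score, reasons, exe, args])
        if exe and args:
            by_arg.setdefault(args, set()).add(stem_of(exe))
    for item in scored:
        args = item[4]
        if args and len(by_arg[args]) >= 2:  # one odd argument shared by unrelated executables
            item[1] += 2
            item[2].append(f'argument {args!r} is shared by {len(by_arg[args])} different executables')
    findings = [(line, score, reasons) for line, score, reasons, _, _ in scored if score > 0]
    return sorted(findings, key=lambda f: -f[1])

if __name__ == '__main__':
    for line, score, reasons in triage(SAMPLE_LOG_LINES):
        print(f'[{score}] {line}\n      ' + '\n      '.join(reasons))
```

Scores are a triage aid, not a verdict: a generated-looking name is a prompt to check the file's signature, version information and creation date, and a legitimate vendor binary can still trip the vowel heuristic. The ctfmon and QuickTime entries in the sample are left unflagged, which is the behaviour to check first whenever the weights are changed.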


#2 RichieUK

    Malware Assassin

  • Malware Response Team

Posted 16 December 2007 - 08:05 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, johnksc.
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 johnksc

  • Topic Starter
  • Members

Posted 16 December 2007 - 11:04 AM

SDFix: Version 1.118

Run by Jason on Sun 12/16/2007 at 10:49 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
symavc32

Path:
\??\C:\WINDOWS\system32\drivers\symavc32.sys

symavc32 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Jason\Favorites\Online Security Guide.lnk - Deleted
C:\Documents and Settings\Jason\Favorites\Winantivirus Pro 2006 Popup-misc Popup Ads.url - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\abW9\tPho.log - Deleted
C:\Temp\bkR11\ftCa.log - Deleted
C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
C:\Documents and Settings\Jason\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
C:\DOCUME~1\Jason\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\17PHolmes572.exe - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted



Folder C:\Temp\abW9 - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\bkR11 - Removed
Folder C:\WINDOWS\system32\h2 - Removed
Folder C:\WINDOWS\system32\rMa02yy - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 10:53:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\lkceyuom.exe"="C:\\WINDOWS\\system32\\lkc"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\system32\\jlysecps.exe"="C:\\WINDOWS\\system32\\jly"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\ujpgmoyk.exe"="C:\\WINDOWS\\system32\\ujp"
"C:\\Program Files\\Yahoo! Games\\Yahoo! Ten Pin Championship Bowling\\Yahoo Ten Pin Championship Bowling.exe"="C:\\Program Files\\Yahoo! Games\\Yahoo! Ten Pin Championship Bowling\\Yahoo Ten Pin Championship Bowling.exe:*:Disabled:Skyworks Ten Pin Championship Bowling"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sun 2 Dec 2007 2,630,833 ..SH. --- "C:\WINDOWS\SYSTEM32\lbyoojmr.tmp"
Wed 12 Dec 2007 97,280 ..SHR --- "C:\WINDOWS\SYSTEM32\spoolcv.exe"
Thu 29 Nov 2007 20,810 ..SH. --- "C:\WINDOWS\SYSTEM32\zqvmdttc.dllbox"
Mon 17 Jan 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 25 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico1.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico2.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico3.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico4.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico5.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico6.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico7.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico8.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\ico9.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Kelly\Local Settings\Temp\icoA.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\ico1.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\ico2.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\ico3.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\ico4.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\ico5.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\icoB.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\icoC.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\icoD.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\icoE.tmp"
Wed 28 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Madison\Local Settings\Temp\icoF.tmp"
Sat 15 Dec 2007 5,535,061 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT3.tmp"
Sat 15 Dec 2007 170,697,558 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT1.tmp"
Sat 15 Dec 2007 11,306,977 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT4.tmp"
Sat 15 Dec 2007 15,530,519 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT2.tmp"
Mon 17 Jan 2005 4,348 ...H. --- "C:\Documents and Settings\Jason\My Documents\My Music\License Backup\drmv1key.bak"
Mon 17 Jan 2005 20 A..H. --- "C:\Documents and Settings\Jason\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 17 Jan 2005 400 A.SH. --- "C:\Documents and Settings\Jason\My Documents\My Music\License Backup\drmv2key.bak"
Fri 11 May 2007 8 A..H. --- "C:\Documents and Settings\Kelly\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 11 May 2007 8 A..H. --- "C:\Documents and Settings\Kelly\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 12 May 2007 8 A..H. --- "C:\Documents and Settings\Kelly\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 12 May 2007 8 A..H. --- "C:\Documents and Settings\Kelly\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Fri 11 May 2007 8 A..H. --- "C:\Documents and Settings\Madison\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 11 May 2007 8 A..H. --- "C:\Documents and Settings\Madison\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 11 May 2007 8 A..H. --- "C:\Documents and Settings\Madison\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Fri 11 May 2007 8 A..H. --- "C:\Documents and Settings\Madison\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!
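The "Authorized Application Key Export" in the report above is the Windows Firewall exception list, and three of its entries (lkceyuom.exe, jlysecps.exe, ujpgmoyk.exe) have values cut short after three characters instead of the path:scope:state:name shape the firewall writes. The script below is an added example, not SDFix code and not the helper's method; it parses a constructed excerpt of that export and reports entries that fail the structural checks. The rule that an enabled exception inside the Windows directory should carry a resource-string name (the `@xpsp2res.dll,-22019` form the sessmgr entry has) is my own assumption about how Windows-created entries look.

```python
"""Sanity-check the Windows Firewall AuthorizedApplications export SDFix prints.
Added example for this thread, not SDFix code. A well-formed entry repeats the
key path in the value followed by scope, state and a display name, i.e.
"path"="path:*:Enabled:Name". Values that are cut short, as three of the
entries posted above are, were not written by the firewall UI."""
import re

# Constructed sample: an excerpt of the export posted above (several legitimate entries dropped).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\lkceyuom.exe"="C:\\WINDOWS\\system32\\lkc"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\WINDOWS\\system32\\jlysecps.exe"="C:\\WINDOWS\\system32\\jly"
"C:\\WINDOWS\\system32\\ujpgmoyk.exe"="C:\\WINDOWS\\system32\\ujp"
'''

# "key"="value" with .reg-style escapes (a backslash escapes the next character).
ENTRY_RE = re.compile(r'^"(?P<key>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg-style escaping (doubled backslashes)."""
    return s.replace('\\\\', '\\')

def parse_export(text):
    """Yield (section, path, value) for every "key"="value" line under a [section] header."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield section, unescape(m.group('key')), unescape(m.group('value'))

def in_windows_dir(path):
    p = path.lower()
    return p.startswith('%windir%') or '\\windows\\' in p

def check_entry(path, value):
    """Return the problems found with one entry; an empty list means well-formed."""
    problems = []
    if not value.lower().startswith(path.lower() + ':'):
        problems.append('value does not repeat the key path: truncated or hand-written entry')
        return problems
    fields = value[len(path) + 1:].split(':', 2)
    if len(fields) != 3:
        problems.append('value lacks the scope:state:name fields')
        return problems
    _scope, state, name = fields
    if state.lower() not in ('enabled', 'disabled'):
        problems.append(f'unrecognised state {state!r}')
    # Assumption: Windows' own exceptions inside the Windows directory use "@dll,-id" resource names.
    if state.lower() == 'enabled' and in_windows_dir(path) and not name.startswith('@'):
        problems.append('enabled exception inside the Windows directory without a resource-string name')
    return problems

def audit(text):
    """Return [(section, path, problems)] for every entry that fails a check."""
    flagged = []
    for section, path, value in parse_export(text):
        problems = check_entry(path, value)
        if problems:
            flagged.append((section, path, problems))
    return flagged

if __name__ == '__main__':
    for section, path, problems in audit(SAMPLE_EXPORT):
        print(path, '->', '; '.join(problems))
```

The same parser works on the domainprofile section that follows in the report, since the section header is carried through with each finding. A flagged entry is a reason to look at the file it names, not proof on its own; the LimeWire and LEXPPS entries in the sample pass because they are structurally complete, even though a reviewer may still have opinions about them.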

#4 johnksc

  • Topic Starter
  • Members

Posted 16 December 2007 - 11:18 AM

Here is the first run of ComboFix. I am going to rerun it because Spybot real-time protection was giving me some alerts. I have disabled that and will post the second run of ComboFix shortly.

ComboFix 07-12-16.3 - Jason 2007-12-16 11:07:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.146 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\Jason\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Jason\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Jason\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Kelly\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Kelly\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Kelly\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Madison\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Madison\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Madison\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Madison\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Madison\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Madison\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Madison\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Madison\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Madison\Start Menu\Programs\Startup\TA_Start.lnk
C:\Program Files\QdrDrive
C:\temp\0b9
C:\WINDOWS\cookies.ini
C:\WINDOWS\df87173.exe
C:\WINDOWS\hg173.exe
C:\WINDOWS\system32\auabpgfm.dll
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\bceogjhj.dll
C:\WINDOWS\system32\bnneflax.dll
C:\WINDOWS\system32\c1
C:\WINDOWS\SYSTEM32\cbeeg.ini
C:\WINDOWS\SYSTEM32\cbeeg.ini2
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\daSgo02\daSgo021099.exe
C:\WINDOWS\SYSTEM32\dfhkj.ini
C:\WINDOWS\SYSTEM32\dfhkj.ini2
C:\WINDOWS\system32\dlrtdlpf.dll
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\e1
C:\WINDOWS\system32\e1\xby1stp.exe
C:\WINDOWS\system32\efasagdg.dll
C:\WINDOWS\SYSTEM32\efhkj.ini
C:\WINDOWS\SYSTEM32\efhkj.ini2
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\SYSTEM32\ghkmp.ini
C:\WINDOWS\SYSTEM32\ghkmp.ini2
C:\WINDOWS\SYSTEM32\gjllm.ini
C:\WINDOWS\SYSTEM32\gjllm.ini2
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.ini2
C:\WINDOWS\system32\iifcbba.dll
C:\WINDOWS\system32\iiffghi.dll
C:\WINDOWS\SYSTEM32\ilnmp.ini
C:\WINDOWS\SYSTEM32\ilnmp.ini2
C:\WINDOWS\system32\j2
C:\WINDOWS\SYSTEM32\jhjgoecb.ini
C:\WINDOWS\SYSTEM32\jjjlm.ini
C:\WINDOWS\SYSTEM32\jjjlm.ini2
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\kvfjhlsd.dll
C:\WINDOWS\system32\kwinsndq.exe
C:\WINDOWS\system32\ljjhihe.dll
C:\WINDOWS\SYSTEM32\lmllm.ini
C:\WINDOWS\SYSTEM32\lmllm.ini2
C:\WINDOWS\system32\lqmcvxuv.dll
C:\WINDOWS\system32\lrqoidpr.dll
C:\WINDOWS\system32\m8
C:\WINDOWS\system32\maevjhbj.dll
C:\WINDOWS\system32\mcntxwa.exe
C:\WINDOWS\system32\mljhifc.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\mrwdw64j.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{6A8F3DE6-EBE0-4BEF-8AA6-DBA9686C6401}.exe
C:\WINDOWS\system32\nuiqgsem.dll
C:\WINDOWS\system32\okpicivt.dll
C:\WINDOWS\SYSTEM32\opqss.ini
C:\WINDOWS\SYSTEM32\opqss.ini2
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\qooungjy.dll
C:\WINDOWS\SYSTEM32\qqstv.ini
C:\WINDOWS\SYSTEM32\qqstv.ini2
C:\WINDOWS\SYSTEM32\qqtwa.ini
C:\WINDOWS\SYSTEM32\qqtwa.ini2
C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\system32\ralgsfib.dll
C:\WINDOWS\SYSTEM32\rftgtpxw.ini
C:\WINDOWS\system32\rqrqqop.dll
C:\WINDOWS\system32\rqrrrpm.dll
C:\WINDOWS\system32\rwwdw64d.exe
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\SYSTEM32\sstwa.ini
C:\WINDOWS\SYSTEM32\sstwa.ini2
C:\WINDOWS\system32\taldvchy.dll
C:\WINDOWS\system32\uduqdywi.dll
C:\WINDOWS\system32\ufjqjsjy.dll
C:\WINDOWS\system32\ulbgxglq.dll
C:\WINDOWS\system32\umapbkdl.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\SYSTEM32\vybeg.ini
C:\WINDOWS\SYSTEM32\vybeg.ini2
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\wsvnytom.dll
C:\WINDOWS\system32\wvuvssr.dll
C:\WINDOWS\system32\wxptgtfr.dll
C:\WINDOWS\system32\xslxxwcv.dll
C:\WINDOWS\SYSTEM32\ycbeg.ini
C:\WINDOWS\SYSTEM32\ycbeg.ini2
C:\WINDOWS\SYSTEM32\yjgnuooq.ini
C:\WINDOWS\system32\zqvmdttc.dllbox
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DNSCACHEREADER
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SYMAVC32


((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-16 10:49 . 2007-12-16 10:49 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-16 10:38 . 2007-12-16 10:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\ineWc01
2007-12-15 20:05 . 2007-12-15 20:05 145 --a------ C:\WINDOWS\wininit.ini
2007-12-15 18:59 . 2007-12-15 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-15 18:53 . 2007-12-15 18:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-15 18:20 . 2007-12-15 18:31 970,554 --ahs---- C:\WINDOWS\SYSTEM32\tpiixnfl.ini
2007-12-15 13:05 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-15 12:00 . 2007-12-15 12:37 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-15 11:25 . 2007-12-15 18:20 965,807 --ahs---- C:\WINDOWS\SYSTEM32\rjwensmn.ini
2007-12-13 13:33 . 2007-12-13 13:46 165,424 --a------ C:\msets.exe
2007-12-12 18:18 . 2007-12-12 19:20 753,434 --ahs---- C:\WINDOWS\SYSTEM32\kebmcaty.ini
2007-12-12 17:41 . 2007-12-13 20:14 <DIR> d-------- C:\WINDOWS\sdir
2007-12-12 17:41 . 2007-12-16 10:53 49,152 --a------ C:\msms32.exe
2007-12-12 17:40 . 2007-12-12 17:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\ineWc06
2007-12-12 17:40 . 2007-12-12 17:40 <DIR> d-------- C:\Temp\tpBe12
2007-12-12 17:40 . 2007-12-12 17:40 292,312 --a------ C:\WINDOWS\frexut5.exe
2007-12-12 17:40 . 2007-12-12 17:40 97,280 -rahs---- C:\WINDOWS\SYSTEM32\spoolcv.exe
2007-12-12 17:40 . 2007-12-12 17:40 13,824 --a------ C:\WINDOWS\plite731.exe
2007-12-12 17:40 . 2007-12-12 17:40 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-12-12 03:02 . 2007-12-12 03:02 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2007-12-11 13:52 . 2007-12-12 17:49 860,510 --ahs---- C:\WINDOWS\SYSTEM32\vbgfwxia.ini
2007-12-10 15:07 . 2007-12-11 13:51 820,682 --ahs---- C:\WINDOWS\SYSTEM32\qnftyfjm.ini
2007-12-09 15:03 . 2007-12-10 17:48 895,262 --ahs---- C:\WINDOWS\SYSTEM32\knqaxkxe.ini
2007-12-09 08:51 . 2007-12-09 08:52 808,214 --ahs---- C:\WINDOWS\SYSTEM32\ktcmvcrd.ini
2007-12-08 11:29 . 2007-12-08 11:29 13,942 --a------ C:\WINDOWS\SYSTEM32\iphone-012.ico
2007-12-08 08:50 . 2007-12-09 08:51 808,154 --ahs---- C:\WINDOWS\SYSTEM32\mcrdhjfg.ini
2007-12-07 07:49 . 2007-12-08 08:30 807,983 --ahs---- C:\WINDOWS\SYSTEM32\vbcyliel.ini
2007-12-06 21:42 . 2007-12-06 21:42 4,286 --a------ C:\WINDOWS\SYSTEM32\santa4.ico
2007-12-06 21:03 . 2007-12-06 21:03 13,942 --a------ C:\WINDOWS\SYSTEM32\iphone-011.ico
2007-12-06 21:02 . 2007-12-06 21:02 13,942 --a------ C:\WINDOWS\SYSTEM32\cruise-006.ico
2007-12-06 21:02 . 2007-12-06 21:02 9,662 --a------ C:\WINDOWS\SYSTEM32\alienware-005.ico
2007-12-06 07:37 . 2007-12-06 07:37 204,872 --a------ C:\WINDOWS\SYSTEM32\kcntsnwa.exe
2007-12-06 07:29 . 2007-12-07 07:30 807,924 --ahs---- C:\WINDOWS\SYSTEM32\sblwarpj.ini
2007-12-05 07:30 . 2007-12-05 12:47 807,528 --ahs---- C:\WINDOWS\SYSTEM32\uuhvbbtp.ini
2007-12-04 07:31 . 2007-12-04 16:08 791,896 --ahs---- C:\WINDOWS\SYSTEM32\bqrqtmnv.ini
2007-12-03 18:58 . 2007-12-03 18:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo06
2007-12-03 07:09 . 2007-12-04 07:26 794,212 --ahs---- C:\WINDOWS\SYSTEM32\mcayuiwx.ini
2007-12-02 12:58 . 2007-12-02 10:55 2,630,893 --ahs---- C:\WINDOWS\SYSTEM32\lbyoojmr.ini
2007-12-02 10:56 . 2007-12-16 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-02 10:55 . 2007-12-02 15:07 2,630,953 --ahs---- C:\WINDOWS\SYSTEM32\lbyoojmr.ini2
2007-12-02 10:04 . 2007-12-02 10:07 <DIR> d-------- C:\Program Files\Spruce
2007-12-02 10:04 . 2007-12-02 10:04 106,507 --a------ C:\WINDOWS\SYSTEM32\mrdsrngj.exe
2007-12-02 09:55 . 2007-12-02 10:55 2,630,833 --ahs---- C:\WINDOWS\SYSTEM32\lbyoojmr.tmp
2007-12-01 19:59 . 2007-12-02 06:55 2,770,786 --ahs---- C:\WINDOWS\SYSTEM32\oyuamwwn.ini
2007-11-28 16:17 . 2007-12-01 19:51 1,424,568 --ahs---- C:\WINDOWS\SYSTEM32\yeclggac.ini
2007-11-26 20:28 . 2007-11-28 16:17 780,962 --ahs---- C:\WINDOWS\SYSTEM32\kgbhdfum.ini
2007-11-16 16:28 . 2007-06-22 18:02 107,520 --a------ C:\WINDOWS\SYSTEM32\UnCasino5.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 23:19 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-15 23:19 --------- d-----w C:\Program Files\Yahoo!
2007-12-12 08:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-08 16:57 --------- d-----w C:\Documents and Settings\Madison\Application Data\Yahoo!
2007-12-08 04:49 --------- d-----w C:\Program Files\World of Warcraft
2007-12-07 01:19 --------- d-----w C:\Documents and Settings\Jason\Application Data\Yahoo!
2007-12-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 22:08 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-06 22:08 --------- d-----w C:\Program Files\TryMedia
2007-11-04 21:49 --------- d-----w C:\Program Files\Kazaa
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB02115-BD97-402E-B412-17E59C4D19FB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB3F081E-8774-4F7F-9FAC-55E5A342C1FF}]
C:\Program Files\Internet Explorer\honewadeqC:\DOCUME~1\Madison\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2d44d72-8334-46e2-9806-d33b7edbe32d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FED51DF2-9644-4C58-9104-90244EDD6EEC}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"{A1-1E-E4-4D-ZN}"="c:\windows\system32\dwdsrngt.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-07 20:29]
"plite731"="C:\WINDOWS\plite731.exe" [2007-12-12 17:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-11-14 17:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

C:\Documents and Settings\Madison\Start Menu\Programs\Startup\
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-02 10:04:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvtu]
cbxuvtu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvssr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jason^Start Menu^Programs^Startup^VonageRestart.exe]
path=C:\Documents and Settings\Jason\Start Menu\Programs\Startup\VonageRestart.exe
backup=C:\WINDOWS\pss\VonageRestart.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kelly^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
rundll32.exe C:\WINDOWS\system32\idrplolk.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 13:52 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2007-07-27 17:03 75128 --a------ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e44a1ee2]
rundll32.exe C:\WINDOWS\system32\rmjooybl.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe C:\WINDOWS\system32\fdsdhnrw.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
2006-11-01 19:46 30928 --a------ C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-03-23 13:16 135168 --a------ C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
C:\WINDOWS\io43mvuiw4kj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-12 06:25 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-03-12 06:25 110592 --a------ C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe /m=2 /w

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-11-14 17:33 8716288 --a------ C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 04:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-11 21:15 290816 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe C:\WINDOWS\system32\ahnsnogy.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 14:33 1388544 --a------ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 03:48 36975 --a------ C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{A1-1E-E4-4D-ZN}]
C:\windows\system32\mrdsrngj.exe CHD003

R2 Windows Hosts Plugin;Windows Hosts Plugin;"C:\WINDOWS\system32\spoolcv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LM.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DHGGD761-Jason).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 11:12:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 11:13:20 - machine was rebooted
.
2007-12-12 08:02:48 --- E O F ---

#5 johnksc

Posted 16 December 2007 - 11:21 AM

Here is the second combofix log:
ComboFix 07-12-16.3 - Jason 2007-12-16 11:18:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.243 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-16 10:49 . 2007-12-16 10:49 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-16 10:38 . 2007-12-16 10:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\ineWc01
2007-12-15 20:05 . 2007-12-15 20:05 145 --a------ C:\WINDOWS\wininit.ini
2007-12-15 18:59 . 2007-12-15 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-15 18:53 . 2007-12-15 18:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-15 18:20 . 2007-12-15 18:31 970,554 --ahs---- C:\WINDOWS\SYSTEM32\tpiixnfl.ini
2007-12-15 13:05 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-15 12:00 . 2007-12-15 12:37 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-15 11:25 . 2007-12-15 18:20 965,807 --ahs---- C:\WINDOWS\SYSTEM32\rjwensmn.ini
2007-12-13 13:33 . 2007-12-13 13:46 165,424 --a------ C:\msets.exe
2007-12-12 18:18 . 2007-12-12 19:20 753,434 --ahs---- C:\WINDOWS\SYSTEM32\kebmcaty.ini
2007-12-12 17:41 . 2007-12-13 20:14 <DIR> d-------- C:\WINDOWS\sdir
2007-12-12 17:41 . 2007-12-16 11:12 49,152 --a------ C:\msms32.exe
2007-12-12 17:40 . 2007-12-12 17:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\ineWc06
2007-12-12 17:40 . 2007-12-12 17:40 <DIR> d-------- C:\Temp\tpBe12
2007-12-12 17:40 . 2007-12-12 17:40 292,312 --a------ C:\WINDOWS\frexut5.exe
2007-12-12 17:40 . 2007-12-12 17:40 97,280 -rahs---- C:\WINDOWS\SYSTEM32\spoolcv.exe
2007-12-12 17:40 . 2007-12-12 17:40 13,824 --a------ C:\WINDOWS\plite731.exe
2007-12-12 17:40 . 2007-12-12 17:40 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-12-12 03:02 . 2007-12-12 03:02 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2007-12-11 13:52 . 2007-12-12 17:49 860,510 --ahs---- C:\WINDOWS\SYSTEM32\vbgfwxia.ini
2007-12-10 15:07 . 2007-12-11 13:51 820,682 --ahs---- C:\WINDOWS\SYSTEM32\qnftyfjm.ini
2007-12-09 15:03 . 2007-12-10 17:48 895,262 --ahs---- C:\WINDOWS\SYSTEM32\knqaxkxe.ini
2007-12-09 08:51 . 2007-12-09 08:52 808,214 --ahs---- C:\WINDOWS\SYSTEM32\ktcmvcrd.ini
2007-12-08 11:29 . 2007-12-08 11:29 13,942 --a------ C:\WINDOWS\SYSTEM32\iphone-012.ico
2007-12-08 08:50 . 2007-12-09 08:51 808,154 --ahs---- C:\WINDOWS\SYSTEM32\mcrdhjfg.ini
2007-12-07 07:49 . 2007-12-08 08:30 807,983 --ahs---- C:\WINDOWS\SYSTEM32\vbcyliel.ini
2007-12-06 21:42 . 2007-12-06 21:42 4,286 --a------ C:\WINDOWS\SYSTEM32\santa4.ico
2007-12-06 21:03 . 2007-12-06 21:03 13,942 --a------ C:\WINDOWS\SYSTEM32\iphone-011.ico
2007-12-06 21:02 . 2007-12-06 21:02 13,942 --a------ C:\WINDOWS\SYSTEM32\cruise-006.ico
2007-12-06 21:02 . 2007-12-06 21:02 9,662 --a------ C:\WINDOWS\SYSTEM32\alienware-005.ico
2007-12-06 07:37 . 2007-12-06 07:37 204,872 --a------ C:\WINDOWS\SYSTEM32\kcntsnwa.exe
2007-12-06 07:29 . 2007-12-07 07:30 807,924 --ahs---- C:\WINDOWS\SYSTEM32\sblwarpj.ini
2007-12-05 07:30 . 2007-12-05 12:47 807,528 --ahs---- C:\WINDOWS\SYSTEM32\uuhvbbtp.ini
2007-12-04 07:31 . 2007-12-04 16:08 791,896 --ahs---- C:\WINDOWS\SYSTEM32\bqrqtmnv.ini
2007-12-03 18:58 . 2007-12-03 18:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo06
2007-12-03 07:09 . 2007-12-04 07:26 794,212 --ahs---- C:\WINDOWS\SYSTEM32\mcayuiwx.ini
2007-12-02 12:58 . 2007-12-02 10:55 2,630,893 --ahs---- C:\WINDOWS\SYSTEM32\lbyoojmr.ini
2007-12-02 10:56 . 2007-12-16 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-02 10:55 . 2007-12-02 15:07 2,630,953 --ahs---- C:\WINDOWS\SYSTEM32\lbyoojmr.ini2
2007-12-02 10:04 . 2007-12-02 10:07 <DIR> d-------- C:\Program Files\Spruce
2007-12-02 10:04 . 2007-12-02 10:04 106,507 --a------ C:\WINDOWS\SYSTEM32\mrdsrngj.exe
2007-12-02 09:55 . 2007-12-02 10:55 2,630,833 --ahs---- C:\WINDOWS\SYSTEM32\lbyoojmr.tmp
2007-12-01 19:59 . 2007-12-02 06:55 2,770,786 --ahs---- C:\WINDOWS\SYSTEM32\oyuamwwn.ini
2007-11-28 16:17 . 2007-12-01 19:51 1,424,568 --ahs---- C:\WINDOWS\SYSTEM32\yeclggac.ini
2007-11-26 20:28 . 2007-11-28 16:17 780,962 --ahs---- C:\WINDOWS\SYSTEM32\kgbhdfum.ini
2007-11-16 16:28 . 2007-06-22 18:02 107,520 --a------ C:\WINDOWS\SYSTEM32\UnCasino5.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 23:19 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-15 23:19 --------- d-----w C:\Program Files\Yahoo!
2007-12-12 08:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-08 16:57 --------- d-----w C:\Documents and Settings\Madison\Application Data\Yahoo!
2007-12-08 04:49 --------- d-----w C:\Program Files\World of Warcraft
2007-12-07 01:19 --------- d-----w C:\Documents and Settings\Jason\Application Data\Yahoo!
2007-12-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 22:08 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-06 22:08 --------- d-----w C:\Program Files\TryMedia
2007-11-04 21:49 --------- d-----w C:\Program Files\Kazaa
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-16_11.12.38.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-16 15:53:41 48,128 ----a-w C:\WINDOWS\sdir\helper.exe
+ 2007-12-16 16:12:32 48,128 ----a-w C:\WINDOWS\sdir\helper.exe
- 2007-12-16 15:53:41 60,416 ----a-w C:\WINDOWS\sdir\locop.exe
+ 2007-12-16 16:12:33 60,416 ----a-w C:\WINDOWS\sdir\locop.exe
- 2007-12-16 15:53:41 5,488 ----a-w C:\WINDOWS\sdir\run.exe
+ 2007-12-16 16:12:35 5,488 ----a-w C:\WINDOWS\sdir\run.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB3F081E-8774-4F7F-9FAC-55E5A342C1FF}]
C:\Program Files\Internet Explorer\honewadeqC:\DOCUME~1\Madison\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"{A1-1E-E4-4D-ZN}"="c:\windows\system32\dwdsrngt.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-07 20:29]
"plite731"="C:\WINDOWS\plite731.exe" [2007-12-12 17:40]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-11-14 17:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

C:\Documents and Settings\Madison\Start Menu\Programs\Startup\
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-02 10:04:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvtu]
cbxuvtu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jason^Start Menu^Programs^Startup^VonageRestart.exe]
path=C:\Documents and Settings\Jason\Start Menu\Programs\Startup\VonageRestart.exe
backup=C:\WINDOWS\pss\VonageRestart.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kelly^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
rundll32.exe C:\WINDOWS\system32\idrplolk.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 13:52 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2007-07-27 17:03 75128 --a------ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e44a1ee2]
rundll32.exe C:\WINDOWS\system32\rmjooybl.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe C:\WINDOWS\system32\fdsdhnrw.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
2006-11-01 19:46 30928 --a------ C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-03-23 13:16 135168 --a------ C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
C:\WINDOWS\io43mvuiw4kj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-12 06:25 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-03-12 06:25 110592 --a------ C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe /m=2 /w

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-11-14 17:33 8716288 --a------ C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 04:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-11 21:15 290816 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe C:\WINDOWS\system32\ahnsnogy.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 14:33 1388544 --a------ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 03:48 36975 --a------ C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{A1-1E-E4-4D-ZN}]
C:\windows\system32\mrdsrngj.exe CHD003

R2 Windows Hosts Plugin;Windows Hosts Plugin;"C:\WINDOWS\system32\spoolcv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LM.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DHGGD761-Jason).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 11:20:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 11:20:53
C:\ComboFix2.txt ... 2007-12-16 11:13
.
2007-12-12 08:02:48 --- E O F ---

#6 johnksc

Posted 16 December 2007 - 11:23 AM

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:50 AM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\spoolcv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\sdir\locop.exe
C:\WINDOWS\sdir\locop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {DB3F081E-8774-4F7F-9FAC-55E5A342C1FF} - C:\Program Files\Internet Explorer\honewadeqC:\DOCUME~1\Madison\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [{A1-1E-E4-4D-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZCxdm492MTUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.8/ttinst.cab
O20 - Winlogon Notify: cbxuvtu - cbxuvtu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe

--
End of file - 8107 bytes

#7 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 16 December 2007 - 11:48 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\msets.exe
C:\msms32.exe
C:\WINDOWS\frexut5.exe
C:\WINDOWS\SYSTEM32\tpiixnfl.ini
C:\WINDOWS\SYSTEM32\rjwensmn.ini
C:\WINDOWS\SYSTEM32\kebmcaty.ini
C:\WINDOWS\SYSTEM32\spoolcv.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\SYSTEM32\vbgfwxia.ini
C:\WINDOWS\SYSTEM32\qnftyfjm.ini
C:\WINDOWS\SYSTEM32\knqaxkxe.ini
C:\WINDOWS\SYSTEM32\ktcmvcrd.ini
C:\WINDOWS\SYSTEM32\mcrdhjfg.ini
C:\WINDOWS\SYSTEM32\vbcyliel.ini
C:\WINDOWS\SYSTEM32\kcntsnwa.exe
C:\WINDOWS\SYSTEM32\sblwarpj.ini
C:\WINDOWS\SYSTEM32\uuhvbbtp.ini
C:\WINDOWS\SYSTEM32\bqrqtmnv.ini
C:\WINDOWS\SYSTEM32\mcayuiwx.ini
C:\WINDOWS\SYSTEM32\lbyoojmr.ini
C:\WINDOWS\SYSTEM32\lbyoojmr.ini2
C:\WINDOWS\SYSTEM32\mrdsrngj.exe
C:\WINDOWS\SYSTEM32\lbyoojmr.tmp
C:\WINDOWS\SYSTEM32\oyuamwwn.ini
C:\WINDOWS\SYSTEM32\yeclggac.ini
C:\WINDOWS\SYSTEM32\kgbhdfum.ini
Folder::
C:\WINDOWS\SYSTEM32\ineWc01
C:\WINDOWS\SYSTEM32\ineWc06
C:\WINDOWS\SYSTEM32\daSgo06
C:\Program Files\Spruce
C:\WINDOWS\sdir
C:\Temp\tpBe12
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\lkceyuom.exe"=-
"C:\\WINDOWS\\system32\\jlysecps.exe"=-
"C:\\WINDOWS\\system32\\ujpgmoyk.exe"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB02115-BD97-402E-B412-17E59C4D19FB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB3F081E-8774-4F7F-9FAC-55E5A342C1FF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2d44d72-8334-46e2-9806-d33b7edbe32d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FED51DF2-9644-4C58-9104-90244EDD6EEC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{A1-1E-E4-4D-ZN}"=-
"plite731"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvtu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvssr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e44a1ee2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{A1-1E-E4-4D-ZN}]
Service::
Windows Hosts Plugin

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
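As an added example (not RichieUK's text and not ComboFix's own code), the following Python parser turns a CFScript like the one above into a reviewable action plan, so the File::, Folder::, Registry:: and Service:: directives can be checked before the file is dropped onto ComboFix. The sample script is constructed from entries in this thread; the protected-path check is an assumption about what a reviewer would want, not documented ComboFix behaviour.

```python
"""Parse a ComboFix CFScript into a reviewable action plan (added example)."""
import re

# Constructed sample in the CFScript syntax used in this thread (entries shortened).
SAMPLE = r"""
File::
C:\WINDOWS\SYSTEM32\spoolcv.exe
C:\WINDOWS\plite731.exe
Folder::
C:\WINDOWS\sdir
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plite731"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvtu]
Service::
Windows Hosts Plugin
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")         # "[KEY]" or "[-KEY]" (leading '-' deletes the key)
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')     # '"name"=-' deletes the value (REGEDIT4 syntax)

# Roots a reviewer would never want a script to delete outright (assumption, not a ComboFix rule).
PROTECTED = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\program files"}


def parse_cfscript(text):
    """Return a list of (action, target) tuples describing what the script asks for.

    Only the directives seen in this thread are handled: File::, Folder::,
    Registry:: and Service::. Lines under any other section are reported as
    'unknown_<Section>' so nothing is silently dropped.
    """
    plan = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section is None:
            raise ValueError(f"line outside any section: {line!r}")
        if section in ("File", "Folder", "Service"):
            plan.append((f"delete_{section.lower()}", line))
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                minus, current_key = m.groups()
                if minus:
                    plan.append(("delete_key", current_key))
                continue
            m = VALUE_RE.match(line)
            if not (m and current_key):
                raise ValueError(f"unparsed Registry:: line: {line!r}")
            name, data = m.groups()
            if data == "-":
                plan.append(("delete_value", f"{current_key}\\{name}"))
            else:
                plan.append(("set_value", f"{current_key}\\{name}={data}"))
        else:
            plan.append((f"unknown_{section}", line))
    return plan


def check_plan(plan):
    """Return warnings for file/folder deletions that target a protected root."""
    warnings = []
    for action, target in plan:
        if action in ("delete_file", "delete_folder"):
            if target.lower().rstrip("\\") in PROTECTED:
                warnings.append(f"{action} would remove a protected location: {target}")
    return warnings


if __name__ == "__main__":
    actions = parse_cfscript(SAMPLE)
    for action, target in actions:
        print(f"{action:14} {target}")
    for warning in check_plan(actions):
        print("WARNING:", warning)
```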

#8 johnksc

johnksc
  • Topic Starter
  • Members
  • 51 posts
  • Gender:Male

Posted 16 December 2007 - 12:02 PM

Here is the combo log:
ComboFix 07-12-16.3 - Jason 2007-12-16 11:58:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.225 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\msets.exe
C:\msms32.exe
C:\WINDOWS\frexut5.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\SYSTEM32\bqrqtmnv.ini
C:\WINDOWS\SYSTEM32\kcntsnwa.exe
C:\WINDOWS\SYSTEM32\kebmcaty.ini
C:\WINDOWS\SYSTEM32\kgbhdfum.ini
C:\WINDOWS\SYSTEM32\knqaxkxe.ini
C:\WINDOWS\SYSTEM32\ktcmvcrd.ini
C:\WINDOWS\SYSTEM32\lbyoojmr.ini
C:\WINDOWS\SYSTEM32\lbyoojmr.ini2
C:\WINDOWS\SYSTEM32\lbyoojmr.tmp
C:\WINDOWS\SYSTEM32\mcayuiwx.ini
C:\WINDOWS\SYSTEM32\mcrdhjfg.ini
C:\WINDOWS\SYSTEM32\mrdsrngj.exe
C:\WINDOWS\SYSTEM32\oyuamwwn.ini
C:\WINDOWS\SYSTEM32\qnftyfjm.ini
C:\WINDOWS\SYSTEM32\rjwensmn.ini
C:\WINDOWS\SYSTEM32\sblwarpj.ini
C:\WINDOWS\SYSTEM32\spoolcv.exe
C:\WINDOWS\SYSTEM32\tpiixnfl.ini
C:\WINDOWS\SYSTEM32\uuhvbbtp.ini
C:\WINDOWS\SYSTEM32\vbcyliel.ini
C:\WINDOWS\SYSTEM32\vbgfwxia.ini
C:\WINDOWS\SYSTEM32\yeclggac.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\msets.exe
C:\msms32.exe
C:\Program Files\Spruce
C:\Program Files\Spruce\Spruce.dll
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.exe
C:\Program Files\Spruce\Spruce.info
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\SpruceRg.dll
C:\Program Files\Spruce\un_SpruceSetup_17737.exe
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Spruce\X_Spruce.log
C:\Temp\tpBe12
C:\Temp\tpBe12\etFr.log
C:\WINDOWS\frexut5.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\sdir
C:\WINDOWS\sdir\del.exe
C:\WINDOWS\sdir\delnew.exe
C:\WINDOWS\sdir\helper.exe
C:\WINDOWS\sdir\locop.exe
C:\WINDOWS\sdir\run.exe
C:\WINDOWS\sdir\start.bat
C:\WINDOWS\SYSTEM32\bqrqtmnv.ini
C:\WINDOWS\SYSTEM32\daSgo06
C:\WINDOWS\SYSTEM32\daSgo06\daSgo061083.exe
C:\WINDOWS\SYSTEM32\ineWc01
C:\WINDOWS\SYSTEM32\ineWc01\ineWc011065.exe
C:\WINDOWS\SYSTEM32\ineWc06
C:\WINDOWS\SYSTEM32\ineWc06\ineWc061083.exe
C:\WINDOWS\SYSTEM32\kcntsnwa.exe
C:\WINDOWS\SYSTEM32\kebmcaty.ini
C:\WINDOWS\SYSTEM32\kgbhdfum.ini
C:\WINDOWS\SYSTEM32\knqaxkxe.ini
C:\WINDOWS\SYSTEM32\ktcmvcrd.ini
C:\WINDOWS\SYSTEM32\lbyoojmr.ini
C:\WINDOWS\SYSTEM32\lbyoojmr.ini2
C:\WINDOWS\SYSTEM32\lbyoojmr.tmp
C:\WINDOWS\SYSTEM32\mcayuiwx.ini
C:\WINDOWS\SYSTEM32\mcrdhjfg.ini
C:\WINDOWS\SYSTEM32\mrdsrngj.exe
C:\WINDOWS\SYSTEM32\oyuamwwn.ini
C:\WINDOWS\SYSTEM32\qnftyfjm.ini
C:\WINDOWS\SYSTEM32\rjwensmn.ini
C:\WINDOWS\SYSTEM32\sblwarpj.ini
C:\WINDOWS\SYSTEM32\spoolcv.exe
C:\WINDOWS\SYSTEM32\tpiixnfl.ini
C:\WINDOWS\SYSTEM32\uuhvbbtp.ini
C:\WINDOWS\SYSTEM32\vbcyliel.ini
C:\WINDOWS\SYSTEM32\vbgfwxia.ini
C:\WINDOWS\SYSTEM32\yeclggac.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-16 10:49 . 2007-12-16 10:49 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-15 20:05 . 2007-12-15 20:05 145 --a------ C:\WINDOWS\wininit.ini
2007-12-15 18:59 . 2007-12-15 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-15 18:53 . 2007-12-15 18:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-15 13:05 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-15 12:00 . 2007-12-15 12:37 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-12 03:02 . 2007-12-12 03:02 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2007-12-08 11:29 . 2007-12-08 11:29 13,942 --a------ C:\WINDOWS\SYSTEM32\iphone-012.ico
2007-12-06 21:42 . 2007-12-06 21:42 4,286 --a------ C:\WINDOWS\SYSTEM32\santa4.ico
2007-12-06 21:03 . 2007-12-06 21:03 13,942 --a------ C:\WINDOWS\SYSTEM32\iphone-011.ico
2007-12-06 21:02 . 2007-12-06 21:02 13,942 --a------ C:\WINDOWS\SYSTEM32\cruise-006.ico
2007-12-06 21:02 . 2007-12-06 21:02 9,662 --a------ C:\WINDOWS\SYSTEM32\alienware-005.ico
2007-12-02 10:56 . 2007-12-16 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-16 16:28 . 2007-06-22 18:02 107,520 --a------ C:\WINDOWS\SYSTEM32\UnCasino5.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 23:19 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-15 23:19 --------- d-----w C:\Program Files\Yahoo!
2007-12-12 08:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-08 16:57 --------- d-----w C:\Documents and Settings\Madison\Application Data\Yahoo!
2007-12-08 04:49 --------- d-----w C:\Program Files\World of Warcraft
2007-12-07 01:19 --------- d-----w C:\Documents and Settings\Jason\Application Data\Yahoo!
2007-12-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 22:08 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-06 22:08 --------- d-----w C:\Program Files\TryMedia
2007-11-04 21:49 --------- d-----w C:\Program Files\Kazaa
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-07 20:29]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-11-14 17:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jason^Start Menu^Programs^Startup^VonageRestart.exe]
path=C:\Documents and Settings\Jason\Start Menu\Programs\Startup\VonageRestart.exe
backup=C:\WINDOWS\pss\VonageRestart.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kelly^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 13:52 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2007-07-27 17:03 75128 --a------ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
2006-11-01 19:46 30928 --a------ C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-03-23 13:16 135168 --a------ C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-12 06:25 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-03-12 06:25 110592 --a------ C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-11-14 17:33 8716288 --a------ C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 04:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-11 21:15 290816 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 14:33 1388544 --a------ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 03:48 36975 --a------ C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R2 Windows Hosts Plugin;Windows Hosts Plugin;"C:\WINDOWS\system32\spoolcv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LM.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DHGGD761-Jason).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 11:59:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 12:00:10
C:\ComboFix2.txt ... 2007-12-16 11:20
C:\ComboFix3.txt ... 2007-12-16 11:13
.
2007-12-12 08:02:48 --- E O F ---

#9 johnksc

johnksc
  • Topic Starter
  • Members
  • 51 posts
  • Gender:Male

Posted 16 December 2007 - 12:05 PM

Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:05 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\spoolcv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\sdir\locop.exe
C:\WINDOWS\sdir\locop.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZCxdm492MTUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.8/ttinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe (file missing)

--
End of file - 7662 bytes

#10 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 16 December 2007 - 01:34 PM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Windows Hosts Plugin
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Click Start>Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane and locate the service name:
Windows Hosts Plugin
Right-click on it and select 'Delete'.
Then restart your pc.

First enable the viewing of hidden files and folders, and reverse the process once you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O8 - Extra context menu item: &Search - ?p=ZCxdm492MTUS
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe (file missing)

Exit Hijackthis.

Find and delete:
C:\WINDOWS\system32\spoolcv.exe

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.

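The helper's method in this thread is to read a HijackThis log for orphaned entries ("(file missing)", "(no file)"), Winlogon Notify hooks and services with no owner, then compare a fresh log against the previous one. As an added example (not RichieUK's text and not a HijackThis feature), here is that triage and diff in Python over constructed sample lines modelled on the logs above; the "before" log still has the O20 cbxuvtu hook and the "after" log shows spoolcv.exe gone from disk.

```python
"""Triage and diff HijackThis logs (added example, not a HijackThis feature)."""
import re

# Constructed samples in the style of the HijackThis logs posted in this thread.
BEFORE = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: cbxuvtu - cbxuvtu.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
"""
AFTER = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe (file missing)
"""

# Every HijackThis entry starts with a section tag such as R1, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_log(text):
    """Return (section, body) pairs for the R*/O* entry lines; header lines and
    the 'Running processes' list do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return (reason, line) pairs for the entries a helper would look at first."""
    findings = []
    for section, body in parse_log(text):
        line = f"{section} - {body}"
        if "(file missing)" in body or "(no file)" in body:
            findings.append(("orphaned entry, target no longer on disk", line))
        if section == "O20":
            # Winlogon Notify DLLs are the persistence point the Vundo family uses.
            findings.append(("Winlogon Notify hook", line))
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(("service with no vendor information", line))
    return findings


def diff_logs(before, after):
    """Compare two scans. Entries are keyed on section plus first field (for O23
    that is 'Service: <name>'), so an entry whose path or status changed is
    reported as changed rather than as one removal plus one addition."""
    def index(text):
        return {(s, body.split(" - ")[0]): body for s, body in parse_log(text)}
    b, a = index(before), index(after)
    removed = sorted(f"{k[0]} - {b[k]}" for k in b if k not in a)
    added = sorted(f"{k[0]} - {a[k]}" for k in a if k not in b)
    changed = sorted((f"{k[0]} - {b[k]}", f"{k[0]} - {a[k]}")
                     for k in a if k in b and a[k] != b[k])
    return removed, added, changed


if __name__ == "__main__":
    for reason, line in triage(AFTER):
        print(f"[{reason}] {line}")
    removed, added, changed = diff_logs(BEFORE, AFTER)
    print("removed:", removed)
    print("added:", added)
    for old, new in changed:
        print("changed:", old, "->", new)
```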

#11 johnksc

johnksc
  • Topic Starter
  • Members
  • 51 posts
  • Gender:Male

Posted 16 December 2007 - 06:25 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/16/2007 at 06:13 PM

Application Version : 3.9.1008

Core Rules Database Version : 3362
Trace Rules Database Version: 1361

Scan type : Complete Scan
Total Scan Time : 00:29:36

Memory items scanned : 202
Memory threats detected : 2
Registry items scanned : 5326
Registry threats detected : 31
File items scanned : 34862
File threats detected : 31

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\BYXWWWT.DLL
C:\WINDOWS\SYSTEM32\BYXWWWT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E794189-7575-4306-8F49-CCDD291A59CD}
HKCR\CLSID\{1E794189-7575-4306-8F49-CCDD291A59CD}
HKCR\CLSID\{1E794189-7575-4306-8F49-CCDD291A59CD}\InprocServer32
HKCR\CLSID\{1E794189-7575-4306-8F49-CCDD291A59CD}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{1E794189-7575-4306-8F49-CCDD291A59CD}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\byxwwwt
C:\WINDOWS\SYSTEM32\IIFCBXY.DLL
C:\WINDOWS\SYSTEM32\KHFEEEC.DLL
C:\WINDOWS\SYSTEM32\KHFGDEC.DLL
C:\WINDOWS\SYSTEM32\LJJHFGG.DLL
C:\WINDOWS\SYSTEM32\LJJIHHF.DLL
C:\WINDOWS\SYSTEM32\LJJIHIJ.DLL
C:\WINDOWS\SYSTEM32\SSQNOLJ.DLL
C:\WINDOWS\SYSTEM32\SSQOLIJ.DLL
C:\WINDOWS\SYSTEM32\VTUURSR.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\SSTQN.DLL
C:\WINDOWS\SYSTEM32\SSTQN.DLL
HKLM\Software\Classes\CLSID\{083DBFAF-61CE-4C96-A7B1-8114ED3F6E3D}
HKCR\CLSID\{083DBFAF-61CE-4C96-A7B1-8114ED3F6E3D}
HKCR\CLSID\{083DBFAF-61CE-4C96-A7B1-8114ED3F6E3D}\InprocServer32
HKCR\CLSID\{083DBFAF-61CE-4C96-A7B1-8114ED3F6E3D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSQRO.DLL
HKLM\Software\Classes\CLSID\{12674207-2DF2-4BAC-915D-8D6FDFF6C81B}
HKCR\CLSID\{12674207-2DF2-4BAC-915D-8D6FDFF6C81B}
HKCR\CLSID\{12674207-2DF2-4BAC-915D-8D6FDFF6C81B}\InprocServer32
HKCR\CLSID\{12674207-2DF2-4BAC-915D-8D6FDFF6C81B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSTU.DLL
HKLM\Software\Classes\CLSID\{21EC59E2-2B17-4030-A406-DFCB676FF37F}
HKCR\CLSID\{21EC59E2-2B17-4030-A406-DFCB676FF37F}
HKCR\CLSID\{21EC59E2-2B17-4030-A406-DFCB676FF37F}\InprocServer32
HKCR\CLSID\{21EC59E2-2B17-4030-A406-DFCB676FF37F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSTQP.DLL
HKLM\Software\Classes\CLSID\{9AD45AEA-B54D-4112-913B-019D62BFC8DF}
HKCR\CLSID\{9AD45AEA-B54D-4112-913B-019D62BFC8DF}
HKCR\CLSID\{9AD45AEA-B54D-4112-913B-019D62BFC8DF}\InprocServer32
HKCR\CLSID\{9AD45AEA-B54D-4112-913B-019D62BFC8DF}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AD45AEA-B54D-4112-913B-019D62BFC8DF}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0E06AA1E-20BF-494C-8976-0D289C677EFE}
HKCR\CLSID\{0E06AA1E-20BF-494C-8976-0D289C677EFE}
HKCR\CLSID\{0E06AA1E-20BF-494C-8976-0D289C677EFE}\InprocServer32
HKCR\CLSID\{0E06AA1E-20BF-494C-8976-0D289C677EFE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEDB.DLL
HKLM\Software\Classes\CLSID\{C8CC05B4-E2D7-4C45-967E-859458AA1E95}
HKCR\CLSID\{C8CC05B4-E2D7-4C45-967E-859458AA1E95}
HKCR\CLSID\{C8CC05B4-E2D7-4C45-967E-859458AA1E95}\InprocServer32
HKCR\CLSID\{C8CC05B4-E2D7-4C45-967E-859458AA1E95}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSTS.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WVUVSSR.DLL.VIR

Adware.Tracking Cookie
C:\Documents and Settings\Jason\Cookies\jason@ads.auctionads[1].txt

Adware.AdHost/DR
C:\QOOBOX\QUARANTINE\C\WINDOWS\DF87173.EXE.VIR

Adware.SysMon
C:\QOOBOX\QUARANTINE\C\WINDOWS\PLITE731.EXE.VIR

Adware.ZenoSearch-NVON
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DWDSRNGT.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MRDSRNGJ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MRWDW64J.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RWWDW64D.EXE.VIR

Adware.WebBuying Assistant-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\E1\XBY1STP.EXE.VIR

Trojan.Downloader-Gen/BundleBase
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\INEWC01\INEWC011065.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\INEWC06\INEWC061083.EXE.VIR

Trojan.ZenoSearch
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KWINSNDQ.EXE.VIR

Trojan.Unclassified/SpoolCV
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SPOOLCV.EXE.VIR

Adware.Helper
C:\WINDOWS\SYSTEM\HELPER.EXE

Trojan.Unclassified/PackedInstaller
C:\WINDOWS\SYSTEM\ZM.EXE

#12 johnksc

Posted 16 December 2007 - 06:27 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:54 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysvn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system\locop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image Remote Players] sysvn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.8/ttinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebawtt - C:\WINDOWS\SYSTEM32\gebawtt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7204 bytes

#13 johnksc

Posted 16 December 2007 - 06:30 PM

The computer is running much better - I haven't seen any pop-ups - Thanks so much!

One strange thing remains - when I use Internet Explorer - pages are not displayed properly as you can see from this screenshot:

Posted Image

#14 RichieUK

  • Malware Response Team

Posted 16 December 2007 - 06:35 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following text inside the quote box below:

Files to delete:
C:\WINDOWS\sysvn.exe
c:\windows\system\locop.exe
C:\WINDOWS\SYSTEM32\gebawtt.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.

#15 johnksc

Posted 16 December 2007 - 07:45 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\amnstwlb

*******************

Script file located at: \??\C:\WINDOWS\olbjpadg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\sysvn.exe deleted successfully.
File c:\windows\system\locop.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\gebawtt.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:54 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4352F0A3-E116-458C-B980-6EFC0776F805} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image Remote Players] sysvn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.8/ttinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebawtt - gebawtt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7242 bytes
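The helper's fixes in this thread all come from reading HijackThis lines for the same few persistence patterns: an unnamed BHO (pmkhh.dll), a Winlogon Notify DLL with a random name (gebawtt.dll), a Run entry that names a bare file with no path (sysvn.exe), and a service with no publisher whose binary is gone (spoolcv.exe). The script below is an added example, not part of the thread and not a BleepingComputer or HijackThis tool: it parses lines in that format and flags those patterns so a reviewer can triage a long log quickly. The Winlogon Notify allowlist is an assumption (stock XP handlers plus the SUPERAntiSpyware hook seen above); the sample log is constructed from lines copied out of the posts above.

```python
"""Triage a HijackThis-style log for the persistence patterns seen in this thread.

Added example, not part of the thread. The rules are heuristics for a human
reviewer, not a verdict: they surface lines worth a second look, of the kind
the helper above acted on.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# e.g. "O20 - Winlogon Notify: gebawtt - C:\WINDOWS\SYSTEM32\gebawtt.dll"
HJT_LINE = re.compile(r"^(?P<kind>[OR]\d+)\s+-\s+(?P<body>.*)$")

# Assumed allowlist: stock Windows XP Winlogon Notify handlers plus the
# SUPERAntiSpyware hook visible in the logs above. Extend for your own baseline.
KNOWN_NOTIFY = {
    "!saswinlogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def _check(kind: str, body: str) -> list[str]:
    """Apply the triage rules to one parsed line and return the reasons it tripped."""
    reasons: list[str] = []
    if "(file missing)" in body and kind in {"O2", "O9", "O20", "O23"}:
        reasons.append("registry entry points at a file that no longer exists")
    if kind == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    if kind == "O4":
        # body looks like: HKLM\..\Run: [Image Remote Players] sysvn.exe
        command = body.split("]", 1)[-1].strip()
        exe = command.split()[0].strip('"') if command else ""
        if exe and "\\" not in exe:
            reasons.append(f"autorun command '{exe}' has no path (resolved via the search path)")
    if kind == "O20" and "Winlogon Notify:" in body:
        handler = body.split("Winlogon Notify:", 1)[1].split(" - ", 1)[0].strip().lower()
        if handler not in KNOWN_NOTIFY:
            reasons.append(f"Winlogon Notify handler '{handler}' not in the allowlist")
    if kind == "O23" and "Unknown owner" in body and "\\windows\\system32\\" in body.lower():
        reasons.append("service with no publisher whose binary lives in system32")
    return reasons


def analyze_text(log: str) -> list[Finding]:
    """Return one Finding per log line that tripped at least one rule."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        reasons = _check(m.group("kind"), m.group("body"))
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


# Constructed sample: lines copied from the logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4352F0A3-E116-458C-B980-6EFC0776F805} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image Remote Players] sysvn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebawtt - C:\WINDOWS\SYSTEM32\gebawtt.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe (file missing)
"""

if __name__ == "__main__":
    for finding in analyze_text(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

On the sample above it flags four lines (pmkhh.dll, sysvn.exe, gebawtt, spoolcv.exe) and leaves the Spybot, QuickTime, ctfmon, SUPERAntiSpyware and avast! entries alone. Expect benign hits on a real log too: the "Unknown owner" rule would also raise the ATI hotkey poller from the logs above, and a bare-filename Run entry such as Narrator.exe is legitimate; the point is to shorten the list a person reads, not to replace them.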
