Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple Attacks From Malware


  • Please log in to reply
5 replies to this topic

#1 skyler517

skyler517

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:17 AM

Posted 18 December 2007 - 10:15 AM

Hello, I inadvertantly installed a "real video codex" on my computer. So far it has tried to shuffle my home page, search page, windows background, run outlook (which I never used, so it had no accounts), and hit some blocked websites invisibly.

I have tried Spy Sweeper, AVG's spyware, Spyware doctor, Combofix, McAfee anti-virus, McAfee Stinger, Panda AV..... and a few more. Most of the symptoms were cured, but it still eats memory and and tries to access Outlook and various strange websites.

Here is my combofix log :

ComboFix 07-12-17.1 - Owner 2007-12-17 18:58:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.390 [GMT -7:00]
Running from: C:\Documents and Settings\Owner.YOUR-F8C4439DFA\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\rs.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.

2007-12-13 19:44 . 2007-12-13 19:40 77,824 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-13 19:29 . 2007-12-13 19:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-13 17:58 . 2007-12-13 17:58 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-F8C4439DFA\Application Data\DivX
2007-12-13 17:56 . 2007-11-29 15:30 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-12-13 17:56 . 2007-11-29 15:30 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-12-13 17:56 . 2007-11-29 15:30 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-12-13 17:55 . 2007-12-13 18:01 <DIR> d-------- C:\Program Files\DivX
2007-12-13 16:32 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-13 16:32 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-13 16:32 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-13 16:32 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-13 16:31 . 2007-12-13 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-13 16:31 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-13 16:29 . 2007-12-13 16:29 164 --a------ C:\install.dat
2007-12-13 16:17 . 2007-12-13 16:17 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-13 12:15 . 2007-12-13 12:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-13 12:14 . 2007-12-13 12:14 <DIR> d-------- C:\Program Files\Webroot
2007-12-13 12:14 . 2007-12-13 12:14 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-F8C4439DFA\Application Data\Webroot
2007-12-13 12:14 . 2005-10-21 15:50 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2007-12-12 20:44 . 2007-12-13 19:45 5,120 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-12 20:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-12 20:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-12 20:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-12 20:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-12 20:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-11 15:34 . 2007-12-11 15:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 15:34 . 2007-12-11 15:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-09 15:43 . 2007-12-09 16:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 15:43 . 2007-12-09 15:43 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-09 15:43 . 2007-12-09 15:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-09 15:43 . 2007-12-09 15:43 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-06 20:27 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-05 16:02 . 2007-12-05 16:02 <DIR> d-------- C:\VundoFix Backups
2007-12-05 15:42 . 2007-12-05 15:42 <DIR> d-------- C:\Program Files\CCleaner
2007-12-05 05:28 . 2007-12-05 05:28 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-05 05:28 . 2007-12-05 05:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-05 05:27 . 2007-12-05 05:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 20:13 . 2007-12-04 20:13 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-F8C4439DFA\Application Data\Grisoft
2007-12-04 20:10 . 2007-12-04 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 20:10 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-03 18:33 . 2007-12-03 18:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-03 18:33 . 2007-12-03 18:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-03 18:33 . 2007-12-03 18:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-03 18:33 . 2007-12-03 18:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-03 18:33 . 2007-12-03 18:33 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2007-12-02 13:26 . 2007-12-02 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-02 11:04 . 2007-12-02 11:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 11:00 . 2007-12-02 11:04 <DIR> d-------- C:\New Folder
2007-11-29 15:30 . 2007-11-29 15:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 15:30 . 2007-11-29 15:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-11-29 15:30 . 2007-11-29 15:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-29 15:28 . 2007-11-29 15:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-29 15:28 . 2007-11-29 15:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-29 15:28 . 2007-11-29 15:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-29 15:28 . 2007-11-29 15:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-28 14:55 . 2007-11-28 14:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 14:53 . 2007-11-28 14:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 14:53 . 2007-11-28 14:53 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-11-28 14:53 . 2007-11-28 14:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-28 14:53 . 2007-11-28 14:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-28 14:53 . 2007-11-28 14:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-28 14:53 . 2007-11-28 14:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-28 14:53 . 2007-11-28 14:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 14:52 . 2007-11-28 14:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-24 10:57 . 2007-11-24 10:57 0 --a------ C:\hpfr5550.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 02:04 7,415,840 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 01:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 01:20 --------- d-----w C:\Program Files\Google
2007-12-14 16:31 86,528 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-09 23:32 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-12-09 23:32 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-09 23:26 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-09 23:22 --------- d-----w C:\Program Files\ATI Multimedia
2007-12-02 04:42 --------- d-----w C:\Program Files\Napster
2007-12-02 04:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-11-29 22:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-29 22:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-21 23:12 --------- d-----w C:\Program Files\McAfee
2007-11-14 23:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 23:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 01:14 --------- d-----w C:\Program Files\Steam
2007-11-12 01:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-12 01:02 --------- d-----w C:\Program Files\ATI Technologies
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 08:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 08:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 08:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 08:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-11 16:55 88,576 ----a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-11 16:55 579,584 ----a-w C:\WINDOWS\system32\icardagt.exe
2007-10-11 16:55 11,776 ----a-w C:\WINDOWS\system32\icardres.dll
2007-10-09 20:03 779,800 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 20:03 73,752 ----a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 20:03 493,080 ----a-w C:\WINDOWS\system32\evr.dll
2007-10-09 20:03 350,744 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 20:03 33,304 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 20:03 161,304 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 20:03 106,520 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 20:03 1,986,072 ----a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 19:58 16,896 ----a-w C:\WINDOWS\system32\tswpfwrp.exe
2007-09-29 10:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 10:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 10:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 09:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 09:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 09:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 09:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 09:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 09:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 09:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 09:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 09:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 09:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 09:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 09:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 09:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 09:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 09:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-29 04:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-04-23 01:19 2,479,068 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-01-14 21:19 0 ----a-w C:\Documents and Settings\Owner.YOUR-F8C4439DFA\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATI Launchpad"="" []
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2005-11-04 20:27]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2005-11-04 20:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-06 20:30]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 18:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 12:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 09:32 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 12:36 C:\WINDOWS\RTHDCPL.EXE]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 10:00]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 12:00 C:\WINDOWS\system32\rundll32.exe]
"@"="" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 01:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-21 22:48]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 22:46 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIMACE]
C:\Program Files\ATI Technologies\ATI.ACE\MACE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 09:23]
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS [2007-10-01 16:24]
S2 Active Common Service;Active Common Service;C:\WINDOWS\system32\commserv.exe []
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-25 21:32]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-07-25 21:35]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 09:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57aa2887-f690-11da-99ac-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7f41c0d-71ff-11dc-bff8-0040ca98dd01}]
\Shell\AutoRun\command - "J:\Install FreeAgent Tools.exe" /run

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2006-09-26 03:00:00 C:\WINDOWS\Tasks\EPG_REC_000.job"
- C:\PROGRA~1\ATIMUL~1\MAIN\ATISchedInvoke.exe
"2006-09-26 03:00:01 C:\WINDOWS\Tasks\EPG_REC_001.job"
- C:\PROGRA~1\ATIMUL~1\MAIN\ATISchedInvoke.exe
"2006-11-24 01:00:00 C:\WINDOWS\Tasks\EPG_REC_006.job"
- C:\PROGRA~1\ATIMUL~1\MAIN\ATISchedInvoke.exe
"2006-09-03 01:31:09 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-03-15 09:47:24 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-04-01 07:00:13 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 19:04:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 19:06:03
.
2007-12-12 12:43:09 --- E O F ---


Here is my Hijack this log (run as Crusty.exe to fool some of the Malwares supposedly):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:46 AM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...P&M=GT4023E
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157248487059
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157915099078
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2A57ABD-7382-4A4C-B248-743815ED4D29}: NameServer = 68.87.69.146,68.87.85.98
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: jetctrl - {CDE0A4C9-7D67-4F1B-8C0B-7C1BD5E7ACA8} - (no file)
O21 - SSODL: kopmet - {B3251C03-7A32-4F11-9CFD-7099AB842448} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10647 bytes


Thanks you for any help ,
Bob

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 18 December 2007 - 12:24 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum skyler517
My name is Richie and i'll be helping you to fix your problems.

Please disable Spybot S&D’s protection,or it will interfere.
You can enable it after you're clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Active Common Service
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Click Start>Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane,locate the service name:
Active Common Service
Right click on it 'Delete'.
Then restart your pc.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O21 - SSODL: jetctrl - {CDE0A4C9-7D67-4F1B-8C0B-7C1BD5E7ACA8} - (no file)
O21 - SSODL: kopmet - {B3251C03-7A32-4F11-9CFD-7099AB842448} - (no file)
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe (file missing)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#3 skyler517

skyler517
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:17 AM

Posted 19 December 2007 - 02:13 PM

Hey Richie, 3 things:

1. Thank you very much for your help. I very much appreciate it. Drinks are on me if you ever come to Colorado, USA

2. O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe (file missing) was not shown when I ran Hijackthis. I assume that deleting the Reg entry and stopping it removed it from the scope of Hijackthis.

3. No bugs were found by SuperAntiSpyware. I am re-running spyware sweeper before I reboot again.


Please let me know if this passes the idiot test, since I am an idiot and installed this malware.

Thanks,
Bob

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 19 December 2007 - 02:54 PM

Could you post the new Hijackthis log as requested please.
Also let me know how your pc is running now.
Posted Image
Posted Image

#5 skyler517

skyler517
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:17 AM

Posted 19 December 2007 - 06:58 PM

Hey Richie, The computer is still running slow and spy sweeper is throwing out blocked web sites left and right.
Here is the Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:24 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\crusty.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...P&M=GT4023E
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKCU\..\Run: [ATI Scheduler] "C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157248487059
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157915099078
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2A57ABD-7382-4A4C-B248-743815ED4D29}: NameServer = 68.87.69.146,68.87.85.98
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10554 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 19 December 2007 - 07:25 PM

Run 'ESET Online Scanner' using Internet Explorer:
http://www.eset.com/onlinescan/
Place a check in the box 'YES,I accept the Terms of Use' after reading.
Then click 'Start'.
Allow the activex control to install.
Then click 'Start' in the 'ESET Online Scanner' window.
Place a check in the box 'Remove found threats'.
Leave the box 'Scan unwanted applications' blank.
Then press 'Scan'.
The scan will take up some time so please be patient.
Once the scan has finished,post the entire contents of the logfile:
C:\Program Files\EsetOnlineScanner\log.txt

Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1.General
2.System requirements
3.Start your scan,then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up,click on 'Install'
Read the Licence Agreement,then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options',make sure 'Scan whole system' is selected.
Under 'Other Scan Options',make sure the following are selected:
'Scan programs and documents'
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded,this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users