
Need Help Please


18 replies to this topic

#1 stevefrmoz


Posted 04 January 2008 - 02:29 AM

Can you tell me my problem(s)? Everything runs slow. I don't really want to reformat, as I have too much stuff on this PC.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:26 PM, on 4/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\HpMmKbd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\LClock\LClock .exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Administrator\Start Menu\Programs\utilites\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395581546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395571953
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7079 bytes

Regards Steve



#2 RichieUK


Posted 05 January 2008 - 05:15 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, stevefrmoz.
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Administrator\Start Menu\Programs\utilites\HijackThis\HijackThis.exe
Right click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 stevefrmoz


Posted 07 January 2008 - 04:39 AM

Logs as requested.
1: ComboFix log
ComboFix 08-01-06.4 - steved 2008-01-07 19:19:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.81 [GMT 10:00]
Running from: C:\Documents and Settings\steved\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 19:10 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\WINDOWS\srchasst
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-06 17:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 14:04 . 2008-01-05 10:10 <DIR> d-------- C:\Program Files\Incomplete
2008-01-04 13:31 . 2008-01-04 13:31 <DIR> d-------- C:\Program Files\CCleaner
2008-01-04 12:57 . 2008-01-04 13:14 <DIR> d-------- C:\Documents and Settings\steved\Contacts
2008-01-04 12:51 . 2008-01-04 13:13 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-04 11:30 . 2008-01-07 19:09 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-04 11:14 . 2008-01-04 11:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-04 10:48 . 2008-01-04 10:48 <DIR> d-------- C:\Documents and Settings\steved\LimeWire Store Purchased
2008-01-02 10:21 . 2008-01-02 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-02 10:21 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-02 10:21 . 2007-09-18 00:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-02 10:21 . 2007-09-18 00:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-02 10:20 . 2008-01-04 16:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\MSECache
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\IE Doctor
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-01 18:57 . 2008-01-02 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro(2)
2008-01-01 18:33 . 2007-12-30 12:42 211 --a------ C:\TISSupBI.bak
2007-12-29 10:51 . 2007-12-29 11:51 19 --a------ C:\WINDOWS\msxfcg32.dll
2007-12-28 12:24 . 2007-12-28 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-26 20:16 . 2008-01-02 10:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-26 18:40 . 2006-11-08 18:51 62,336 --------- C:\WINDOWS\system32\drivers\rspndr.sys
2007-12-26 18:40 . 2006-11-08 18:51 10,752 --a------ C:\WINDOWS\system32\rspndr.exe
2007-12-26 13:33 . 2007-12-26 13:44 <DIR> d-------- C:\New Folder (2)
2007-12-26 11:35 . 2007-12-26 11:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 17:25 . 2007-12-25 17:25 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Earthsim
2007-12-24 13:07 . 2008-01-04 16:24 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-12-24 12:25 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-24 12:25 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-24 11:34 . 2008-01-02 10:06 <DIR> d-------- C:\Documents and Settings\steved\.housecall6.6
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\WINDOWS\Sun
2007-12-24 10:34 . 2007-12-27 09:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 10:22 . 2007-12-24 10:22 <DIR> d--h----- C:\BJPrinter
2007-12-24 10:22 . 2003-02-28 14:30 100,352 --a------ C:\WINDOWS\system32\CNMLM50.DLL
2007-12-24 10:22 . 2003-02-28 14:30 5,632 --a------ C:\WINDOWS\system32\CNMVS50.DLL
2007-12-24 10:19 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Program Files\iTunes
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Program Files\iPod
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Apple Computer
2007-12-24 10:05 . 2008-01-04 12:40 <DIR> d-------- C:\Program Files\QuickTime
2007-12-24 10:05 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-24 10:04 . 2008-01-04 13:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-24 10:04 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-24 09:49 . 2008-01-07 19:28 <DIR> d-------- C:\WINDOWS\system32\DllCache
2007-12-24 09:46 . 2007-12-24 09:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-24 09:03 . 2007-12-24 09:03 <DIR> d-------- C:\Documents and Settings\steved\Application Data\ViStart
2007-12-24 09:01 . 2007-12-24 09:01 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Styler
2007-12-24 09:00 . 2007-12-24 09:14 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\VisualTooltip
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\Vista Sidebar
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\Styler
2007-12-24 09:00 . 2008-01-07 19:27 <DIR> d-------- C:\Program Files\LClock
2007-12-24 09:00 . 2007-04-15 01:30 6,181,376 --a------ C:\WINDOWS\system32\vistaui.exe
2007-12-24 09:00 . 2006-12-11 01:15 498,176 --a------ C:\WINDOWS\system32\logon.scr
2007-12-24 09:00 . 2007-11-30 05:56 329,029 --a------ C:\WINDOWS\system32\viwc.exe
2007-12-24 09:00 . 2004-09-20 01:27 172,032 --a------ C:\WINDOWS\system32\LClock.cpl
2007-12-24 09:00 . 2007-11-25 22:11 49,208 --a------ C:\WINDOWS\system32\vistartup.bmp
2007-12-24 08:57 . 2007-12-24 08:57 78,942 --a------ C:\WINDOWS\Icon_1.ico
2007-12-24 08:56 . 2007-12-24 09:04 <DIR> d-------- C:\WINDOWS\system32\VITrans
2007-12-24 08:56 . 2007-12-24 09:03 <DIR> d-------- C:\VTPFiles
2007-12-24 08:56 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-12-24 08:56 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-12-24 08:56 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2007-12-24 08:22 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-12-24 08:22 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-12-24 08:17 . 2007-12-24 08:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2007-12-24 08:16 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-24 07:55 . 2007-12-25 16:24 <DIR> dr------- C:\Programs
2007-12-23 23:28 . 2007-12-25 17:30 <DIR> d-------- C:\Program Files\Google
2007-12-23 23:28 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 23:01 . 2008-01-04 10:48 <DIR> d-------- C:\Documents and Settings\steved\Shared
2007-12-23 23:01 . 2008-01-04 10:51 <DIR> d-------- C:\Documents and Settings\steved\Incomplete
2007-12-23 23:01 . 2008-01-05 09:30 <DIR> d-------- C:\Documents and Settings\steved\.limewire
2007-12-23 23:00 . 2008-01-05 10:10 <DIR> d-------- C:\Program Files\LimeWire
2007-12-23 23:00 . 2007-12-23 23:28 <DIR> d-------- C:\Program Files\Java
2007-12-23 23:00 . 2007-12-23 23:00 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 22:46 . 2007-12-23 22:46 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-12-23 22:38 . 2007-12-23 22:38 <DIR> d-------- C:\Program Files\MSBuild
2007-12-23 22:35 . 2007-12-24 09:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-23 22:34 . 2007-12-23 22:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-23 22:33 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-23 22:32 . 2007-12-23 22:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-23 22:30 . 2008-01-04 13:45 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-23 22:30 . 2007-12-23 22:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-23 22:26 . 2007-12-23 22:26 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-23 22:23 . 2006-11-13 16:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-12-23 22:23 . 2006-11-13 16:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-12-23 22:23 . 2006-11-13 16:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-12-23 22:09 . 2008-01-04 20:11 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Skype
2007-12-23 19:10 . 2007-12-23 19:10 <DIR> d-------- C:\Documents and Settings\steved\Application Data\ATI
2007-12-23 18:23 . 2007-12-05 14:17 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-12-23 18:22 . 2008-01-04 16:13 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 09:19 15,360 ----a-w C:\WINDOWS\system32\DllCache\ctfmon.exe
2008-01-07 09:19 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-06 08:01 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2008-01-04 01:37 118,342 ----a-w C:\WINDOWS\Fonts\x.zip
2008-01-04 01:30 290,819 ----a-w C:\WINDOWS\Fonts\svchost .exe
2007-12-25 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Earthsim
2007-12-23 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 07:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 07:40 222,720 ----a-w C:\WINDOWS\system32\DllCache\wmasf.dll
2007-10-23 15:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-23 15:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-23 15:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-23 15:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-10 23:55 88,576 ----a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-10 23:55 579,584 ----a-w C:\WINDOWS\system32\icardagt.exe
2007-10-10 23:55 11,776 ----a-w C:\WINDOWS\system32\icardres.dll
2007-10-09 03:03 779,800 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 03:03 73,752 ----a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 03:03 493,080 ----a-w C:\WINDOWS\system32\evr.dll
2007-10-09 03:03 350,744 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 03:03 33,304 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 03:03 161,304 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 03:03 106,520 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 03:03 1,986,072 ----a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 02:58 16,896 ----a-w C:\WINDOWS\system32\tswpfwrp.exe
2007-10-01 02:15 290,820 ----a-w C:\WINDOWS\Fonts\Setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_17.43.39.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-05 23:59:10 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
+ 2004-08-03 14:56:54 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
+ 2004-08-03 14:56:54 158,208 ----a-w C:\WINDOWS\system32\DllCache\msconfig.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17791F19-B127-4433-BC47-5DF3FF925E35}]
2008-01-07 19:27 335360 --a------ C:\WINDOWS\system32\awtsr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2008-01-07 19:09 409088]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-07 19:19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-07 19:09 2284032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-07 19:09 475648]
"HpMmKbd"="HpMmKbd.exe" [2002-02-08 14:16 147456 C:\WINDOWS\system32\HPMMKBD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-01-07 19:19 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\awtsr.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtsr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-07 19:19 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
--a------ 2008-01-07 19:27 338944 C:\WINDOWS\system32\awtsr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-04 20:27 286720 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-04 00:56 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]

R3 hpmmkbd;HP Extended Keyboard;C:\WINDOWS\system32\DRIVERS\hpmmkbd.sys [1999-09-29 09:40]
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 13:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 13:25]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 05:11:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 01:37:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-12-30 01:37:02 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 19:27:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\awtsr.dll 335360 bytes executable
C:\WINDOWS\system32\awtsr.exe 338944 bytes executable
C:\WINDOWS\system32\rstwa.ini 415 bytes
C:\WINDOWS\system32\rstwa.ini2 319 bytes

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\LClock\LC.dll
-> C:\WINDOWS\system32\awtsr.dll
.
Completion time: 2008-01-07 19:29:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 09:29:30
ComboFix2.txt 2008-01-06 07:55:22
ComboFix3.txt 2008-01-06 07:44:24
.
2007-12-24 03:19:29 --- E O F ---

2: HijackThis log renamed ABC.bat
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:49 PM, on 7/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\HpMmKbd.exe
C:\Program Files\LClock\LClock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\LClock\LClock .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Administrator\Start Menu\Programs\utilites\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17791F19-B127-4433-BC47-5DF3FF925E35} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395581546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395571953
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7311 bytes

What next?
Regards Steve

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 January 2008 - 05:25 AM

Copy and paste ALL the following text (the block below) into Notepad.
Click on File (in the menu at the top) > Save as... Set "Save as type" to 'All Files' and "File name" to CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\msxfcg32.dll
C:\WINDOWS\Fonts\svchost .exe
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\awtsr.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17791F19-B127-4433-BC47-5DF3FF925E35}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.

Download RenV.exe to your desktop and double-click it to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
When it's finished it will produce a log.
Please post the contents of that log in your next reply.

Also post a new HijackThis log.

#5 stevefrmoz

  • Topic Starter

  • Members
  • 10 posts

Posted 07 January 2008 - 06:48 AM

ComboFix log
ComboFix 08-01-06.4 - steved 2008-01-07 21:31:44.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.83 [GMT 10:00]
Running from: C:\Documents and Settings\steved\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\steved\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 21:17 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\WINDOWS\srchasst
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-06 17:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 14:04 . 2008-01-05 10:10 <DIR> d-------- C:\Program Files\Incomplete
2008-01-04 13:31 . 2008-01-04 13:31 <DIR> d-------- C:\Program Files\CCleaner
2008-01-04 12:57 . 2008-01-04 13:14 <DIR> d-------- C:\Documents and Settings\steved\Contacts
2008-01-04 12:51 . 2008-01-04 13:13 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-04 11:30 . 2008-01-07 21:13 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-04 11:14 . 2008-01-04 11:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-04 10:48 . 2008-01-04 10:48 <DIR> d-------- C:\Documents and Settings\steved\LimeWire Store Purchased
2008-01-02 10:21 . 2008-01-02 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-02 10:21 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-02 10:21 . 2007-09-18 00:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-02 10:21 . 2007-09-18 00:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-02 10:20 . 2008-01-04 16:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\MSECache
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\IE Doctor
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-01 18:57 . 2008-01-02 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro(2)
2008-01-01 18:33 . 2007-12-30 12:42 211 --a------ C:\TISSupBI.bak
2007-12-29 10:51 . 2007-12-29 11:51 19 --a------ C:\WINDOWS\msxfcg32.dll
2007-12-28 12:24 . 2007-12-28 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-26 20:16 . 2008-01-02 10:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-26 18:40 . 2006-11-08 18:51 62,336 --------- C:\WINDOWS\system32\drivers\rspndr.sys
2007-12-26 18:40 . 2006-11-08 18:51 10,752 --a------ C:\WINDOWS\system32\rspndr.exe
2007-12-26 13:33 . 2007-12-26 13:44 <DIR> d-------- C:\New Folder (2)
2007-12-26 11:35 . 2007-12-26 11:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 17:25 . 2007-12-25 17:25 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Earthsim
2007-12-24 13:07 . 2008-01-04 16:24 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-12-24 12:25 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-24 12:25 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-24 11:34 . 2008-01-02 10:06 <DIR> d-------- C:\Documents and Settings\steved\.housecall6.6
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\WINDOWS\Sun
2007-12-24 10:34 . 2007-12-27 09:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 10:22 . 2007-12-24 10:22 <DIR> d--h----- C:\BJPrinter
2007-12-24 10:22 . 2003-02-28 14:30 100,352 --a------ C:\WINDOWS\system32\CNMLM50.DLL
2007-12-24 10:22 . 2003-02-28 14:30 5,632 --a------ C:\WINDOWS\system32\CNMVS50.DLL
2007-12-24 10:19 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Program Files\iTunes
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Program Files\iPod
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Apple Computer
2007-12-24 10:05 . 2008-01-04 12:40 <DIR> d-------- C:\Program Files\QuickTime
2007-12-24 10:05 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-24 10:04 . 2008-01-04 13:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-24 10:04 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-24 09:49 . 2008-01-07 21:32 <DIR> d-------- C:\WINDOWS\system32\DllCache
2007-12-24 09:46 . 2007-12-24 09:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-24 09:03 . 2007-12-24 09:03 <DIR> d-------- C:\Documents and Settings\steved\Application Data\ViStart
2007-12-24 09:01 . 2007-12-24 09:01 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Styler
2007-12-24 09:00 . 2007-12-24 09:14 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\VisualTooltip
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\Vista Sidebar
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\Styler
2007-12-24 09:00 . 2008-01-07 21:32 <DIR> d-------- C:\Program Files\LClock
2007-12-24 09:00 . 2007-04-15 01:30 6,181,376 --a------ C:\WINDOWS\system32\vistaui.exe
2007-12-24 09:00 . 2006-12-11 01:15 498,176 --a------ C:\WINDOWS\system32\logon.scr
2007-12-24 09:00 . 2007-11-30 05:56 329,029 --a------ C:\WINDOWS\system32\viwc.exe
2007-12-24 09:00 . 2004-09-20 01:27 172,032 --a------ C:\WINDOWS\system32\LClock.cpl
2007-12-24 09:00 . 2007-11-25 22:11 49,208 --a------ C:\WINDOWS\system32\vistartup.bmp
2007-12-24 08:57 . 2007-12-24 08:57 78,942 --a------ C:\WINDOWS\Icon_1.ico
2007-12-24 08:56 . 2007-12-24 09:04 <DIR> d-------- C:\WINDOWS\system32\VITrans
2007-12-24 08:56 . 2007-12-24 09:03 <DIR> d-------- C:\VTPFiles
2007-12-24 08:56 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-12-24 08:56 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-12-24 08:56 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2007-12-24 08:22 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-12-24 08:22 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-12-24 08:17 . 2007-12-24 08:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2007-12-24 08:16 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-24 07:55 . 2007-12-25 16:24 <DIR> dr------- C:\Programs
2007-12-23 23:28 . 2007-12-25 17:30 <DIR> d-------- C:\Program Files\Google
2007-12-23 23:28 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 23:01 . 2008-01-04 10:48 <DIR> d-------- C:\Documents and Settings\steved\Shared
2007-12-23 23:01 . 2008-01-04 10:51 <DIR> d-------- C:\Documents and Settings\steved\Incomplete
2007-12-23 23:01 . 2008-01-05 09:30 <DIR> d-------- C:\Documents and Settings\steved\.limewire
2007-12-23 23:00 . 2008-01-05 10:10 <DIR> d-------- C:\Program Files\LimeWire
2007-12-23 23:00 . 2007-12-23 23:28 <DIR> d-------- C:\Program Files\Java
2007-12-23 23:00 . 2007-12-23 23:00 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 22:46 . 2007-12-23 22:46 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-12-23 22:38 . 2007-12-23 22:38 <DIR> d-------- C:\Program Files\MSBuild
2007-12-23 22:35 . 2007-12-24 09:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-23 22:34 . 2007-12-23 22:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-23 22:33 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-23 22:32 . 2007-12-23 22:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-23 22:30 . 2008-01-04 13:45 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-23 22:30 . 2007-12-23 22:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-23 22:26 . 2007-12-23 22:26 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-23 22:23 . 2006-11-13 16:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-12-23 22:23 . 2006-11-13 16:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-12-23 22:23 . 2006-11-13 16:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-12-23 22:09 . 2008-01-04 20:11 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Skype
2007-12-23 19:10 . 2007-12-23 19:10 <DIR> d-------- C:\Documents and Settings\steved\Application Data\ATI
2007-12-23 18:23 . 2007-12-05 14:17 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-12-23 18:22 . 2008-01-04 16:13 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 01:37 118,342 ----a-w C:\WINDOWS\Fonts\x.zip
2008-01-04 01:30 290,819 ----a-w C:\WINDOWS\Fonts\svchost .exe
2007-12-25 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Earthsim
2007-12-23 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-01 02:15 290,820 ----a-w C:\WINDOWS\Fonts\Setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_17.43.39.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-04 13:46:29 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
+ 2008-01-07 10:51:51 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
- 2008-01-05 23:59:10 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
+ 2008-01-07 11:17:52 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
- 2008-01-06 07:42:10 355,840 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2008-01-07 11:32:13 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2008-01-07 11:32:13 15,360 ----a-w C:\WINDOWS\system32\DllCache\ctfmon.exe
+ 2008-01-07 11:17:52 158,208 ----a-w C:\WINDOWS\system32\DllCache\msconfig.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2008-01-07 21:35 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-07 21:32 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-07 21:35 1393928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-07 21:35 132496]
"HpMmKbd"="HpMmKbd.exe" [2002-02-08 14:16 147456 C:\WINDOWS\system32\HPMMKBD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-01-07 21:32 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-07 21:32 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-04 20:27 286720 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-04 00:56 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]

R3 hpmmkbd;HP Extended Keyboard;C:\WINDOWS\system32\DRIVERS\hpmmkbd.sys [1999-09-29 09:40]
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 13:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 13:25]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 05:11:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 01:37:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-12-30 01:37:02 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 21:39:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\LClock\LC.dll
.
Completion time: 2008-01-07 21:40:14 - machine was rebooted [steved]
ComboFix-quarantined-files.txt 2008-01-07 11:40:07
ComboFix2.txt 2008-01-07 09:29:38
ComboFix3.txt 2008-01-06 07:55:22
ComboFix4.txt 2008-01-06 07:44:24
.
2007-12-24 03:19:29 --- E O F ---
RenV log
Ran on Mon 07/01/2008 - 21:41:31.46

----a-w     132,496 2008-01-07 11:13:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w      65,536 2008-01-07 11:13:27  C:\Program Files\LClock\LClock .exe
----a-w   5,674,352 2008-01-04 03:13:38  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w     286,720 2008-01-04 10:27:20  C:\Program Files\QuickTime\qttask .exe
----a-w   1,393,928 2008-01-07 11:17:32  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
----a-w     488,712 2008-01-04 12:18:52  C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
----a-w     290,819 2008-01-04 01:30:06  C:\WINDOWS\Fonts\svchost .exe
----a-w     158,208 2008-01-07 10:51:51  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w      15,360 2008-01-07 11:13:28  C:\WINDOWS\system32\ctfmon .exe

 Entries:     9  (9)
 Directories: 0  Files:  9
 Bytes:       8,506,131  Blocks: 16,616
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:49 PM, on 7/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\HpMmKbd.exe
C:\Program Files\LClock\LClock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Administrator\Start Menu\Programs\utilites\HijackThis\Copy of HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395581546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395571953
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6993 bytes
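The RenV and ComboFix output above shows the pattern RenV exists to undo: autostart executables renamed with a space before the extension (jusched .exe, qttask .exe, ctfmon .exe), a 355,840-byte C:\WINDOWS\system32\ctfmon.exe that ComboFix replaced with the 15,360-byte copy in the snapshot section, and an svchost .exe sitting in C:\WINDOWS\Fonts, where no svchost belongs. The Python below is an added example written for this thread, not code from the original posts or from RenV or ComboFix. It parses listing lines in the three formats posted here (RenV, ComboFix "Find3M", ComboFix snapshot) and flags (a) any file name with whitespace before its extension, (b) well-known system binary names outside the system directories, and (c) a directory holding both the spaced and the unspaced name, reporting both sizes. The sample lines are a constructed subset copied from the logs above; SYSTEM_BINARIES and SYSTEM_DIRS are assumptions made for the check, not something either tool emits. The nlpo_* RunOnce entries in the HijackThis log invoke nlite.inf and belong to an nLite-built installation; they are registry items, not files, and are outside this script's scope.

```python
"""Flag the 'name .exe' renaming pattern visible in the RenV/ComboFix output in this thread.

Added example, not part of the original posts and not RenV or ComboFix code.
SAMPLE is a constructed subset of the posted log lines; SYSTEM_BINARIES and
SYSTEM_DIRS are assumptions for the check.
"""
import re
from collections import defaultdict

# Assumption: these names belong only under these directories on an XP box.
SYSTEM_BINARIES = {"svchost.exe", "ctfmon.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\dllcache"}

PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
# A size token: digits with thousands separators, not glued to a date (2008-01-07) or time (11:13:24).
SIZE_RE = re.compile(r"(?<![\d:-])(\d{1,3}(?:,\d{3})+|\d+)(?![\d:-])")
# Whitespace immediately before the extension: 'svchost .exe'.
SPACED_EXT_RE = re.compile(r"\s\.[^.\s\\]+$")

# Constructed sample: RenV lines, a ComboFix snapshot line, a Find3M line, a 'Files Created' line.
SAMPLE = r"""
----a-w           132,496 2008-01-07 11:13:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           290,819 2008-01-04 01:30:06  C:\WINDOWS\Fonts\svchost .exe
----a-w            15,360 2008-01-07 11:13:28  C:\WINDOWS\system32\ctfmon .exe
- 2008-01-06 07:42:10 355,840 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-10-01 02:15 290,820 ----a-w C:\WINDOWS\Fonts\Setup.exe
2008-01-04 11:14 . 2008-01-04 11:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
""".strip().splitlines()


def parse_listing(lines):
    """Pull (path, size) out of RenV, ComboFix Find3M and ComboFix snapshot lines."""
    entries = []
    for line in lines:
        m = PATH_RE.search(line)
        if not m:
            continue
        sizes = SIZE_RE.findall(line[:m.start()])  # only look left of the path
        size = int(sizes[-1].replace(",", "")) if sizes else None
        entries.append((m.group(0).rstrip(), size))
    return entries


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory, name


def canonical_name(name):
    """'svchost .exe' -> 'svchost.exe': the name the file is pretending to be."""
    return re.sub(r"\s+", "", name).lower()


def find_spaced_extensions(entries):
    """Files whose extension is preceded by whitespace."""
    return [p for p, _ in entries if SPACED_EXT_RE.search(split_path(p)[1])]


def find_misplaced_system_binaries(entries):
    """Well-known system binary names living outside the system directories."""
    hits = []
    for path, _ in entries:
        directory, name = split_path(path)
        if canonical_name(name) in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
            hits.append(path)
    return hits


def find_shadow_pairs(entries):
    """Same directory holding both 'X.exe' and 'X .exe': returns (dir, name, spaced_size, plain_size)."""
    groups = defaultdict(dict)
    for path, size in entries:
        directory, name = split_path(path)
        key = (directory.lower(), canonical_name(name))
        groups[key][bool(SPACED_EXT_RE.search(name))] = size
    return sorted(
        (d, n, sizes[True], sizes[False])
        for (d, n), sizes in groups.items()
        if True in sizes and False in sizes
    )


def audit(lines):
    entries = parse_listing(lines)
    return {
        "spaced_ext": find_spaced_extensions(entries),
        "misplaced": find_misplaced_system_binaries(entries),
        "shadow_pairs": find_shadow_pairs(entries),
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE).items():
        print(kind)
        for h in hits:
            print("   ", h)
```

Run it as a script to print the three lists for the sample, or replace SAMPLE with the lines of a saved log. A spaced name on its own is not proof of infection: Windows runs "qttask .exe" without complaint if a Run entry points at it, so the signal worth acting on is a pair of names in one directory with different sizes, or a system binary name in a directory such as Fonts.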

#6 stevefrmoz

  • Topic Starter

  • Members
  • 10 posts

Posted 07 January 2008 - 07:06 AM

I also have problems with msconfig: I cannot use Normal Startup. I tried to attach a screenshot but don't know how.
Regards Steve

Edited by stevefrmoz, 07 January 2008 - 07:07 AM.


#7 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 January 2008 - 08:15 AM

Posted Image
Referring to the picture above, drag Log.txt onto RenV.exe.
When finished, it shall produce a new log for you.
Post that log in your next reply.

Close any open browsers.
Double click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.

#8 stevefrmoz

  • Topic Starter

  • Members
  • 10 posts

Posted 08 January 2008 - 04:05 AM

Ran on Tue 08/01/2008 - 18:44:50.45

 Entries:     0  (0)
 Directories: 0  Files:  0
 Bytes:       0  Blocks: 0

ComboFix 08-01-06.4 - steved 2008-01-08 18:48:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.133 [GMT 10:00]
Running from: C:\Documents and Settings\steved\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-08 18:43 . 2008-01-08 18:43 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\WINDOWS\srchasst
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-06 17:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 14:04 . 2008-01-05 10:10 <DIR> d-------- C:\Program Files\Incomplete
2008-01-04 13:31 . 2008-01-04 13:31 <DIR> d-------- C:\Program Files\CCleaner
2008-01-04 12:57 . 2008-01-04 13:14 <DIR> d-------- C:\Documents and Settings\steved\Contacts
2008-01-04 12:51 . 2008-01-08 18:44 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-04 11:14 . 2008-01-04 11:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-04 10:48 . 2008-01-04 10:48 <DIR> d-------- C:\Documents and Settings\steved\LimeWire Store Purchased
2008-01-02 10:21 . 2008-01-02 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-02 10:21 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-02 10:21 . 2007-09-18 00:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-02 10:21 . 2007-09-18 00:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-02 10:20 . 2008-01-04 16:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\MSECache
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\IE Doctor
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-01 18:57 . 2008-01-02 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro(2)
2008-01-01 18:33 . 2007-12-30 12:42 211 --a------ C:\TISSupBI.bak
2007-12-29 10:51 . 2007-12-29 11:51 19 --a------ C:\WINDOWS\msxfcg32.dll
2007-12-28 12:24 . 2007-12-28 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-26 20:16 . 2008-01-02 10:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-26 18:40 . 2006-11-08 18:51 62,336 --------- C:\WINDOWS\system32\drivers\rspndr.sys
2007-12-26 18:40 . 2006-11-08 18:51 10,752 --a------ C:\WINDOWS\system32\rspndr.exe
2007-12-26 13:33 . 2007-12-26 13:44 <DIR> d-------- C:\New Folder (2)
2007-12-26 11:35 . 2007-12-26 11:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 17:25 . 2007-12-25 17:25 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Earthsim
2007-12-24 13:07 . 2008-01-04 16:24 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-12-24 12:25 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-24 12:25 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-24 11:34 . 2008-01-02 10:06 <DIR> d-------- C:\Documents and Settings\steved\.housecall6.6
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\WINDOWS\Sun
2007-12-24 10:34 . 2007-12-27 09:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 10:22 . 2007-12-24 10:22 <DIR> d--h----- C:\BJPrinter
2007-12-24 10:22 . 2003-02-28 14:30 100,352 --a------ C:\WINDOWS\system32\CNMLM50.DLL
2007-12-24 10:22 . 2003-02-28 14:30 5,632 --a------ C:\WINDOWS\system32\CNMVS50.DLL
2007-12-24 10:19 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Program Files\iTunes
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Program Files\iPod
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Apple Computer
2007-12-24 10:05 . 2008-01-08 18:44 <DIR> d-------- C:\Program Files\QuickTime
2007-12-24 10:05 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-24 10:04 . 2008-01-04 13:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-24 10:04 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-24 09:49 . 2008-01-08 18:48 <DIR> d-------- C:\WINDOWS\system32\DllCache
2007-12-24 09:46 . 2007-12-24 09:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-24 09:03 . 2007-12-24 09:03 <DIR> d-------- C:\Documents and Settings\steved\Application Data\ViStart
2007-12-24 09:01 . 2007-12-24 09:01 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Styler
2007-12-24 09:00 . 2007-12-24 09:14 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\VisualTooltip
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\Vista Sidebar
2007-12-24 09:00 . 2007-12-24 09:00 <DIR> d-------- C:\Program Files\Styler
2007-12-24 09:00 . 2008-01-08 18:44 <DIR> d-------- C:\Program Files\LClock
2007-12-24 09:00 . 2007-04-15 01:30 6,181,376 --a------ C:\WINDOWS\system32\vistaui.exe
2007-12-24 09:00 . 2006-12-11 01:15 498,176 --a------ C:\WINDOWS\system32\logon.scr
2007-12-24 09:00 . 2007-11-30 05:56 329,029 --a------ C:\WINDOWS\system32\viwc.exe
2007-12-24 09:00 . 2004-09-20 01:27 172,032 --a------ C:\WINDOWS\system32\LClock.cpl
2007-12-24 09:00 . 2007-11-25 22:11 49,208 --a------ C:\WINDOWS\system32\vistartup.bmp
2007-12-24 08:57 . 2007-12-24 08:57 78,942 --a------ C:\WINDOWS\Icon_1.ico
2007-12-24 08:56 . 2007-12-24 09:04 <DIR> d-------- C:\WINDOWS\system32\VITrans
2007-12-24 08:56 . 2007-12-24 09:03 <DIR> d-------- C:\VTPFiles
2007-12-24 08:56 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-12-24 08:56 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-12-24 08:56 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2007-12-24 08:22 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-12-24 08:22 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-12-24 08:17 . 2007-12-24 08:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2007-12-24 08:16 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-24 07:55 . 2007-12-25 16:24 <DIR> dr------- C:\Programs
2007-12-23 23:28 . 2007-12-25 17:30 <DIR> d-------- C:\Program Files\Google
2007-12-23 23:28 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 23:01 . 2008-01-04 10:48 <DIR> d-------- C:\Documents and Settings\steved\Shared
2007-12-23 23:01 . 2008-01-04 10:51 <DIR> d-------- C:\Documents and Settings\steved\Incomplete
2007-12-23 23:01 . 2008-01-05 09:30 <DIR> d-------- C:\Documents and Settings\steved\.limewire
2007-12-23 23:00 . 2008-01-05 10:10 <DIR> d-------- C:\Program Files\LimeWire
2007-12-23 23:00 . 2007-12-23 23:28 <DIR> d-------- C:\Program Files\Java
2007-12-23 23:00 . 2007-12-23 23:00 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 22:46 . 2007-12-23 22:46 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-12-23 22:38 . 2007-12-23 22:38 <DIR> d-------- C:\Program Files\MSBuild
2007-12-23 22:35 . 2007-12-24 09:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-23 22:34 . 2007-12-23 22:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-23 22:33 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-23 22:32 . 2007-12-23 22:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-23 22:30 . 2008-01-04 13:45 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-23 22:30 . 2007-12-23 22:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-23 22:26 . 2007-12-23 22:26 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-23 22:23 . 2006-11-13 16:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-12-23 22:23 . 2006-11-13 16:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-12-23 22:23 . 2006-11-13 16:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-12-23 22:09 . 2008-01-04 20:11 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Skype
2007-12-23 19:10 . 2007-12-23 19:10 <DIR> d-------- C:\Documents and Settings\steved\Application Data\ATI
2007-12-23 18:23 . 2007-12-05 14:17 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-12-23 18:22 . 2008-01-04 16:13 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-23 18:22 . 2007-12-23 21:38 <DIR> d-------- C:\Program Files\ATI Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 11:13 15,360 ----a-w C:\WINDOWS\system32\DllCache\ctfmon.exe
2008-01-07 11:13 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-07 10:51 158,208 ----a-w C:\WINDOWS\system32\DllCache\msconfig.exe
2008-01-07 10:51 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-01-04 01:37 118,342 ----a-w C:\WINDOWS\Fonts\x.zip
2007-12-25 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Earthsim
2007-12-23 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 07:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 07:40 222,720 ----a-w C:\WINDOWS\system32\DllCache\wmasf.dll
2007-10-23 15:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-23 15:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-23 15:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-23 15:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-10 23:55 88,576 ----a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-10 23:55 579,584 ----a-w C:\WINDOWS\system32\icardagt.exe
2007-10-10 23:55 11,776 ----a-w C:\WINDOWS\system32\icardres.dll
2007-10-09 03:03 779,800 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 03:03 73,752 ----a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 03:03 493,080 ----a-w C:\WINDOWS\system32\evr.dll
2007-10-09 03:03 350,744 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 03:03 33,304 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 03:03 161,304 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 03:03 106,520 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 03:03 1,986,072 ----a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 02:58 16,896 ----a-w C:\WINDOWS\system32\tswpfwrp.exe
2007-10-01 02:15 290,820 ----a-w C:\WINDOWS\Fonts\Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-07 21:13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-07 21:17 1393928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"HpMmKbd"="HpMmKbd.exe" [2002-02-08 14:16 147456 C:\WINDOWS\system32\HPMMKBD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-01-07 21:13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-07 21:13 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-04 00:56 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]

R3 hpmmkbd;HP Extended Keyboard;C:\WINDOWS\system32\DRIVERS\hpmmkbd.sys [1999-09-29 09:40]
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 13:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 13:25]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 05:11:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 01:37:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-12-30 01:37:02 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 18:50:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 18:51:18
ComboFix-quarantined-files.txt 2008-01-08 08:51:14
ComboFix2.txt 2008-01-07 11:40:14
ComboFix3.txt 2008-01-07 09:29:38
ComboFix4.txt 2008-01-06 07:55:22
ComboFix5.txt 2008-01-06 07:44:24
.
2007-12-24 03:19:29 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:46 PM, on 8/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HpMmKbd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Administrator\Start Menu\Programs\utilites\HijackThis\Copy of HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395581546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395571953
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6780 bytes

What next?
Regards Steve

Edited by stevefrmoz, 08 January 2008 - 04:06 AM.


#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 January 2008 - 04:59 AM

Please download OTMoveIt by OldTimer and save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\msxfcg32.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1. General
2. System requirements
3. Start your scan, then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up; click on 'Install'.
Read the Licence Agreement, then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options', make sure 'Scan whole system' is selected.
Under 'Other Scan Options', make sure the following are selected:
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded; this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log.
Let me know how your PC is running now.

#10 stevefrmoz

stevefrmoz
  • Topic Starter

  • Members
  • 10 posts

Posted 12 January 2008 - 06:44 AM

Hi Richie,
I tried OTMoveIt; I just get error msg 1: 'error creating log file'.
I hit OK and get a second error msg: 'error creating restore file'.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:21 PM, on 12/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\HpMmKbd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\steved\Desktop\fsec\f-bot.exe
C:\Administrator\Start Menu\Programs\utilites\HijackThis\Copy of HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/?wa=wsignin1.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395581546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395571953
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7175 bytes


Scanning Report
Saturday, January 12, 2008 10:51:27 - 19:16:41
Computer name: STEVE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 181 malware found
Backdoor.Win32.IRCBot.aro (virus)
C:\WINDOWS\Fonts\Setup.exe (Renamed & Submitted)
C:\WINDOWS\Fonts\x.zip\Setup.exe
Backdoor.Win32.IRCBot.dd (virus)
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D.tmp (Renamed & Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System (Disinfected)
Trojan-Dropper.Win32.Agent.dgo (virus)
C:\Program Files\Trend Micro\Internet Security\Quarantine\1B.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\20.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\21.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\22.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\2B.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\2E.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\2F.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\4E.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\6.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\7.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\8.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\9.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\A.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr.exe (Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_354.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_364.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_598.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_84c.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_8a0.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_a8c.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_b10.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_b14.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_b1c.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_b2c.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_c40.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_c44.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_cac.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_e7c.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\B.tmp (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\TMAS_OEMon.exe (Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005795.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005796.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005802.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005804.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005827.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005907.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005908.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005912.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005986.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005988.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005989.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005990.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005991.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0006080.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0006082.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0006083.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0006084.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0006085.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007112.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007222.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007242.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007245.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007246.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007263.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007265.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007266.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007267.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007287.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007289.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007290.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007291.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0007298.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008308.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008310.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008311.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008312.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008330.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008331.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008332.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008354.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008356.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008357.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008391.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008392.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008393.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008397.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008413.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008415.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008416.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008419.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008464.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008466.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008467.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008478.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008492.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008493.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008494.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008531.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008540.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008578.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008580.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008581.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008622.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008624.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008639.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008642.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008643.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008664.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008675.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008692.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008693.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008695.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008705.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008720.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008723.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008724.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008733.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008747.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008749.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008750.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008774.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008775.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0008776.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\AdVantage.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.exe.tmp.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB1 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB2 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB3 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB4 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB5 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB6 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB7 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB8 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB9 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB1 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB2 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB3 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB4 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB5 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB6 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB7 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\jusched.RB8 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB1 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB2 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB3 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB4 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB5 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB6 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB7 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\LClock.RB8 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\mrofinu1188.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msconfig.exe.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\MSConfig.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\MSConfig.RB1 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\MSConfig.RB2 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\MSConfig.RB3 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\MSConfig.RB4 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msconfig.RB5 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msconfig.RB6 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msconfig.RB7 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\msconfig.RB8 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\MsnMsgr.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\OLD17.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\qttask .RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\qttask.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCX2F.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCX32.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCX37.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCX3A.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCX3D.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\RCX42.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\svchost.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\svchost.RB1 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TMAS_OEMon.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\UfSeAgnt.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\UfSeAgnt.RB1 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\UfSeAgnt.RB2 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\UfSeAgnt.RB3 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\UfSeAgnt.RB4 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\UfSeAgnt.RB5 (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 449535
System: 3540
Not scanned: 50
Actions:
Disinfected: 2
Renamed: 176
Deleted: 0
None: 3
Submitted: 178
Files not scanned:
xc0Wi~WRS0000.TMP
C:\DOCUMENTS AND SETTINGS\STEVED\LOCAL SETTINGS\TEMP\~DF5802.TMP
C:\DOCUMENTS AND SETTINGS\STEVED\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\steved\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Brokenlink.zip\HijackThis.lnk
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClientMan.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommonDialogs.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage.zip\ffext.mod
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage1.zip\AdVUninst.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage2.zip\AdVantage.htm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage3.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage4.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterUpdateDisableNotify.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterUpdateDisableNotify1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Startupfiledoesnotexist.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Startupfiledoesnotexist1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip\removalfile.bat
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip\svchost.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wronguninstallinformation.zip\sbRecovery.reg
C:\Administrator\My Documents\flc.xps\Documents/1/Metadata/Page1_Thumbnail.JPG
C:\Administrator\Desktop\Folder\New Folder\Windows_Genuine_Advantage_Validati

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2008-01-11
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-11-28
F-Secure Libra: 2.4.2, 2008-01-11
F-Secure Orion: 1.2.37, 2008-01-11
F-Secure Pegasus: 1.19.0, 2007-11-31
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------


How come Trend Micro Internet Security 2008 did not find these 181 instances?
Still no closer; the PC is as slow as ever.
Regards, Steve
What next?

Edited by stevefrmoz, 12 January 2008 - 06:45 AM.


#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 12 January 2008 - 07:27 AM

How come Trend Micro Internet Security 2008 did not find these 181 instances?

Trend Micro Internet Security did find and quarantine them all but one.

First enable the viewing of hidden files and folders; reverse the process once you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Delete the entire contents of these folders:
C:\Program Files\Trend Micro\Internet Security\Quarantine
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery

Click on Start/Run, type cleanmgr into the 'Open:' space, then press Ok.
Let it scan your system for files to remove.
Make sure these 3 are checked and nothing else, then press Ok.
* Temporary Files
* Temporary Internet Files
* Recycle Bin


F-Secure Online Virus Scanner [Renamed & Submitted] the following:
Backdoor.Win32.IRCBot.aro (virus)
C:\WINDOWS\Fonts\Setup.exe (Renamed & Submitted)

Even though F-Secure Online Virus Scanner [Renamed & Submitted] Backdoor.Win32.IRCBot.aro, a backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

Let me know how you wish to proceed in your next reply.

Edited by RichieUK, 12 January 2008 - 07:28 AM.

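Steve's question and RichieUK's answer turn on where the 181 hits sit: nearly every path in the F-Secure report lies inside Trend Micro's own Quarantine folder, so the second scanner is re-detecting copies that had already been neutralised, and only C:\WINDOWS\Fonts\Setup.exe is a hit in a live location. The Python script below is an added example, not part of this thread and not code from F-Secure, Trend Micro or Spybot. It parses report lines of the shape pasted above, separates detections inside known quarantine stores (the two folders RichieUK asks to empty) from detections at live paths, and cross-checks the scanner's own Statistics block against the individual lines. The report text embedded in it is a constructed subset of the lines above, with statistics made to match that subset.

```python
import re
from collections import Counter

# Detection lines in the F-Secure report have the shape "<path> (<action>)".
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<action>[^()]+)\)$")
# Counters from the report's "Statistics" block, e.g. "Renamed: 176".
STAT_RE = re.compile(r"^(?P<key>Disinfected|Renamed|Deleted|None|Submitted): (?P<n>\d+)$")

# Folders in which other tools keep already-neutralised copies. These are the two
# folders RichieUK asks to empty; a hit inside them is a leftover, not a live infection.
QUARANTINE_STORES = (
    "\\Trend Micro\\Internet Security\\Quarantine\\",
    "\\Spybot - Search & Destroy\\Recovery\\",
)


def is_quarantined_copy(path: str) -> bool:
    """True when the detection sits inside another product's quarantine/backup store."""
    lowered = path.lower()
    return any(store.lower() in lowered for store in QUARANTINE_STORES)


def parse_report(text: str) -> dict:
    """Split a pasted report into live detections, quarantined copies,
    per-action counts and the scanner's own Statistics figures."""
    live, quarantined, actions, stats = [], [], Counter(), {}
    for raw in text.splitlines():
        line = raw.strip()
        hit = DETECTION_RE.match(line)
        if hit:
            actions[hit["action"]] += 1
            (quarantined if is_quarantined_copy(hit["path"]) else live).append(hit["path"])
            continue
        stat = STAT_RE.match(line)
        if stat:
            stats[stat["key"]] = int(stat["n"])
    return {"live": live, "quarantined": quarantined, "actions": actions, "stats": stats}


def submitted_total(actions: Counter) -> int:
    """Every action string containing 'Submitted' counts toward the Submitted total."""
    return sum(n for action, n in actions.items() if "Submitted" in action)


def report_is_consistent(parsed: dict) -> bool:
    """Cross-check the Statistics block against the individual detection lines."""
    stats, actions = parsed["stats"], parsed["actions"]
    renamed = sum(n for action, n in actions.items() if "Renamed" in action)
    return stats.get("Renamed") == renamed and stats.get("Submitted") == submitted_total(actions)


# Constructed subset of the report lines pasted above (not the full 181-entry list);
# the Statistics figures are constructed to match this subset.
SAMPLE_REPORT = r"""
Backdoor.Win32.IRCBot.aro (virus)
C:\WINDOWS\Fonts\Setup.exe (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\awtsr_c44.VIR (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\TMAS_OEMon.exe (Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\A0005795.RB0 (Renamed & Submitted)
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\ctfmon.RB0 (Renamed & Submitted)
Statistics
Actions:
Disinfected: 0
Renamed: 4
Deleted: 0
None: 1
Submitted: 5
Files not scanned:
C:\DOCUMENTS AND SETTINGS\STEVED\LOCAL SETTINGS\TEMP\~DF5802.TMP
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(f"live detections      : {len(parsed['live'])}")
    for path in parsed["live"]:
        print("  needs attention:", path)
    print(f"quarantined leftovers: {len(parsed['quarantined'])}")
    print("statistics consistent:", report_is_consistent(parsed))
```

Paste the full report into SAMPLE_REPORT and the "live detections" list is the short list worth acting on; the quarantined leftovers are what emptying the two folders removes. The consistency check catches a truncated paste, where the Statistics block no longer matches the lines above it.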

#12 stevefrmoz

stevefrmoz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 15 January 2008 - 05:16 AM

I have put the original Windows disk in and selected upgrade.
The PC is still slow. What other logs can I send?
I appreciate your time.

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 15 January 2008 - 07:37 AM

Download Combofix by sUBs again and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#14 stevefrmoz

stevefrmoz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 17 January 2008 - 04:50 AM

Hi Richie,
Logs as requested:
ComboFix 08-01-09.2 - steved 2008-01-16 19:09:43.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.158 [GMT 10:00]
Running from: C:\Documents and Settings\steved\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-16 19:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 20:50 . 2007-04-15 01:30 6,181,376 --a------ C:\WINDOWS\system32\vistaui.exe
2008-01-14 20:50 . 2006-12-11 01:15 498,176 --a------ C:\WINDOWS\system32\logon.scr
2008-01-14 20:50 . 2007-11-25 22:11 49,208 --a------ C:\WINDOWS\system32\vistartup.bmp
2008-01-14 20:46 . 2008-01-14 20:46 76,214 --a------ C:\WINDOWS\Icon_4.ico
2008-01-14 11:27 . 2008-01-14 11:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-14 11:27 . 2008-01-14 11:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-13 21:51 . 2008-01-13 21:52 4,030 --a------ C:\fix.reg
2008-01-13 21:27 . 2006-10-05 00:06 1,197,294 -----c--- C:\WINDOWS\system32\DllCache\sysmain.sdb
2008-01-13 21:27 . 2006-10-05 00:06 764,868 -----c--- C:\WINDOWS\system32\DllCache\apph_sp.sdb
2008-01-13 21:27 . 2006-10-05 00:06 217,118 -----c--- C:\WINDOWS\system32\DllCache\apphelp.sdb
2008-01-13 15:00 . 2006-10-12 21:09 256,512 -----c--- C:\WINDOWS\system32\DllCache\agentsvr.exe
2008-01-13 15:00 . 2006-10-13 00:02 42,496 -----c--- C:\WINDOWS\system32\DllCache\agentdp2.dll
2008-01-13 14:07 . 2008-01-13 14:07 76,214 --a------ C:\WINDOWS\Icon_3.ico
2008-01-13 13:22 . 2008-01-13 13:22 78,942 --a------ C:\WINDOWS\Icon_2.ico
2008-01-13 13:14 . 2007-10-11 09:55 6,065,664 -----c--- C:\WINDOWS\system32\DllCache\ieframe.dll
2008-01-13 13:14 . 2007-07-01 13:31 2,455,488 -----c--- C:\WINDOWS\system32\DllCache\ieapfltr.dat
2008-01-13 13:14 . 2007-07-01 13:36 991,232 -----c--- C:\WINDOWS\system32\DllCache\ieframe.dll.mui
2008-01-13 13:14 . 2007-10-11 09:55 459,264 -----c--- C:\WINDOWS\system32\DllCache\msfeeds.dll
2008-01-13 13:14 . 2007-10-11 09:55 383,488 -----c--- C:\WINDOWS\system32\DllCache\ieapfltr.dll
2008-01-13 13:14 . 2007-10-11 09:55 267,776 -----c--- C:\WINDOWS\system32\DllCache\iertutil.dll
2008-01-13 13:14 . 2007-10-11 09:55 63,488 -----c--- C:\WINDOWS\system32\DllCache\icardie.dll
2008-01-13 13:14 . 2007-10-11 09:55 52,224 -----c--- C:\WINDOWS\system32\DllCache\msfeedsbs.dll
2008-01-13 13:14 . 2007-10-10 20:59 13,824 -----c--- C:\WINDOWS\system32\DllCache\ieudinit.exe
2008-01-13 12:56 . 2006-08-21 19:14 128,896 -----c--- C:\WINDOWS\system32\DllCache\fltmgr.sys
2008-01-13 12:56 . 2006-08-21 19:14 23,040 -----c--- C:\WINDOWS\system32\DllCache\fltmc.exe
2008-01-13 12:56 . 2006-08-21 22:21 16,896 -----c--- C:\WINDOWS\system32\DllCache\fltlib.dll
2008-01-13 12:52 . 2006-10-18 21:47 2,450,944 -----c--- C:\WINDOWS\system32\DllCache\wmvcore.dll
2008-01-13 12:52 . 2007-07-09 23:16 582,656 -----c--- C:\WINDOWS\system32\DllCache\rpcrt4.dll
2008-01-13 12:26 . 2008-01-13 12:26 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-13 12:26 . 2008-01-13 12:26 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-13 12:26 . 2008-01-13 12:26 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-13 12:26 . 2008-01-13 12:26 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-13 12:26 . 2008-01-13 12:26 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-13 12:26 . 2008-01-13 12:26 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-13 12:16 . 2002-08-29 22:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-13 12:16 . 2002-08-29 22:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-13 12:16 . 2008-01-13 22:16 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-13 10:12 . 2008-01-13 10:12 <DIR> d-------- C:\Program Files\Belarc
2008-01-13 10:12 . 2005-04-07 16:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-01-12 22:00 . 2008-01-15 20:29 <DIR> d-------- C:\Documents and Settings\steved\Application Data\skypePM
2008-01-12 22:00 . 2008-01-12 22:00 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-12 21:59 . 2008-01-12 21:59 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-12 21:59 . 2008-01-12 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\WINDOWS\srchasst
2008-01-06 17:52 . 2008-01-06 17:52 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-04 14:04 . 2008-01-14 11:03 <DIR> d-------- C:\Program Files\Incomplete
2008-01-04 13:31 . 2008-01-04 13:31 <DIR> d-------- C:\Program Files\CCleaner
2008-01-04 12:57 . 2008-01-04 13:14 <DIR> d-------- C:\Documents and Settings\steved\Contacts
2008-01-04 12:51 . 2008-01-08 18:44 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-04 10:48 . 2008-01-04 10:48 <DIR> d-------- C:\Documents and Settings\steved\LimeWire Store Purchased
2008-01-02 10:21 . 2008-01-02 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-02 10:21 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-02 10:21 . 2007-09-18 00:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-02 10:21 . 2007-09-18 00:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-02 10:20 . 2008-01-04 16:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\MSECache
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\IE Doctor
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-01 18:33 . 2007-12-30 12:42 211 --a------ C:\TISSupBI.bak
2007-12-28 12:24 . 2007-12-28 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-26 20:16 . 2008-01-02 10:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-26 18:40 . 2006-11-08 18:51 62,336 --a------ C:\WINDOWS\system32\drivers\rspndr.sys
2007-12-26 18:40 . 2006-11-08 18:51 10,752 --a------ C:\WINDOWS\system32\rspndr.exe
2007-12-26 13:33 . 2007-12-26 13:44 <DIR> d-------- C:\New Folder (2)
2007-12-26 11:35 . 2007-12-26 11:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 17:25 . 2007-12-25 17:25 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Earthsim
2007-12-24 13:07 . 2008-01-04 16:24 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-12-24 12:25 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-24 12:25 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-24 11:34 . 2008-01-02 10:06 <DIR> d-------- C:\Documents and Settings\steved\.housecall6.6
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\WINDOWS\Sun
2007-12-24 10:34 . 2008-01-14 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 10:22 . 2007-12-24 10:22 <DIR> d--h----- C:\BJPrinter
2007-12-24 10:22 . 2003-02-28 14:30 100,352 --a------ C:\WINDOWS\system32\CNMLM50.DLL
2007-12-24 10:22 . 2003-02-28 14:30 5,632 --a------ C:\WINDOWS\system32\CNMVS50.DLL
2007-12-24 10:19 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Program Files\iTunes
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Program Files\iPod
2007-12-24 10:06 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Apple Computer
2007-12-24 10:05 . 2008-01-08 18:44 <DIR> d-------- C:\Program Files\QuickTime
2007-12-24 10:05 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-24 10:04 . 2008-01-04 13:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-24 10:04 . 2007-12-24 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-24 10:04 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-24 09:49 . 2008-01-13 22:12 <DIR> dr-hsc--- C:\WINDOWS\system32\DllCache
2007-12-24 09:46 . 2007-12-24 09:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-24 09:03 . 2007-12-24 09:03 <DIR> d-------- C:\Documents and Settings\steved\Application Data\ViStart
2007-12-24 09:01 . 2007-12-24 09:01 <DIR> d-------- C:\Documents and Settings\steved\Application Data\Styler
2007-12-24 09:00 . 2008-01-14 20:50 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2007-12-24 09:00 . 2008-01-13 13:25 <DIR> d-------- C:\Program Files\Styler
2007-12-24 09:00 . 2007-11-30 05:56 329,029 --a------ C:\WINDOWS\system32\viwc.exe
2007-12-24 08:57 . 2007-12-24 08:57 78,942 --a------ C:\WINDOWS\Icon_1.ico
2007-12-24 08:56 . 2008-01-14 20:51 <DIR> d-------- C:\WINDOWS\system32\VITrans
2007-12-24 08:56 . 2008-01-14 20:52 <DIR> d-------- C:\VTPFiles
2007-12-24 08:56 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 10:51 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-01-04 01:37 118,342 ----a-w C:\WINDOWS\Fonts\x.zip
2007-12-25 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Earthsim
2007-12-23 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-11-07 09:50 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 07:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 15:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-23 15:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-23 15:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-23 15:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-07 21:17 1393928]
"HpMmKbd"="HpMmKbd.exe" [2002-02-08 14:16 147456 C:\WINDOWS\system32\HPMMKBD.EXE]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 57344 C:\WINDOWS\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]
"nlpo_01"="advpack.dll" [2007-10-11 09:55 124928 C:\WINDOWS\system32\advpack.dll]
"nlpo_02"="advpack.dll" [2007-10-11 09:55 124928 C:\WINDOWS\system32\advpack.dll]
"nlpo_04"="advpack.dll" [2007-10-11 09:55 124928 C:\WINDOWS\system32\advpack.dll]
"nlpo_05"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlpo_11"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlpo_12"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlpo_13"="advpack.dll" [2007-10-11 09:55 124928 C:\WINDOWS\system32\advpack.dll]
"nlpo_14"="advpack.dll" [2007-10-11 09:55 124928 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-04 00:56 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]

R3 hpmmkbd;HP Extended Keyboard;C:\WINDOWS\system32\DRIVERS\hpmmkbd.sys [1999-09-29 09:40]
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 13:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 13:25]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 05:11:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 01:37:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-12-30 01:37:02 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 19:12:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 19:12:51
ComboFix-quarantined-files.txt 2008-01-16 09:12:49
.
2008-01-13 11:58:29 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:43 PM, on 16/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\HpMmKbd.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Administrator\Start Menu\Programs\utilites\HijackThis\Copy of HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200192196307
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198395571953
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7175 bytes
How are we going?
Regards, Steve

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 17 January 2008 - 08:48 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished, it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

Also post a new Hijackthis log, and let me know how your pc is running now.
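The O4 entries RichieUK lists for fixing are exactly the RunOnce entries from the HijackThis log above. As an added example (not part of either post, and not HijackThis code), here is a small parser for O4 lines that splits each into hive, SID, key, value name, command and user, so the RunOnce entries can be picked out mechanically instead of by eye. The sample lines are copied from the log above; the regex and helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A handful of O4/O8 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
"""

# Shape of a registry-based O4 line:
#   O4 - <hive>[\<sid>]\..\<Run|RunOnce|...>: [<name>] <command> [(User '<user>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)"
    r"(?:\\(?P<sid>S-[\d-]+|\.DEFAULT))?"
    r"\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass
class AutostartEntry:
    hive: str            # HKLM, HKCU, HKUS
    sid: Optional[str]   # S-1-5-19 etc. or .DEFAULT; None for HKLM/HKCU
    key: str             # Run, RunOnce, RunServices, ...
    name: str            # registry value name shown in [brackets]
    command: str         # command line as HijackThis prints it
    user: Optional[str]  # account name HijackThis resolved for the SID


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one registry-based O4 line; other lines (O8, O4 Startup folders) return None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return AutostartEntry(m["hive"], m["sid"], m["key"], m["name"], m["cmd"], m["user"])


def parse_log(text: str) -> List[AutostartEntry]:
    return [e for e in map(parse_o4, text.splitlines()) if e is not None]


def runonce_entries(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """The entries a reviewer would check first: RunOnce values, which should vanish after one boot."""
    return [e for e in entries if e.key.lower() == "runonce"]


def by_key(entries: List[AutostartEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.key] = counts.get(e.key, 0) + 1
    return counts
```

Running `runonce_entries(parse_log(SAMPLE_LOG))` on the full log reproduces RichieUK's fix list, which is a quick way to check that nothing was missed when copying lines into HijackThis.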