Need Help With Notedad And (probably) Much More


This topic is locked
26 replies to this topic

#1 pat666 (Members, 58 posts)

Posted 04 January 2008 - 02:38 AM

Hello all:
This may be a lost cause, but I'm hoping someone can help me clean all the stuff that found its way onto my son's PC! I was referred to this forum from my previous post started Jan. 2. I think we exhausted the possibilities there.

We first noticed a lot of pop-ups when we were on the net. Since then a yellow triangle with an exclamation point in it has shown up in the tray and continually pops up a message which says the PC is infected and I need up-to-date antispyware that it will download for me; the exact message is in that first post. I found that I can get rid of the icon by looking at the processes running and killing the one that shouldn't be there. It's always a gibberish string of letters, and the name changes with each restart of the PC.

I've also noticed that text file properties have been changed to "open with Notedad", and if I change it to Notepad it will change back to Notedad, even in safe mode. When the PC starts, PC-cillin pops up a window that says it found a trojan, Worm Sober.B, and says it has cleaned it, but the next time we start the PC that same window will appear with the same trojan name. Also, I ran msconfig and looked in the Startup tab, and there are a couple of things that I don't remember being there before (I might be mistaken though): Spydefender and iexplorer.dll. I did a search on the PC for Spydefender and found nothing.

I have run HouseCall online and let it remove everything it found. Since then we have not been on the internet with it; I am on a second PC for these posts. Since taking the PC offline I have run: SUPERAntiSpyware, AdAware, PC-cillin, VundoFix, a-squared Free, Stinger, SmitfraudFix, SDFix, ATF Cleaner and, of course, HijackThis, although just to create the log file.

I'm sorry this post is so long, but I wanted to be as thorough as possible.

Thanks for your help. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:10 PM, on 1/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Cpqs\Scom\srmclean.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\WayneM\Application Data\ejqnshi.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AMV Convert Tool... - F:\Program files\Mp3 player\AMVConverter\grab.html
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcddeb - efcddeb.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

--
End of file - 10570 bytes



#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Vancouver (not BC) WA (Not DC) USA)

Posted 04 January 2008 - 06:53 PM

Hello pat666,

Looks like you have several nasty infections on this computer so this will take several steps.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************
Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\WayneM\Application Data\ejqnshi.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O20 - Winlogon Notify: efcddeb - efcddeb.dll (file missing)
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)



*******************************************

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\IExplorer.dll
    C:\Documents and Settings\WayneM\Application Data\ejqnshi.exe
    C:\Program Files\SpyDefender Pro\SpyDefender.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option, OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new HijackThis log and the OTMoveIt log, and tell me how your computer is running.
We still have the nasty whataboutadog infection to remove.

Edited by SifuMike, 04 January 2008 - 07:01 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 pat666 (Topic Starter, Members, 58 posts)

Posted 05 January 2008 - 03:22 AM

Thanks for helping me SifuMike.

The computer seems to be running fine after following your directions. The annoying icon in the tray and the pop-up warning message are gone. Everything looks great! I don't know if this is important, but when I was fixing the items you gave me in HijackThis, the entry O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt was not there, and I haven't changed anything since the first log was posted. Other than that everything went perfectly. Below are the OTMoveIt results and the new HijackThis log.

OTMoveIt results:

File/Folder C:\WINDOWS\System32\IExplorer.dll not found.
C:\Documents and Settings\WayneM\Application Data\ejqnshi.exe moved successfully.
File/Folder C:\Program Files\SpyDefender Pro\SpyDefender.exe not found.

Created on 01/05/2008 01:43:16

******************************************************************************

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:02 AM, on 1/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Cpqs\Scom\srmclean.exe
C:\WINDOWS\System32\PSDrvCheck.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Logitech\ImageStudio\ISStart.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AMV Convert Tool... - F:\Program files\Mp3 player\AMVConverter\grab.html
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

--
End of file - 9099 bytes

*******************************************************************************

I am ready for the next step! :thumbsup:
By the way, what is "whataboutadog"?

#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Vancouver (not BC) WA (Not DC) USA)

Posted 05 January 2008 - 01:44 PM

Hello pat666,

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled it, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O3 - Toolbar: (no name) - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)



Let's delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box into Notepad.
Save it to your desktop, make sure the file type is All Files, and name it FixServices.bat


@echo off
rem Stop the orphaned service, then remove its registration from the Service Control Manager.
sc stop msCMTSrvc
sc delete msCMTSrvc
exit

Double click FixServices.bat. A window will open and close. This is normal.

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

*******************************************

Reboot your computer and post a new HijackThis log.

By the way, what is "whataboutadog"?


These two items in your log show the whataboutadog infection, caused by the AWF trojan.
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com

It replaces legitimate files that are common on most computers with infected files. We will deal with that shortly.

Edited by SifuMike, 05 January 2008 - 01:46 PM.

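The triage SifuMike does by eye in posts #2 and #4 (entries marked "(file missing)" or "(no file)", the same IESet value planted in every Run hive, an autorun launched out of Application Data, the two Trusted Zone additions) can be mechanised, and so can the before/after comparison pat666 did by hand when he noticed an entry had vanished between logs. The script below is an added example written for this page, not code from the thread or from HijackThis: the flagging rules are the editor's own assumptions (a value name present in three or more hives, a command line under Application Data, a SearchAssistant pointed off microsoft.com, any O15 entry), the two sample logs are constructed from lines that appear in this thread, and a flagged entry is a candidate for review, not a verdict.

```python
"""Heuristic triage of a HijackThis log plus a before/after diff.

Added example: the rules below are assumptions made for illustration, not
HijackThis's own logic. The sample logs are constructed from entries that
appear in this thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command" style lines; R0/R1 browser settings too.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Splits an O4 body into registry hive, value name and command line.
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run(?:Services)?: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
HIVE_THRESHOLD = 3  # assumption: a value name in 3+ hives was planted, not installed


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def parse_entries(log_text):
    """Return (kind, body, raw_line) for every Rx/Ox entry; skip header and process list."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("kind"), m.group("body"), raw))
    return entries


def triage(log_text):
    """Flag entries worth a second look, in log order."""
    entries = parse_entries(log_text)
    # First pass: in how many distinct hives does each Run value name appear?
    hives_by_name = defaultdict(set)
    for kind, body, _ in entries:
        m = RUN_RE.match(body) if kind == "O4" else None
        if m:
            hives_by_name[m.group("name")].add(m.group("hive"))
    findings = []
    for kind, body, raw in entries:
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned: target file is gone")
        if kind in ("R0", "R1") and "SearchAssistant" in body and "microsoft.com" not in body.lower():
            reasons.append("search assistant redirected off microsoft.com")
        if kind == "O4":
            m = RUN_RE.match(body)
            if m:
                hives = hives_by_name[m.group("name")]
                if len(hives) >= HIVE_THRESHOLD:
                    reasons.append("same autorun value planted in %d hives" % len(hives))
                if "\\Application Data\\" in m.group("cmd"):
                    reasons.append("autorun launched from a user profile directory")
        if kind == "O15":
            reasons.append("domain added to IE Trusted Zone (relaxed security for that site)")
        if reasons:
            findings.append(Finding(raw, "; ".join(reasons)))
    return findings


def removed_entries(before_log, after_log):
    """Entries in the first log that no longer appear in the second."""
    after = {raw for _, _, raw in parse_entries(after_log)}
    return [raw for _, _, raw in parse_entries(before_log) if raw not in after]


# Constructed sample: a subset of the thread's first log (before the fix).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\WayneM\Application Data\ejqnshi.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O15 - Trusted Zone: *.whataboutadog.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcddeb - efcddeb.dll (file missing)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed sample: the same machine after the IESet, ejqnshi and efcddeb fixes.
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O15 - Trusted Zone: *.whataboutadog.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print("FLAG  %-70.70s  %s" % (f.line, f.reason))
    print("removed by the fix:")
    for line in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("  " + line)
```

Run against the constructed BEFORE_LOG it flags ten entries (the seekerbar SearchAssistant, the five IESet values, the ejqnshi autorun, the Trusted Zone entry, and the two orphaned O20/O23 items) and leaves the NVIDIA and SUPERAntiSpyware lines alone; the diff against AFTER_LOG lists exactly the seven lines the fix removed, which is the check to run on a poster's second log before deciding the next step.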

#5 pat666 (Topic Starter, Members, 58 posts)

Posted 05 January 2008 - 05:18 PM

I checked for Viewpoint Manager and it does not appear in "Add or Remove Programs", nor is there a folder for it. I did a search for the file viewpoint and found Viewpoint.exe in C:\Program files\AIM95\Sysfiles. I deleted the file, although my son uses AIM and my understanding is that AOL will download it automatically if not found; very disturbing.

In HijackThis I did fix one additional entry that I assumed you meant to list. 04-HKLM\...\run: [viewmgr] C:\Program files\Viewpoint\viewpoint Manager\viewmgr.exe. I hope that was okay and won't mess things up.


Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:04 PM, on 1/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Cpqs\Scom\srmclean.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AMV Convert Tool... - F:\Program files\Mp3 player\AMVConverter\grab.html
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

--
End of file - 8218 bytes


Thanks. I hope it's starting to look better!

#6 SifuMike (malware expert)
  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:33 PM

Posted 05 January 2008 - 05:53 PM

Hi pat666,

In HijackThis I did fix one additional entry that I assumed you meant to list. 04-HKLM\...\run: [viewmgr] C:\Program files\Viewpoint\viewpoint Manager\viewmgr.exe. I hope that was okay and won't mess things up.


That is OK.



Now we start removing the AWF (whataboutadog) malware.

Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 05 January 2008 - 05:56 PM.


#7 pat666
  • Topic Starter
  • Members
  • 58 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 05 January 2008 - 07:58 PM

Hi SifuMike:

Here's the report from FindAWF. Keep doing your magic!


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 01/05/2008
The current time is: 18:51:47.04


bak folders found
~~~~~~~~~~~


Directory of C:\CPQS\SCOM\BAK

07/24/2001 03:34 PM 36,864 srmclean.exe
1 File(s) 36,864 bytes

Directory of C:\PROGRA~1\MIF2B0~1\BAK

07/13/2000 01:00 PM 311,350 WksSb.exe
1 File(s) 311,350 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/10/2004 03:26 PM 406,016 PSDrvCheck.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

09/11/2002 12:58 PM 155,648 ISStart.exe
09/11/2002 12:57 PM 45,056 LogiTray.exe
2 File(s) 200,704 bytes

Directory of C:\PROGRA~1\RAZER\COPPER~1\BAK

10/08/2005 04:27 PM 155,648 razerhid.exe
06/09/2007 07:33 PM 36 RazerTe.ini
2 File(s) 155,684 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

08/25/2006 11:25 AM 3,112,960 pccguide.exe
1 File(s) 3,112,960 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

08/18/2006 01:06 PM 315,392 TMAS_OEMon.exe
1 File(s) 315,392 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 4 2007 "C:\cpqs\scom\srmclean.exe"
36864 Jul 24 2001 "C:\cpqs\scom\bak\srmclean.exe"
28172 Oct 4 2007 "C:\Program Files\Microsoft Works\WksSb.exe"
311350 Jul 13 2000 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
311350 Jul 13 2000 "C:\Program Files\COMPAQ\Works6.0\PFiles\MSWorks\wkssb.exe"
28172 Oct 4 2007 "C:\WINDOWS\system32\PSDrvCheck.exe"
406016 Mar 10 2004 "C:\WINDOWS\system32\bak\PSDrvCheck.exe"
28172 Oct 4 2007 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Sep 11 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
28172 Oct 4 2007 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
45056 Sep 11 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
28172 Oct 4 2007 "C:\Program Files\Razer\Copperhead\razerhid.exe"
155648 Oct 8 2005 "C:\Program Files\Razer\Copperhead\bak\razerhid.exe"
4230 Apr 4 2007 "C:\Program Files\Razer\Copperhead\RazerTe.ini"
36 Jun 9 2007 "C:\Program Files\Razer\Copperhead\bak\RazerTe.ini"
819262 Nov 25 2005 "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
3112960 Aug 25 2006 "C:\Program Files\Trend Micro\Internet Security 2007\bak\pccguide.exe"
315392 Aug 18 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak\TMAS_OEMon.exe"


end of report

#8 SifuMike (malware expert)
  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:33 PM

Posted 05 January 2008 - 10:21 PM

Hi pat666,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\cpqs\scom\bak\srmclean.exe"
"C:\Program Files\Microsoft Works\bak\WksSb.exe"
"C:\WINDOWS\system32\bak\PSDrvCheck.exe"
"C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
"C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
"C:\Program Files\Razer\Copperhead\bak\razerhid.exe"
"C:\Program Files\Trend Micro\Internet Security 2007\bak\pccguide.exe"
"C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak\TMAS_OEMon.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply

Edited by SifuMike, 05 January 2008 - 10:22 PM.

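An added example, not part of the thread and not noahdfear's FindAWF code: a Python script that applies the same pairing logic FindAWF uses to the "Duplicate files of bak directory contents" section of the report pat666 posted above. It parses each line, pairs every file under a bak\ folder with the same file name one level up, flags parents that are missing or differ in size, reports the single size shared by the replaced executables (the hallmark of this infection SifuMike described earlier, where legitimate files are swapped for infected copies), and builds the quoted list of bak\ paths that goes into files.txt for option 2. The function names, the rule that only .exe mismatches go on the restore list (other mismatches are set aside for a human decision), and the embedded sample input, copied from the report above, are this example's own choices.

```python
import re
from collections import Counter

# Sample input: the "Duplicate files of bak directory contents" section of the
# FindAWF report posted earlier in the thread, embedded here so the script runs
# offline. Format per line: <size> <Mon> <day> <year> "<path>".
SAMPLE_REPORT = r'''
28172 Oct 4 2007 "C:\cpqs\scom\srmclean.exe"
36864 Jul 24 2001 "C:\cpqs\scom\bak\srmclean.exe"
28172 Oct 4 2007 "C:\Program Files\Microsoft Works\WksSb.exe"
311350 Jul 13 2000 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
311350 Jul 13 2000 "C:\Program Files\COMPAQ\Works6.0\PFiles\MSWorks\wkssb.exe"
28172 Oct 4 2007 "C:\WINDOWS\system32\PSDrvCheck.exe"
406016 Mar 10 2004 "C:\WINDOWS\system32\bak\PSDrvCheck.exe"
28172 Oct 4 2007 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Sep 11 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
28172 Oct 4 2007 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
45056 Sep 11 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
28172 Oct 4 2007 "C:\Program Files\Razer\Copperhead\razerhid.exe"
155648 Oct 8 2005 "C:\Program Files\Razer\Copperhead\bak\razerhid.exe"
4230 Apr 4 2007 "C:\Program Files\Razer\Copperhead\RazerTe.ini"
36 Jun 9 2007 "C:\Program Files\Razer\Copperhead\bak\RazerTe.ini"
819262 Nov 25 2005 "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
3112960 Aug 25 2006 "C:\Program Files\Trend Micro\Internet Security 2007\bak\pccguide.exe"
315392 Aug 18 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak\TMAS_OEMon.exe"
'''

LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"$')


def parse_report(text):
    """Map lower-cased path -> (size, date, path as written). Windows paths are
    case-insensitive, so the lower-cased key is what the pairing is done on."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size, mon, day, year, path = m.groups()
            entries[path.lower()] = (int(size), f"{mon} {day} {year}", path)
    return entries


def pair_with_parent(entries):
    """For every file under a bak\\ folder, look up the same file name one level
    up and classify it: parent matches, differs in size, or is missing."""
    findings = []
    for key, (bak_size, bak_date, bak_path) in entries.items():
        folder, _, name = key.rpartition('\\')
        if not folder.endswith('\\bak'):
            continue
        parent_key = folder[:-len('\\bak')] + '\\' + name
        parent = entries.get(parent_key)
        if parent is None:
            status, parent_size = 'parent missing', None
        elif parent[0] != bak_size:
            status, parent_size = 'parent differs', parent[0]
        else:
            status, parent_size = 'parent matches', parent[0]
        orig_name = bak_path[-len(name):]          # file name with original case
        findings.append({
            'bak_path': bak_path,
            'parent_path': bak_path[:-len(name) - len('bak\\')] + orig_name,
            'bak_size': bak_size,
            'parent_size': parent_size,
            'status': status,
        })
    return findings


def suspected_rogue_size(findings):
    """The hallmark described in the thread: one stub of identical size sits in
    place of every hijacked executable. Returns (size, count) for the size seen
    most often among differing parents, or (None, 0) if there are none."""
    sizes = Counter(f['parent_size'] for f in findings if f['status'] == 'parent differs')
    return sizes.most_common(1)[0] if sizes else (None, 0)


def restore_list(findings):
    """Quoted bak\\ paths for files.txt: executables whose parent copy is missing
    or differs. Limiting this to .exe is this example's own rule; any other
    mismatch is handed back by needs_review() for a human decision."""
    return ['"%s"' % f['bak_path'] for f in findings
            if f['status'] != 'parent matches' and f['bak_path'].lower().endswith('.exe')]


def needs_review(findings):
    """Mismatched non-executables (config files and the like) that should not be
    overwritten blindly."""
    return [f['bak_path'] for f in findings
            if f['status'] != 'parent matches' and not f['bak_path'].lower().endswith('.exe')]


if __name__ == '__main__':
    found = pair_with_parent(parse_report(SAMPLE_REPORT))
    for f in found:
        print(f"{f['status']:15} {f['parent_path']} (bak {f['bak_size']}, parent {f['parent_size']})")
    size, count = suspected_rogue_size(found)
    print(f"\n{count} replaced executables share size {size}")
    print("\nfiles.txt restore list:")
    print("\n".join(restore_list(found)))
    print("\nneeds manual review:", needs_review(found))
```

Run against the report above it produces the same eight quoted paths SifuMike pasted into files.txt, reports that six replaced executables share the 28172-byte size, and sets RazerTe.ini aside because a size change in a configuration file is not on its own evidence of replacement. The bak\ copies of pccguide.exe and TMAS_OEMon.exe are listed because no counterpart exists in their parent folders at all, which is the "rogue file absent, original still in bak" case FindAWF's option 2 also handles.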

#9 pat666
  • Topic Starter
  • Members
  • 58 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 06 January 2008 - 12:22 AM

Hi SifuMike:

Here is the new FindAWF log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sat 01/05/2008
The current time is: 23:15:35.39


bak folders found
~~~~~~~~~~~


Directory of C:\CPQS\SCOM\BAK

07/24/2001 03:34 PM 36,864 srmclean.exe
1 File(s) 36,864 bytes

Directory of C:\PROGRA~1\MIF2B0~1\BAK

07/13/2000 01:00 PM 311,350 WksSb.exe
1 File(s) 311,350 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/10/2004 03:26 PM 406,016 PSDrvCheck.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

09/11/2002 12:58 PM 155,648 ISStart.exe
09/11/2002 12:57 PM 45,056 LogiTray.exe
2 File(s) 200,704 bytes

Directory of C:\PROGRA~1\RAZER\COPPER~1\BAK

10/08/2005 04:27 PM 155,648 razerhid.exe
06/09/2007 07:33 PM 36 RazerTe.ini
2 File(s) 155,684 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

08/25/2006 11:25 AM 3,112,960 pccguide.exe
1 File(s) 3,112,960 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

08/18/2006 01:06 PM 315,392 TMAS_OEMon.exe
1 File(s) 315,392 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

36864 Jul 24 2001 "C:\cpqs\scom\srmclean.exe"
36864 Jul 24 2001 "C:\cpqs\scom\bak\srmclean.exe"
311350 Jul 13 2000 "C:\Program Files\Microsoft Works\WksSb.exe"
311350 Jul 13 2000 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
311350 Jul 13 2000 "C:\Program Files\COMPAQ\Works6.0\PFiles\MSWorks\wkssb.exe"
406016 Mar 10 2004 "C:\WINDOWS\system32\PSDrvCheck.exe"
406016 Mar 10 2004 "C:\WINDOWS\system32\bak\PSDrvCheck.exe"
155648 Sep 11 2002 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Sep 11 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
45056 Sep 11 2002 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
45056 Sep 11 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
155648 Oct 8 2005 "C:\Program Files\Razer\Copperhead\razerhid.exe"
155648 Oct 8 2005 "C:\Program Files\Razer\Copperhead\bak\razerhid.exe"
4230 Apr 4 2007 "C:\Program Files\Razer\Copperhead\RazerTe.ini"
36 Jun 9 2007 "C:\Program Files\Razer\Copperhead\bak\RazerTe.ini"
3112960 Aug 25 2006 "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
819262 Nov 25 2005 "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
3112960 Aug 25 2006 "C:\Program Files\Trend Micro\Internet Security 2007\bak\pccguide.exe"
315392 Aug 18 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
315392 Aug 18 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak\TMAS_OEMon.exe"


end of report

#10 SifuMike (malware expert)
  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:33 PM

Posted 06 January 2008 - 11:34 AM

Hi pat666,

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer  <==== Important



Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\cpqs\scom\bak
C:\Program Files\Microsoft Works\bak
C:\WINDOWS\system32\bak
C:\Program Files\Logitech\ImageStudio\bak
C:\Program Files\Razer\Copperhead\bak
C:\Program Files\Trend Micro\Internet Security 2007\bak
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply

#11 pat666
  • Topic Starter
  • Members
  • 58 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 06 January 2008 - 01:08 PM

Hi SifuMike,

Here is the new log from FindAWF. It's awfully short (short is good, I hope):


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 01/06/2008
The current time is: 12:01:09.93


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#12 SifuMike (malware expert)
  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:33 PM

Posted 06 January 2008 - 01:52 PM

Hi pat666,

Good job. :blink:

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

I think we have killed the AWF infection. :thumbsup:

Let's run ComboFix.

Disable your Trend Micro antivirus, as it will prevent ComboFix from working.


You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Do not run Combofix more than once.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

#13 pat666
  • Topic Starter
  • Members
  • 58 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 06 January 2008 - 02:52 PM

Hi SifuMike:

Light at the end of the tunnel! Here are the new reports.

Combofix:

ComboFix 08-01-07.1 - WayneM 2008-01-06 13:34:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.641 [GMT -6:00]
Running from: C:\Documents and Settings\WayneM\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\WayneM\Application Data\PPPATC~1
C:\Documents and Settings\WayneM\Application Data\PPPATC~1\?ppPatch\
C:\Program Files\Common Files\ymante~1
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_NPF
-------\core
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-06 13:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 23:15 . 2004-03-10 15:26 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2008-01-05 01:25 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\jzcshanaka.exe
2008-01-05 01:10 . 2008-01-05 01:10 <DIR> d-------- C:\Program Files\CCleaner
2008-01-04 21:53 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\tmwqq.exe
2008-01-04 01:19 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\ejj.exe
2008-01-03 15:44 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\cygjabnm.exe
2008-01-03 15:32 . 2008-01-03 15:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-03 15:15 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\jwzui.exe
2008-01-03 00:30 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\pfvp.exe
2008-01-02 23:14 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\xfmyj.exe
2008-01-02 22:56 . 2008-01-02 23:10 4,012 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-02 18:23 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\vqpheqwa.exe
2008-01-02 18:15 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\xyxgut.exe
2008-01-02 17:29 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\guh.exe
2008-01-02 07:59 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\sponxttisgt.exe
2008-01-02 07:54 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\buhfs.exe
2008-01-02 00:56 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\ywao.exe
2008-01-01 22:20 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\edwzqzeyyoef.exe
2008-01-01 22:15 . 2008-01-02 00:42 <DIR> d-------- C:\Program Files\a-squared Free
2008-01-01 19:04 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\pdvafrecgwpc.exe
2008-01-01 16:27 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\jsscrbnri.exe
2008-01-01 16:17 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\tzkctluwmfme.exe
2008-01-01 16:09 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-01 16:00 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\pjcwm.exe
2008-01-01 14:00 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\qwkkfs.exe
2008-01-01 10:55 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\cripne.exe
2008-01-01 10:53 . 2008-01-01 10:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-01-01 07:46 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\zzchj.exe
2008-01-01 02:50 . 2008-01-01 02:50 19,456 --a------ C:\winzfhw.exe
2008-01-01 02:50 . 2008-01-01 02:50 19,456 --a------ C:\Documents and Settings\WayneM\Application Data\cjpehl.exe
2007-12-27 21:32 . 2007-12-27 21:32 15 --a------ C:\WINDOWS\FB87-62C2-2E26-52EB.dat
2007-12-27 10:44 . 2007-12-27 10:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-27 03:20 . 2007-12-27 03:20 <DIR> d-------- C:\Documents and Settings\WayneM\Application Data\DivX
2007-12-27 00:24 . 2007-12-27 00:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-26 23:52 . 2007-12-26 23:52 <DIR> d-------- C:\VundoFix Backups
2007-12-26 14:19 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-23 21:15 . 2008-01-01 02:49 20,480 --a------ C:\WINDOWS\quit.exe
2007-12-22 23:31 . 2007-12-27 11:52 <DIR> d--hs---- C:\WINDOWS\Ym9i
2007-12-22 23:31 . 2007-12-23 00:09 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-22 23:31 . 2007-12-23 00:09 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-22 23:31 . 2007-12-26 15:22 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-22 23:31 . 2008-01-03 20:35 <DIR> d-------- C:\Temp
2007-12-16 13:15 . 2007-12-21 13:49 16 --a------ C:\WINDOWS\popcinfot.dat
2007-12-16 13:15 . 2007-12-16 13:15 0 --a------ C:\WINDOWS\popcreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 18:01 --------- d-----w C:\Program Files\Microsoft Works
2008-01-04 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 06:36 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-01 22:24 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 19:18 --------- d-----w C:\Program Files\MSN Messenger
2008-01-01 08:50 --------- d-----w C:\Documents and Settings\WayneM\Application Data\Xfire
2007-12-27 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-27 09:20 --------- d-----w C:\Program Files\DivX
2007-12-27 01:34 --------- d-----w C:\Documents and Settings\WayneM\Application Data\Registry Booster
2007-12-20 22:00 --------- d-s---w C:\Program Files\Xfire
2007-11-29 22:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-29 22:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-16 22:58 --------- d-----w C:\Program Files\Ventrilo
2007-11-16 22:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 18:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2005-09-25 07:26 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 13:06 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 15:34 36864]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2004-03-10 15:26 406016]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" [2005-11-25 20:51 819262]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [ ]
"nwiz"="nwiz.exe" [2004-10-29 15:50 921600 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 15:50 86016]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 15:50 4620288]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [ ]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 13:00 311350]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 12:57 45056]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 12:58 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"CARPService"="carpserv.exe" [2002-07-08 18:37 4608 C:\WINDOWS\system32\carpserv.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-09-28 11:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPort.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"LVCOMS"=C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE

R2 BCMNTIO;BCMNTIO;F:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 MAPMEM;MAPMEM;F:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R3 C4C_BSC2;C4C_BSC2;C:\WINDOWS\System32\DRIVERS\C4C_BSC2.sys [2002-07-08 18:32]
R3 SaiH8000;SaiH8000;C:\WINDOWS\System32\DRIVERS\SaiH8000.sys [2004-07-29 20:25]
S3 asbp2poa;asbp2poa;C:\DOCUME~1\WayneM\LOCALS~1\Temp\asbp2poa.sys []
S3 DCamUSBNW800;CIF USB Camera (2110);C:\WINDOWS\System32\DRIVERS\pcam800.sys [2002-08-06 03:47]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\DUBE100.sys [2002-07-30 13:51]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\System32\DRIVERS\nuvvid2.sys [2001-12-03 11:55]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-06-10 14:16]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\System32\Drivers\Razerlow.sys [2005-08-12 10:11]
S4 AloPort;AloPort;C:\WINDOWS\System32\Drivers\AloPort.sys [1617-12-04 00:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 13:37:43
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.1106]
-> C:\WINDOWS\system32\xfire_lsp_10650.dll
.
Completion time: 2008-01-07 13:39:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 19:39:07



HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:19 PM, on 1/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AMV Convert Tool... - F:\Program files\Mp3 player\AMVConverter\grab.html
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

--
End of file - 8116 bytes
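The HijackThis log above is the kind of thing a helper reads by eye, but the same triage can be scripted. The following is an added example written for this thread; it is not part of HijackThis and was not posted by anyone in the discussion. It parses the section prefixes HijackThis uses (R0/R1 browser settings, O4 Run keys, O10 Winsock LSPs, O23 services) over a subset of lines copied from the log above and applies a handful of review heuristics that are the author's own assumptions (the trusted-host list, the "suspect" Run directories, the O23 wording checks). A finding means "look at this", not "this is malware".

```python
"""Triage a HijackThis 2.x log: pull out the entries an analyst should read first.

Added example for this thread; not part of HijackThis and not posted by either
participant. TRUSTED_HOSTS and SUSPECT_RUN_DIRS are assumptions, and a Finding
means "review this", not "malicious".
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    code: str    # HijackThis section prefix, e.g. "O23"
    reason: str  # short tag naming the rule that fired
    line: str    # the log line that triggered it


# Hosts an IE search/start-page value may legitimately point at (assumption).
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "live.com")
# Directories a machine-wide Run entry should not normally execute from (assumption).
SUSPECT_RUN_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

_ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def _url_host_trusted(value: str) -> bool:
    """True when the value holds no URL, or its host is under TRUSTED_HOSTS."""
    m = _HOST_RE.search(value)
    if not m:
        return True
    host = m.group(1).lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen_lsp = set()  # HijackThis repeats one LSP DLL once per Winsock catalog entry
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank and "End of file" lines
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.endswith("ProxyServer") and value.strip():
                findings.append(Finding(code, "proxy_set", line))
            elif not _url_host_trusted(value):
                findings.append(Finding(code, "untrusted_url", line))
        elif code == "O4":
            if any(d in body.lower() for d in SUSPECT_RUN_DIRS):
                findings.append(Finding(code, "run_from_user_dir", line))
        elif code == "O10" and "Unknown file" in body:
            dll = body.rsplit(":", 1)[-1].strip().lower()
            if dll not in seen_lsp:
                seen_lsp.add(dll)
                findings.append(Finding(code, "unknown_lsp", line))
        elif code == "O23":
            if "(file missing)" in body:
                findings.append(Finding(code, "service_file_missing", line))
            elif "Unknown owner" in body:
                findings.append(Finding(code, "service_unknown_owner", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(f.reason for f in findings))


# Lines copied from the HijackThis log above (a subset; the real log is longer).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason:22} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Two caveats a practitioner would apply to the output. The six repeated O10 lines collapse to one finding because HijackThis lists the same DLL once per Winsock catalog entry, and "Unknown file" only means HijackThis does not recognise the name; this one matches the Xfire gaming client, so the next step is to check the file's publisher, not to remove it (an LSP chain edited by hand breaks networking). Likewise "Unknown owner" on O23 means the service binary carries no company name, which is true of WinPcap's rpcapd as well as of malware; the "(file missing)" services are orphaned registrations that can simply be deleted.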

#14 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 06 January 2008 - 04:31 PM

Hi pat666,

Boy, this computer was really infected! But we are making progress.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File::
C:\Documents and Settings\WayneM\Application Data\jzcshanaka.exe 
C:\Documents and Settings\WayneM\Application Data\tmwqq.exe
C:\Documents and Settings\WayneM\Application Data\ejj.exe
C:\Documents and Settings\WayneM\Application Data\cygjabnm.exe
C:\Documents and Settings\WayneM\Application Data\jwzui.exe
C:\Documents and Settings\WayneM\Application Data\pfvp.exe
C:\Documents and Settings\WayneM\Application Data\xfmyj.exe
C:\Documents and Settings\WayneM\Application Data\vqpheqwa.exe
C:\Documents and Settings\WayneM\Application Data\xyxgut.exe
C:\Documents and Settings\WayneM\Application Data\guh.exe
C:\Documents and Settings\WayneM\Application Data\sponxttisgt.exe
C:\Documents and Settings\WayneM\Application Data\buhfs.exe
C:\Documents and Settings\WayneM\Application Data\ywao.exe
C:\Documents and Settings\WayneM\Application Data\edwzqzeyyoef.exe
C:\Documents and Settings\WayneM\Application Data\pdvafrecgwpc.exe
C:\Documents and Settings\WayneM\Application Data\jsscrbnri.exe
C:\Documents and Settings\WayneM\Application Data\tzkctluwmfme.exe
C:\Documents and Settings\WayneM\Application Data\pjcwm.exe
C:\Documents and Settings\WayneM\Application Data\qwkkfs.exe
C:\Documents and Settings\WayneM\Application Data\cripne.exe
C:\Documents and Settings\WayneM\Application Data\zzchj.exe
C:\winzfhw.exe
C:\Documents and Settings\WayneM\Application Data\cjpehl.exe
C:\WINDOWS\FB87-62C2-2E26-52EB.dat
C:\WINDOWS\quit.exe

Folder:: 
C:\VundoFix Backups
C:\WINDOWS\Ym9i
C:\WINDOWS\system32\to9
C:\WINDOWS\system32\dj2
C:\WINDOWS\system32\ardCo02


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 pat666 (Topic Starter, 58 posts)

Posted 06 January 2008 - 05:03 PM

Hello SifuMike.

I hope I wasn't too premature when I mentioned the "light". lol. Here are the new logs:


Combofix:

ComboFix 08-01-07.1 - WayneM 2008-01-07 15:50:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.677 [GMT -6:00]
Running from: C:\Documents and Settings\WayneM\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\WayneM\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\WayneM\Application Data\buhfs.exe
C:\Documents and Settings\WayneM\Application Data\cjpehl.exe
C:\Documents and Settings\WayneM\Application Data\cripne.exe
C:\Documents and Settings\WayneM\Application Data\cygjabnm.exe
C:\Documents and Settings\WayneM\Application Data\edwzqzeyyoef.exe
C:\Documents and Settings\WayneM\Application Data\ejj.exe
C:\Documents and Settings\WayneM\Application Data\guh.exe
C:\Documents and Settings\WayneM\Application Data\jsscrbnri.exe
C:\Documents and Settings\WayneM\Application Data\jwzui.exe
C:\Documents and Settings\WayneM\Application Data\jzcshanaka.exe
C:\Documents and Settings\WayneM\Application Data\pdvafrecgwpc.exe
C:\Documents and Settings\WayneM\Application Data\pfvp.exe
C:\Documents and Settings\WayneM\Application Data\pjcwm.exe
C:\Documents and Settings\WayneM\Application Data\qwkkfs.exe
C:\Documents and Settings\WayneM\Application Data\sponxttisgt.exe
C:\Documents and Settings\WayneM\Application Data\tmwqq.exe
C:\Documents and Settings\WayneM\Application Data\tzkctluwmfme.exe
C:\Documents and Settings\WayneM\Application Data\vqpheqwa.exe
C:\Documents and Settings\WayneM\Application Data\xfmyj.exe
C:\Documents and Settings\WayneM\Application Data\xyxgut.exe
C:\Documents and Settings\WayneM\Application Data\ywao.exe
C:\Documents and Settings\WayneM\Application Data\zzchj.exe
C:\WINDOWS\FB87-62C2-2E26-52EB.dat
C:\WINDOWS\quit.exe
C:\winzfhw.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\WayneM\Application Data\buhfs.exe
C:\Documents and Settings\WayneM\Application Data\cjpehl.exe
C:\Documents and Settings\WayneM\Application Data\cripne.exe
C:\Documents and Settings\WayneM\Application Data\cygjabnm.exe
C:\Documents and Settings\WayneM\Application Data\edwzqzeyyoef.exe
C:\Documents and Settings\WayneM\Application Data\ejj.exe
C:\Documents and Settings\WayneM\Application Data\guh.exe
C:\Documents and Settings\WayneM\Application Data\jsscrbnri.exe
C:\Documents and Settings\WayneM\Application Data\jwzui.exe
C:\Documents and Settings\WayneM\Application Data\jzcshanaka.exe
C:\Documents and Settings\WayneM\Application Data\pdvafrecgwpc.exe
C:\Documents and Settings\WayneM\Application Data\pfvp.exe
C:\Documents and Settings\WayneM\Application Data\pjcwm.exe
C:\Documents and Settings\WayneM\Application Data\qwkkfs.exe
C:\Documents and Settings\WayneM\Application Data\sponxttisgt.exe
C:\Documents and Settings\WayneM\Application Data\tmwqq.exe
C:\Documents and Settings\WayneM\Application Data\tzkctluwmfme.exe
C:\Documents and Settings\WayneM\Application Data\vqpheqwa.exe
C:\Documents and Settings\WayneM\Application Data\xfmyj.exe
C:\Documents and Settings\WayneM\Application Data\xyxgut.exe
C:\Documents and Settings\WayneM\Application Data\ywao.exe
C:\Documents and Settings\WayneM\Application Data\zzchj.exe
C:\VundoFix Backups
C:\WINDOWS\FB87-62C2-2E26-52EB.dat
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\ardCo02
C:\WINDOWS\system32\dj2
C:\WINDOWS\system32\to9
C:\WINDOWS\Ym9i
C:\winzfhw.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-06 13:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 23:15 . 2004-03-10 15:26 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2008-01-05 01:10 . 2008-01-05 01:10 <DIR> d-------- C:\Program Files\CCleaner
2008-01-03 15:32 . 2008-01-03 15:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-02 22:56 . 2008-01-02 23:10 4,012 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-01 22:15 . 2008-01-02 00:42 <DIR> d-------- C:\Program Files\a-squared Free
2008-01-01 16:09 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-01 10:53 . 2008-01-01 10:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2007-12-27 10:44 . 2007-12-27 10:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-27 03:20 . 2007-12-27 03:20 <DIR> d-------- C:\Documents and Settings\WayneM\Application Data\DivX
2007-12-27 00:24 . 2007-12-27 00:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-26 14:19 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-22 23:31 . 2008-01-03 20:35 <DIR> d-------- C:\Temp
2007-12-16 13:15 . 2007-12-21 13:49 16 --a------ C:\WINDOWS\popcinfot.dat
2007-12-16 13:15 . 2007-12-16 13:15 0 --a------ C:\WINDOWS\popcreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 18:01 --------- d-----w C:\Program Files\Microsoft Works
2008-01-04 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 06:36 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-01 22:24 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 19:18 --------- d-----w C:\Program Files\MSN Messenger
2008-01-01 08:50 --------- d-----w C:\Documents and Settings\WayneM\Application Data\Xfire
2007-12-27 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-27 09:20 --------- d-----w C:\Program Files\DivX
2007-12-27 01:34 --------- d-----w C:\Documents and Settings\WayneM\Application Data\Registry Booster
2007-12-20 22:00 --------- d-s---w C:\Program Files\Xfire
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-29 22:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-11-29 22:30 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-29 22:30 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-16 22:58 --------- d-----w C:\Program Files\Ventrilo
2007-11-16 22:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 18:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-11 18:14 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-27 23:31 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2005-09-25 07:26 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2002-11-30 06:19 36,788 ------w C:\WINDOWS\Cursors\pastcpuninst.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-07_13.38.47.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 19:34:23 262,144 ------w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2008-01-07 21:50:51 262,144 ------w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 13:06 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 15:34 36864]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2004-03-10 15:26 406016]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" [2005-11-25 20:51 819262]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [ ]
"nwiz"="nwiz.exe" [2004-10-29 15:50 921600 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 15:50 86016]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 15:50 4620288]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [ ]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 13:00 311350]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 12:57 45056]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 12:58 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"CARPService"="carpserv.exe" [2002-07-08 18:37 4608 C:\WINDOWS\system32\carpserv.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-09-28 11:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPort.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"LVCOMS"=C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE

R2 BCMNTIO;BCMNTIO;F:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 MAPMEM;MAPMEM;F:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R3 C4C_BSC2;C4C_BSC2;C:\WINDOWS\System32\DRIVERS\C4C_BSC2.sys [2002-07-08 18:32]
R3 SaiH8000;SaiH8000;C:\WINDOWS\System32\DRIVERS\SaiH8000.sys [2004-07-29 20:25]
S3 asbp2poa;asbp2poa;C:\DOCUME~1\WayneM\LOCALS~1\Temp\asbp2poa.sys []
S3 DCamUSBNW800;CIF USB Camera (2110);C:\WINDOWS\System32\DRIVERS\pcam800.sys [2002-08-06 03:47]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\DUBE100.sys [2002-07-30 13:51]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\System32\DRIVERS\nuvvid2.sys [2001-12-03 11:55]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-06-10 14:16]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\System32\Drivers\Razerlow.sys [2005-08-12 10:11]
S4 AloPort;AloPort;C:\WINDOWS\System32\Drivers\AloPort.sys [1617-12-04 00:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 15:54:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.1106]
-> C:\WINDOWS\system32\xfire_lsp_10650.dll
.
Completion time: 2008-01-07 15:55:08
ComboFix-quarantined-files.txt 2008-01-07 21:54:54
ComboFix2.txt 2008-01-07 19:39:36


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:04 PM, on 1/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AMV Convert Tool... - F:\Program files\Mp3 player\AMVConverter\grab.html
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

--
End of file - 7901 bytes
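The CFScript procedure in SifuMike's post and the ComboFix log pat666 posted in reply are two halves of one check: you list paths under File:: and Folder::, and afterwards the "Other Deletions" section of ComboFix.txt should list every one of them. The following is an added example for this thread, not part of ComboFix and not code either participant posted. It builds the script from path lists (stripping the trailing space that one line of the original script carried, and de-duplicating case-insensitively, since NTFS is case-insensitive), then parses a ComboFix log and reports any requested path that does not appear as deleted. The sample paths are a subset of SifuMike's list; the log excerpt is constructed to look like the one above, with one file deliberately left out so the report has something to say. The log parsing is a heuristic written for this example and assumes the banner layout ComboFix uses.

```python
"""Build a ComboFix CFScript.txt and confirm from ComboFix's log that every
requested path was removed. Added example for this thread; not part of ComboFix
and not posted by either participant. Assumes the 'File::' / 'Folder::' layout
from the post and the 'Other Deletions' banner in the log; the log parser is a
best-effort heuristic.
"""
from typing import Dict, Iterable, List, Set


def _clean(paths: Iterable[str]) -> List[str]:
    """Strip stray whitespace and drop case-insensitive duplicates."""
    out: List[str] = []
    seen: Set[str] = set()
    for p in paths:
        p = p.strip()
        if p and p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def build_cfscript(files: Iterable[str], folders: Iterable[str]) -> str:
    """Return CFScript text: a File:: block, then a Folder:: block."""
    blocks = []
    f, d = _clean(files), _clean(folders)
    if f:
        blocks.append("File::\n" + "\n".join(f))
    if d:
        blocks.append("Folder::\n" + "\n".join(d))
    return "\n\n".join(blocks) + "\n"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Inverse of build_cfscript: {'File': [...], 'Folder': [...]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def deleted_paths(combofix_log: str) -> Set[str]:
    """Paths under the 'Other Deletions' banner, lower-cased. The section ends
    at the next banner, which ComboFix draws with a run of '(' characters."""
    gone: Set[str] = set()
    in_section = False
    for line in combofix_log.splitlines():
        s = line.strip()
        if "Other Deletions" in s:
            in_section = True
        elif in_section:
            if s.startswith("(((("):
                break
            if s and s != ".":
                gone.add(s.lower())
    return gone


def verify(cfscript: str, combofix_log: str) -> Dict[str, List[str]]:
    """Per block, the requested paths the log does not show as deleted."""
    gone = deleted_paths(combofix_log)
    return {kind: [p for p in paths if p.lower() not in gone]
            for kind, paths in parse_cfscript(cfscript).items()}


# Subset of SifuMike's list; the trailing space on the first entry is from the post.
SAMPLE_FILES = [
    r"C:\Documents and Settings\WayneM\Application Data\jzcshanaka.exe ",
    r"C:\WINDOWS\quit.exe",
    r"C:\winzfhw.exe",
]
SAMPLE_FOLDERS = [r"C:\VundoFix Backups", r"C:\WINDOWS\Ym9i"]

# Constructed excerpt modelled on the ComboFix log in the thread; C:\winzfhw.exe
# is deliberately omitted so verify() has something to report.
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\WayneM\Application Data\jzcshanaka.exe
C:\VundoFix Backups
C:\WINDOWS\quit.exe
C:\WINDOWS\Ym9i

.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.
2008-01-06 13:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
"""

if __name__ == "__main__":
    script = build_cfscript(SAMPLE_FILES, SAMPLE_FOLDERS)
    print(script)
    for kind, missing in verify(script, SAMPLE_COMBOFIX_LOG).items():
        print(kind + ": " + ("all removed" if not missing else "NOT removed: " + ", ".join(missing)))
```

In the real log above the check passes: all 25 files and 5 folders from the script appear under "Other Deletions". The point of scripting it is the other case, where a path is missing from that list because a running process still holds the file or a driver re-creates it on boot; that is the entry to investigate rather than re-run blindly.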
