
Geeby.exe / Associated Dropper


  • This topic is locked
9 replies to this topic

#1 StarLion

StarLion

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 04 January 2008 - 10:04 AM

Between me manually removing some, and AVG scooping some of it off to the vault, I managed to get rid of some of the infection, but I think there's still some lurking as the system is still trying to load an odd-named .exe on bootup (o... something).

So, is there something obvious sticking out of this log I'm missing?

====
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:18 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\DAEMON Tools\daemon.exe
D:\program files\ncsoft\launcher\NCLauncher.exe
D:\Program Files\OpenOffice.org 2.2\program\soffice.exe
D:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [JeticoPFStartup] "E:\Program Files\Jetico\Jetico Personal Firewall\jpf.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [PlayNC Launcher] D:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = D:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187550732140
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187552899781
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BD413EA-96E8-4520-8BBC-1908D0CFAEB8}: NameServer = 85.255.115.102,85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{A51AC2AE-3708-472E-B189-79A76EF6A2B0}: NameServer = 85.255.115.102,85.255.112.178
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.102 85.255.112.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{8BD413EA-96E8-4520-8BBC-1908D0CFAEB8}: NameServer = 85.255.115.102,85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.102 85.255.112.178
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Jetico Personal Firewall server - Jetico, Inc. - E:\Program Files\Jetico\Jetico Personal Firewall\jpfsrv.exe
O23 - Service: NBService - Nero AG - D:\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9070 bytes

[EDIT: Helps if I put the WHOLE log up.]

Edited by StarLion, 04 January 2008 - 10:05 AM.
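As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script that applies the checks a helper would apply by eye to the log above: legacy win.ini load= entries (F3), O17 NameServer entries pointing at resolvers the machine has no reason to use, and O20 Winlogon Notify hooks. The sample lines are copied in shape from the OP's log; the rogue-DNS watchlist and the empty expected-resolver set are assumptions supplied by the analyst, not something HijackThis provides.

```python
"""Triage of HijackThis (HJT) log lines for the entry types that most often
carry persistence or DNS hijacking on a Windows XP machine of this era.
Added example; not part of the BleepingComputer thread or of HijackThis."""
import ipaddress
import re

# Analyst-supplied lists (assumptions for this example, not from HijackThis).
# 85.255.112.0/20 is the range the OP's O17 entries point at; it is on the
# watchlist because it was publicly reported at the time as rogue DNS
# infrastructure (DNSChanger). Replace with your own intel.
ROGUE_DNS_RANGES = [ipaddress.ip_network("85.255.112.0/20")]
# Resolvers this machine is expected to use (e.g. the ISP's). Empty here.
EXPECTED_DNS = set()

# Constructed sample: a handful of lines taken in shape from the OP's log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BD413EA-96E8-4520-8BBC-1908D0CFAEB8}: NameServer = 85.255.115.102,85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# HJT lines look like "<type> - <body>", e.g. "O17 - HKLM\...: NameServer = ..."
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


def classify_nameserver(ip_text):
    """Say whether a configured resolver is local, expected, rogue or unknown."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_private or ip.is_loopback:
        return "local"          # home router / LAN resolver
    if ip_text in EXPECTED_DNS:
        return "expected"       # the ISP's resolvers, if the analyst listed them
    if any(ip in net for net in ROGUE_DNS_RANGES):
        return "rogue"          # on the watchlist: treat as hijacked DNS
    return "unknown"            # public resolver the machine has no known reason to use


def triage_line(line):
    """Return (severity, kind, message) for a suspicious HJT line, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("F0", "F1", "F2", "F3"):
        # win.ini / system.ini load= and run= entries: a legacy autostart that
        # nothing modern needs, so anything listed here deserves analysis.
        return ("high", kind, "legacy ini autostart: " + body)
    if kind == "O17":
        _, _, servers = body.partition("NameServer =")
        verdicts = {}
        for ip_text in re.split(r"[,\s]+", servers.strip()):
            if ip_text:
                verdicts[ip_text] = classify_nameserver(ip_text)
        if "rogue" in verdicts.values():
            severity = "high"
        elif "unknown" in verdicts.values():
            severity = "review"
        else:
            return None     # only local / expected resolvers: nothing to flag
        return (severity, kind, "DNS servers " + str(verdicts))
    if kind == "O20":
        # Winlogon Notify DLLs load into winlogon.exe; third-party ones are rare,
        # so check the DLL's publisher before deciding.
        return ("review", kind, "Winlogon Notify DLL (verify publisher): " + body)
    return None


def triage_log(text):
    """Run triage_line over a whole log and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for severity, kind, message in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {kind}: {message}")
```

Run against the constructed sample it reports the F3 win.ini loader and the O17 entries as high and the O20 hook as review; the O4 entries pass because this script deliberately does not guess from file names alone. The O17 rule is the one worth keeping even without the watchlist: any resolver that is neither on the LAN nor one the owner recognises is a question to answer before trusting anything the browser shows.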



#2 StarLion

StarLion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 04 January 2008 - 10:20 AM

Additional: AVG just threw a virus alert up for CLIStart.exe.

[edit: okay... it apparently has started trying to attach itself to every exe I have, AVG's throwing up alerts all over.]

Edited by StarLion, 04 January 2008 - 10:25 AM.


#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:40 AM

Posted 04 January 2008 - 07:14 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 StarLion

StarLion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 04 January 2008 - 07:59 PM

Hi Sam

Here is my CF log... I should point out that during the reboot process, CF tried to run "swreg.cfexe" but failed.

ComboFix 08-01-04.1 - Marc 2008-01-04 19:49:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1066 [GMT -5:00]
Running from: C:\Documents and Settings\Marc\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\setup.exe
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lmllm.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 09:44 . 2008-01-04 09:44 0 --a------ C:\SDFix.exe
2008-01-04 09:08 . 2008-01-04 09:06 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-04 09:06 . 2008-01-04 09:19 <DIR> d-------- C:\Documents and Settings\Marc\.housecall6.6
2008-01-04 08:12 . 2008-01-04 08:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 07:59 . 2008-01-04 07:59 <DIR> d-------- C:\VundoFix Backups
2008-01-02 22:34 . 2008-01-02 22:34 <DIR> d-------- C:\Program Files\Ligos
2008-01-02 22:34 . 2000-06-23 14:05 136,704 --a------ C:\WINDOWS\system32\iacenc.dll
2008-01-02 22:34 . 2000-06-22 13:09 56,320 --------- C:\WINDOWS\system32\iyvu9_32.dll
2008-01-01 18:03 . 2008-01-01 18:03 6 --a------ C:\WINDOWS\WS_FTP.EXT
2008-01-01 18:03 . 2008-01-01 18:03 0 --a------ C:\WINDOWS\WS_FTP.CNV
2007-12-29 09:28 . 2007-12-29 09:28 0 --a------ C:\WINDOWS\system32\cmmgr32.exe
2007-12-29 09:22 . 2007-12-29 09:22 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\PopUpSentry.com
2007-12-29 09:18 . 2007-12-29 17:24 <DIR> d-------- C:\Program Files\PopUpSentry.com
2007-12-29 09:16 . 2007-12-29 09:16 5,376 --a------ C:\WINDOWS\system32\drivers\MS1000.sys
2007-12-29 01:06 . 2007-12-31 21:59 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-12-24 21:12 . 2007-12-24 21:12 <DIR> d-------- C:\Program Files\Homestar Runner Desktop Friends
2007-12-24 21:12 . 2007-12-24 21:12 <DIR> d--h----- C:\Program Files\Give4Free Plugin
2007-12-24 21:12 . 2007-12-24 21:12 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-12-18 08:48 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-12-18 08:48 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-12-18 08:48 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-18 08:48 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-18 08:48 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-18 08:48 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-18 08:47 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-18 08:47 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-12-18 08:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-18 08:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-14 18:25 . 2007-12-29 12:48 125 --a------ C:\WINDOWS\fd3.INI
2007-12-14 10:08 . 2007-12-14 10:13 <DIR> d-------- C:\Program Files\EDraw Flowchart
2007-12-13 21:16 . 2007-12-13 21:16 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2007-12-13 21:16 . 2007-12-13 21:16 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-13 21:12 . 2007-12-13 21:14 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2007-12-13 21:12 . 2007-12-13 21:12 <DIR> d-------- C:\Program Files\Microsoft SDKs
2007-12-13 20:34 . 2007-12-13 20:34 <DIR> d-------- C:\Documents and Settings\Marc\VSWebCache
2007-12-12 22:05 . 2007-12-12 22:07 62,117,443 --a------ C:\DATA2.CAB
2007-12-11 17:20 . 2007-12-11 17:20 <DIR> d-------- C:\Program Files\Room Arranger
2007-12-11 17:20 . 2007-12-11 17:20 <DIR> d-------- C:\Program Files\Common Files\ParallelGraphics
2007-12-10 19:11 . 2007-12-10 19:11 <DIR> d-------- C:\Program Files\Atomic Clock Sync
2007-12-10 11:04 . 2007-12-10 11:04 <DIR> d-------- C:\Program Files\Eltima Software
2007-12-09 10:49 . 2008-01-02 08:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-09 10:49 . 2007-12-09 10:49 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 00:54 --------- d-----w C:\Documents and Settings\Marc\Application Data\OpenOffice.org2
2008-01-05 00:38 --------- d-----w C:\Documents and Settings\Marc\Application Data\Azureus
2008-01-04 16:01 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-04 12:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-03 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-03 17:32 --------- d-----w C:\Program Files\Minilyrics
2007-12-29 17:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 06:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 03:35 --------- d-----w C:\Documents and Settings\Marc\Application Data\Xfire
2007-12-20 05:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-06 14:31 --------- d-----w C:\Program Files\Common Files\fabFORCE
2007-12-06 14:25 --------- d-----w C:\Program Files\MSN Games
2007-11-29 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-11-28 15:48 --------- d-----w C:\Documents and Settings\Marc\Application Data\Thunderbird
2007-11-26 01:22 --------- d-----w C:\Program Files\WinPcap
2007-11-26 01:21 --------- d-----w C:\Program Files\SoftByte Labs
2007-11-26 01:14 --------- d-----w C:\Program Files\Jocsoft
2007-11-25 17:34 --------- d-----w C:\Documents and Settings\Marc\Application Data\Sierra Entertainment
2007-11-25 16:41 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-25 16:38 --------- d-----w C:\Program Files\MagicISO
2007-11-25 16:24 --------- d-----w C:\Program Files\AGEIA Technologies
2007-11-22 14:38 --------- d-----w C:\Program Files\ProntoEdit4
2007-11-19 18:58 --------- d-----w C:\Documents and Settings\Marc\Application Data\Magic Set Editor
2007-11-18 13:48 --------- d-----w C:\Program Files\Magic Set Editor 2
2007-11-17 12:52 --------- d-----w C:\Documents and Settings\Marc\Application Data\AVG7
2007-11-13 20:17 --------- d-----w C:\Program Files\GameHack
2007-11-13 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm
2007-11-08 15:12 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-08 15:12 --------- d-----w C:\Program Files\Windows Live
2007-11-08 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-08 13:58 --------- d-----w C:\Documents and Settings\Marc\Application Data\LimeWire
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"Aim6"="" []
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 10:09 171464]
"PlayNC Launcher"="D:\program files\ncsoft\launcher\NCLauncher.exe" [2007-10-31 16:32 38128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"PopUpSentry"="C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:03 579072]
"JeticoPFStartup"="E:\Program Files\Jetico\Jetico Personal Firewall\jpf.exe" [2007-05-31 00:09 406520]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"WinampAgent"="E:\Program Files\Winamp\wianmpa.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:05 219136]

C:\Documents and Settings\Marc\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - D:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D8}"= C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSEHPS.DLL [2007-12-30 08:29 77824]
"{9F157D03-3DCC-4B4E-87CE-35F464BD3C3D}"= C:\WINDOWS\system32\opnnmkh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.DLL 2007-12-30 08:29 176128 C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.DLL

R1 bc_hash_f;BC_HASH_Filter;C:\WINDOWS\system32\drivers\bc_hash_f.sys [2007-05-16 22:56]
R1 SABDIFSV;SABDIFSV;C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABDIFSV.SYS [2005-09-26 14:08]
R1 SABKUTIL;SABKUTIL;C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABKUTIL.sys [2007-12-30 08:29]
R2 VProt2k;BroadJump PPPoE Helper Protocol;C:\WINDOWS\system32\DRIVERS\VProt2k.SYS [2003-05-10 14:18]
R3 BcfilterMP;BcfilterMP;C:\WINDOWS\system32\DRIVERS\bcfilter.sys [2007-05-16 22:58]
R3 VWan2k;BroadJump PPPoE Adapter;C:\WINDOWS\system32\DRIVERS\VWan2k.SYS [2003-05-10 14:19]
S2 Jetico Personal Firewall server;Jetico Personal Firewall server;"E:\Program Files\Jetico\Jetico Personal Firewall\jpfsrv.exe" [2007-05-31 19:55]
S3 Bcfilter;Jetico Personal Firewall Network Monitor;C:\WINDOWS\system32\DRIVERS\bcfilter.sys [2007-05-16 22:58]
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys [2007-12-29 09:16]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 19:01]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{824A81B1-E99C-49EB-9FA5-A4E4B0EAEC24}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {824A81B1-E99C-49EB-9FA5-A4E4B0EAEC24}
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 19:54:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 19:57:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 00:57:21
ComboFix2.txt 2007-08-22 22:47:23
.
2007-12-22 11:45:12 --- E O F ---

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:40 AM

Posted 05 January 2008 - 06:47 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9F157D03-3DCC-4B4E-87CE-35F464BD3C3D}"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


How is your computer running now?

#6 StarLion

StarLion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 05 January 2008 - 08:24 AM

No reboot this time...

ComboFix 08-01-04.1 - Marc 2008-01-05 8:17:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.997 [GMT -5:00]
Running from: C:\Documents and Settings\Marc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marc\Desktop\CFScript
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 09:44 . 2008-01-04 09:44 0 --a------ C:\SDFix.exe
2008-01-04 09:08 . 2008-01-04 09:06 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-04 09:06 . 2008-01-04 09:19 <DIR> d-------- C:\Documents and Settings\Marc\.housecall6.6
2008-01-04 08:12 . 2008-01-04 08:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 07:59 . 2008-01-05 04:58 <DIR> d-------- C:\VundoFix Backups
2008-01-02 22:34 . 2008-01-02 22:34 <DIR> d-------- C:\Program Files\Ligos
2008-01-02 22:34 . 2000-06-23 14:05 136,704 --a------ C:\WINDOWS\system32\iacenc.dll
2008-01-02 22:34 . 2000-06-22 13:09 56,320 --------- C:\WINDOWS\system32\iyvu9_32.dll
2008-01-01 18:03 . 2008-01-01 18:03 6 --a------ C:\WINDOWS\WS_FTP.EXT
2008-01-01 18:03 . 2008-01-01 18:03 0 --a------ C:\WINDOWS\WS_FTP.CNV
2007-12-29 09:28 . 2007-12-29 09:28 0 --a------ C:\WINDOWS\system32\cmmgr32.exe
2007-12-29 09:22 . 2007-12-29 09:22 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\PopUpSentry.com
2007-12-29 09:18 . 2007-12-29 17:24 <DIR> d-------- C:\Program Files\PopUpSentry.com
2007-12-29 09:16 . 2007-12-29 09:16 5,376 --a------ C:\WINDOWS\system32\drivers\MS1000.sys
2007-12-29 01:06 . 2007-12-31 21:59 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-12-24 21:12 . 2007-12-24 21:12 <DIR> d-------- C:\Program Files\Homestar Runner Desktop Friends
2007-12-24 21:12 . 2007-12-24 21:12 <DIR> d--h----- C:\Program Files\Give4Free Plugin
2007-12-24 21:12 . 2007-12-24 21:12 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-12-18 08:48 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-12-18 08:48 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-12-18 08:48 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-18 08:48 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-18 08:48 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-18 08:48 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-18 08:47 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-18 08:47 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-12-18 08:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-18 08:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-14 18:25 . 2007-12-29 12:48 125 --a------ C:\WINDOWS\fd3.INI
2007-12-14 10:08 . 2007-12-14 10:13 <DIR> d-------- C:\Program Files\EDraw Flowchart
2007-12-13 21:16 . 2007-12-13 21:16 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2007-12-13 21:16 . 2007-12-13 21:16 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-13 21:12 . 2007-12-13 21:14 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2007-12-13 21:12 . 2007-12-13 21:12 <DIR> d-------- C:\Program Files\Microsoft SDKs
2007-12-13 20:34 . 2007-12-13 20:34 <DIR> d-------- C:\Documents and Settings\Marc\VSWebCache
2007-12-12 22:05 . 2007-12-12 22:07 62,117,443 --a------ C:\DATA2.CAB
2007-12-11 17:20 . 2007-12-11 17:20 <DIR> d-------- C:\Program Files\Room Arranger
2007-12-11 17:20 . 2007-12-11 17:20 <DIR> d-------- C:\Program Files\Common Files\ParallelGraphics
2007-12-10 19:11 . 2007-12-10 19:11 <DIR> d-------- C:\Program Files\Atomic Clock Sync
2007-12-10 11:04 . 2007-12-10 11:04 <DIR> d-------- C:\Program Files\Eltima Software
2007-12-09 10:49 . 2008-01-02 08:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-09 10:49 . 2007-12-09 10:49 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 13:16 --------- d-----w C:\Documents and Settings\Marc\Application Data\Azureus
2008-01-05 13:12 --------- d-----w C:\Program Files\Minilyrics
2008-01-05 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-05 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-05 00:54 --------- d-----w C:\Documents and Settings\Marc\Application Data\OpenOffice.org2
2008-01-04 16:01 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-03 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-29 17:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 06:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 03:35 --------- d-----w C:\Documents and Settings\Marc\Application Data\Xfire
2007-12-20 05:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-06 14:31 --------- d-----w C:\Program Files\Common Files\fabFORCE
2007-12-06 14:25 --------- d-----w C:\Program Files\MSN Games
2007-11-29 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-11-28 15:48 --------- d-----w C:\Documents and Settings\Marc\Application Data\Thunderbird
2007-11-26 01:22 --------- d-----w C:\Program Files\WinPcap
2007-11-26 01:21 --------- d-----w C:\Program Files\SoftByte Labs
2007-11-26 01:14 --------- d-----w C:\Program Files\Jocsoft
2007-11-25 17:34 --------- d-----w C:\Documents and Settings\Marc\Application Data\Sierra Entertainment
2007-11-25 16:41 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-25 16:38 --------- d-----w C:\Program Files\MagicISO
2007-11-25 16:24 --------- d-----w C:\Program Files\AGEIA Technologies
2007-11-22 14:38 --------- d-----w C:\Program Files\ProntoEdit4
2007-11-19 18:58 --------- d-----w C:\Documents and Settings\Marc\Application Data\Magic Set Editor
2007-11-18 13:48 --------- d-----w C:\Program Files\Magic Set Editor 2
2007-11-17 12:52 --------- d-----w C:\Documents and Settings\Marc\Application Data\AVG7
2007-11-13 20:17 --------- d-----w C:\Program Files\GameHack
2007-11-13 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm
2007-11-08 15:12 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-08 15:12 --------- d-----w C:\Program Files\Windows Live
2007-11-08 13:58 --------- d-----w C:\Documents and Settings\Marc\Application Data\LimeWire
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-11 14:55 88,576 ----a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-11 14:55 579,584 ----a-w C:\WINDOWS\system32\icardagt.exe
2007-10-11 14:55 11,776 ----a-w C:\WINDOWS\system32\icardres.dll
2007-10-09 18:03 779,800 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 18:03 73,752 ----a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 18:03 493,080 ----a-w C:\WINDOWS\system32\evr.dll
2007-10-09 18:03 350,744 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 18:03 33,304 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 18:03 161,304 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 18:03 106,520 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 18:03 1,986,072 ----a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 17:58 16,896 ----a-w C:\WINDOWS\system32\tswpfwrp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"Aim6"="" []
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 10:09 171464]
"PlayNC Launcher"="D:\program files\ncsoft\launcher\NCLauncher.exe" [2007-10-31 16:32 38128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"PopUpSentry"="C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:03 579072]
"JeticoPFStartup"="E:\Program Files\Jetico\Jetico Personal Firewall\jpf.exe" [2007-05-31 00:09 406520]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"WinampAgent"="E:\Program Files\Winamp\wianmpa.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:05 219136]

C:\Documents and Settings\Marc\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - D:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D8}"= C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSEHPS.DLL [2007-12-30 08:29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.DLL 2007-12-30 08:29 176128 C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.DLL

R1 bc_hash_f;BC_HASH_Filter;C:\WINDOWS\system32\drivers\bc_hash_f.sys [2007-05-16 22:56]
R1 SABDIFSV;SABDIFSV;C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABDIFSV.SYS [2005-09-26 14:08]
R1 SABKUTIL;SABKUTIL;C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABKUTIL.sys [2007-12-30 08:29]
R2 VProt2k;BroadJump PPPoE Helper Protocol;C:\WINDOWS\system32\DRIVERS\VProt2k.SYS [2003-05-10 14:18]
R3 BcfilterMP;BcfilterMP;C:\WINDOWS\system32\DRIVERS\bcfilter.sys [2007-05-16 22:58]
R3 VWan2k;BroadJump PPPoE Adapter;C:\WINDOWS\system32\DRIVERS\VWan2k.SYS [2003-05-10 14:19]
S2 Jetico Personal Firewall server;Jetico Personal Firewall server;"E:\Program Files\Jetico\Jetico Personal Firewall\jpfsrv.exe" [2007-05-31 19:55]
S3 Bcfilter;Jetico Personal Firewall Network Monitor;C:\WINDOWS\system32\DRIVERS\bcfilter.sys [2007-05-16 22:58]
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys [2007-12-29 09:16]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 19:01]

*Newly Created Service* - WLSETUPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{824A81B1-E99C-49EB-9FA5-A4E4B0EAEC24}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {824A81B1-E99C-49EB-9FA5-A4E4B0EAEC24}
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 08:20:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> E:\Program Files\Taskbar Hide\hook.dll
.
Completion time: 2008-01-05 8:20:48
ComboFix-quarantined-files.txt 2008-01-05 13:20:46
ComboFix2.txt 2008-01-05 00:57:24
ComboFix3.txt 2007-08-22 22:47:23
.
2007-12-22 11:45:12 --- E O F ---

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 January 2008 - 07:40 AM

How is your computer running now?

Please post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 StarLion

  • Topic Starter
  • Members
  • 6 posts

Posted 06 January 2008 - 09:00 AM

Have had no virus alerts recently, which I can only assume means that whatever was dropping/attaching the virus has been silenced...
Don't see anything obvious hiding in the HJT log, either...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:29 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\Program Files\DAEMON Tools\daemon.exe
D:\program files\ncsoft\launcher\NCLauncher.exe
D:\Program Files\OpenOffice.org 2.2\program\soffice.exe
D:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Taskbar Hide\TaskBar.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\mIRC\mirc.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
D:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Marc\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Marc\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [JeticoPFStartup] "E:\Program Files\Jetico\Jetico Personal Firewall\jpf.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [PlayNC Launcher] D:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = D:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187550732140
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187552899781
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BD413EA-96E8-4520-8BBC-1908D0CFAEB8}: NameServer = 85.255.115.102,85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{A51AC2AE-3708-472E-B189-79A76EF6A2B0}: NameServer = 85.255.115.102,85.255.112.178
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.102 85.255.112.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{8BD413EA-96E8-4520-8BBC-1908D0CFAEB8}: NameServer = 85.255.115.102,85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.102 85.255.112.178
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Jetico Personal Firewall server - Jetico, Inc. - E:\Program Files\Jetico\Jetico Personal Firewall\jpfsrv.exe
O23 - Service: NBService - Nero AG - D:\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9683 bytes

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 January 2008 - 09:10 AM

We're not quite done yet.

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) along with a new hijackthis log.
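The O17 lines in the HijackThis log posted above set NameServer to the same two external addresses on both the per-adapter keys and the global Tcpip\Parameters key, which is the kind of DNS change a log reader should pull out and check rather than wave through. The script below is an added example, not code from the thread or from HijackThis: it parses the O17 entries out of an HJT log and flags every resolver that is neither on a caller-supplied allowlist nor a local (RFC 1918/loopback) address. The two O17 sample lines are copied from the log; the 192.168.1.1 line and its adapter GUID are constructed for contrast.

```python
import ipaddress
import re

# Constructed sample: the first two O17 lines are copied from the HijackThis
# log posted above; the 192.168.1.1 line is constructed as a contrast case.
# Non-O17 lines are included to show that other sections are ignored.
SAMPLE_HJT_LOG = r"""
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BD413EA-96E8-4520-8BBC-1908D0CFAEB8}: NameServer = 85.255.115.102,85.255.112.178
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.102 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-ADAPTER-GUID}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.DLL
"""

# An O17 line reads "O17 - <registry key>: NameServer = <resolver list>".
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [resolver, ...]), ...] for every O17 line.
    HijackThis prints the per-adapter value comma-separated and the global
    Tcpip\\Parameters value space-separated, so both separators are split."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def classify_resolver(addr, trusted):
    """'trusted' if allowlisted, 'local' for RFC 1918/loopback (a home router
    or similar), 'unexpected' for anything else, including non-IP values."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unexpected"
    if str(ip) in trusted:
        return "trusted"
    if ip.is_private or ip.is_loopback:
        return "local"
    return "unexpected"


def audit_o17(log_text, trusted_resolvers):
    """Return [(registry_key, resolver), ...] for every resolver that is neither
    allowlisted nor local. A hit under the global Tcpip\\Parameters key is the
    one to act on first: a static NameServer there overrides what DHCP hands
    to the adapters, so every lookup on the box goes to that host."""
    trusted = set(trusted_resolvers)
    return [(key, s)
            for key, servers in parse_o17(log_text)
            for s in servers
            if classify_resolver(s, trusted) == "unexpected"]
```

With an empty allowlist (the poster did not say which resolvers the ISP assigns), `audit_o17(SAMPLE_HJT_LOG, [])` returns four hits, all for the two 85.255.x.x addresses, and nothing for the constructed 192.168.1.1 line.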

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 January 2008 - 05:24 PM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.