
Trojan Horse


This topic is locked.
18 replies to this topic

#1 kylan7950 (Members, 8 posts)

Posted 05 January 2008 - 07:19 AM

Pop-up ads while I'm on the internet, won't let me run antivirus program, Windows Explorer keeps shutting down, computer slower and not acting right!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:49 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
F:\My Music\iTunes\iTunes Music\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {ba2f2d5c-6b53-e7d8-8c64-37915de17935} - {53971ed5-1973-46c8-8d7e-35b6c5d2f2ab} - C:\WINDOWS\system32\tsmibuir.dll (file missing)
O2 - BHO: (no name) - {63A3E506-5108-4EEF-A372-47E69E7FB265} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\xxywvsr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\My Music\iTunes\iTunes Music\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7637 bytes

Edited by kylan7950, 05 January 2008 - 07:20 AM.



#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 05 January 2008 - 07:28 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 30 January 2008 - 09:40 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================

#4 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 31 January 2008 - 04:14 PM

Topic reopened.


========================================================

#5 kylan7950 (Topic Starter; Members, 8 posts)

Posted 31 January 2008 - 05:01 PM

Thanks for reopening.
Here is the combofix log

ComboFix 08-01-31.1 - Kylan Lewis 2008-01-30 20:12:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.311 [GMT -6:00]
Running from: C:\Documents and Settings\Kylan Lewis\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf . . . . failed to delete
C:\WINDOWS\Fonts\-
D:\Autorun.inf . . . . failed to delete
.
---- Previous Run -------
.
C:\Temp\bkR11
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\bistwfro.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dayncsud.ini
C:\WINDOWS\system32\hjixpujf.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\UpMedia
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-17 06:44 . 2008-01-17 06:44 <DIR> d-------- C:\Program Files\easetech
2008-01-15 17:10 . 2008-01-15 17:10 <DIR> d-------- C:\Program Files\iPod
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 22:24 . 2008-01-07 22:46 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-05 15:19 . 2008-01-26 19:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 15:19 . 2008-01-05 15:19 <DIR> d-------- C:\Documents and Settings\Kylan Lewis\Application Data\SUPERAntiSpyware.com
2008-01-05 15:19 . 2008-01-05 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 06:52 . 2008-01-05 06:52 <DIR> d-------- C:\Documents and Settings\Kylan Lewis\Application Data\Grisoft
2008-01-05 06:52 . 2008-01-05 06:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 06:52 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-05 05:56 . 2008-01-05 05:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 18:31 . 2008-01-04 18:31 0 --a------ C:\LOGF.tmp
2008-01-02 23:27 . 2008-01-02 23:27 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-01-02 23:26 . 2008-01-02 23:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\FileOpen
2008-01-02 23:25 . 2008-01-02 23:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\pdf995
2008-01-01 15:28 . 2008-01-01 15:28 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 15:28 . 2008-01-01 15:28 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 03:13 . 2008-01-01 03:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-01 03:13 . 2008-01-01 03:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 01:59 . 2008-01-01 02:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 19:21 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-12-28 19:07 . 2007-12-28 19:07 <DIR> d-------- C:\Documents and Settings\Kylan Lewis\Application Data\Uniblue
2007-12-20 03:20 . 2008-01-01 18:59 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-19 22:25 . 2008-01-27 01:46 <DIR> d-------- C:\Documents and Settings\Kylan Lewis\Incomplete
2007-12-19 22:24 . 2007-12-19 22:24 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-19 22:21 . 2007-12-19 22:21 134 --a------ C:\n.bat
2007-12-19 22:20 . 2007-12-19 22:20 <DIR> d-------- C:\WINDOWS\system32\daSgo05
2007-12-15 00:11 . 2008-01-15 17:07 <DIR> d-------- C:\Program Files\QuickTime
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-11 01:18 . 2007-12-11 01:18 <DIR> d-------- C:\Documents and Settings\Kylan Lewis\Application Data\FileOpen
2007-12-11 01:18 . 2007-12-11 01:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FileOpen
2007-12-11 01:16 . 2007-12-11 01:16 <DIR> d-------- C:\Program Files\FileOpen

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 02:19 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-30 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-26 21:31 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\LimeWire
2008-01-25 07:24 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\Move Networks
2008-01-05 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 00:33 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\U3
2008-01-03 19:48 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\HouseCall 6.6
2008-01-03 08:31 --------- d-----w C:\Program Files\Java
2008-01-03 05:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-02 01:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-29 01:14 --------- d-----w C:\Program Files\Common Files\KnifeEdge
2007-12-21 03:56 --------- d-----w C:\Program Files\Google
2007-12-20 04:22 --------- d-----w C:\Program Files\LimeWire
2007-12-20 04:22 --------- d-----w C:\Program Files\Incomplete
2007-12-17 05:55 --------- d-----w C:\Program Files\DivX
2007-12-11 19:46 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 19:46 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 19:46 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-11 07:15 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\AdobeUM
2006-11-20 21:33 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
----a-w		   313,472 2008-01-02 00:59:31  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		   344,064 2007-12-20 12:08:33  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			48,752 2008-01-02 00:59:11  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			68,856 2008-01-02 01:40:00  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			94,208 2008-01-02 00:58:54  C:\Program Files\HP\QuickPlay\QPService .exe
----a-w		   507,904 2008-01-02 00:59:08  C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
----a-w		   409,600 2008-01-02 00:58:54  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w		   253,000 2007-12-20 09:20:26  C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm .exe
----a-w		   105,544 2007-12-20 09:20:28  C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader .exe
----a-w		   286,720 2008-01-02 03:26:03  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   286,720 2008-01-02 07:12:36  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   286,720 2008-01-02 07:12:37  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   286,720 2008-01-02 07:12:39  C:\Program Files\QuickTime\qttask				.exe
----a-w		   286,720 2008-01-02 07:12:41  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   286,720 2008-01-02 07:12:43  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   286,720 2008-01-02 07:12:45  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   286,720 2008-01-02 07:12:46  C:\Program Files\QuickTime\qttask			.exe
----a-w		   286,720 2008-01-02 07:12:47  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   286,720 2008-01-02 07:12:49  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   286,720 2008-01-02 07:12:50  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   286,720 2008-01-02 07:12:51  C:\Program Files\QuickTime\qttask		.exe
----a-w		   286,720 2008-01-02 07:12:53  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   286,720 2008-01-02 07:12:54  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   286,720 2008-01-02 07:12:55  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   286,720 2008-01-02 07:12:56  C:\Program Files\QuickTime\qttask	.exe
----a-w		   286,720 2008-01-02 07:12:56  C:\Program Files\QuickTime\qttask   .exe
----a-w		   286,720 2008-01-02 07:12:58  C:\Program Files\QuickTime\qttask  .exe
----a-w		   286,720 2008-01-02 07:12:58  C:\Program Files\QuickTime\qttask .exe
----a-w		 1,460,560 2008-01-02 00:59:33  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			85,696 2008-01-02 00:59:10  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		   729,178 2008-01-02 00:58:54  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   158,208 2007-12-20 09:31:08  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-02 00:59:18  C:\WINDOWS\system32\ctfmon .exe
----a-w		   188,416 2008-01-02 00:58:56  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07 .exe


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53971ed5-1973-46c8-8d7e-35b6c5d2f2ab}]
C:\WINDOWS\system32\tsmibuir.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-01 21:26 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-01 21:26 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-01 21:26 1460560]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-01 21:25 729178]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2008-01-01 21:25 94208]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2008-01-01 21:25 409600]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2008-01-01 21:25 188416]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2008-01-01 21:25 507904]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-01 21:25 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2008-01-01 21:25 85696]
"TVTray"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="F:\My Music\iTunes\iTunes Music\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 16:25:20 97320]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-20 07:44:10 124912]
hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12 28672]
officejet 6100.lnk - C:\Program Files\HP\Digital Imaging\bin\hposol08.exe [2003-04-09 16:42:06 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Harmony Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Harmony Monitor.lnk
backup=C:\WINDOWS\pss\Harmony Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCLoader]
--a------ 2008-01-01 21:35 105544 C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--a------ 2008-01-01 21:26 253000 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 07:00]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 14:06]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\sustucam.sys []
S3 TridVid;ENUTV;C:\WINDOWS\system32\DRIVERS\TridVid.sys [2006-03-21 00:46]
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 13:20]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 13:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6675182a-bb25-11dc-bc81-0014a57ad9d9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b05550-4627-11dc-bbfc-000fb0f57c19}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e39b43d2-b7a2-11db-baf9-0014a57ad9d9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 20:50:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-28 05:09:11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1187666592.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 20:20:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\My Music\iTunes\iTunes Music\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2008-01-30 20:24:38 - machine was rebooted [Kylan Lewis]
ComboFix-quarantined-files.txt 2008-01-31 02:24:32
.
2008-01-09 21:56:49 --- E O F ---

#6 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 31 January 2008 - 05:15 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

Renv::
----a-w		   313,472 2008-01-02 00:59:31  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		   344,064 2007-12-20 12:08:33  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			48,752 2008-01-02 00:59:11  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			68,856 2008-01-02 01:40:00  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			94,208 2008-01-02 00:58:54  C:\Program Files\HP\QuickPlay\QPService .exe
----a-w		   507,904 2008-01-02 00:59:08  C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
----a-w		   409,600 2008-01-02 00:58:54  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w		   253,000 2007-12-20 09:20:26  C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm .exe
----a-w		   105,544 2007-12-20 09:20:28  C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader .exe
----a-w		   286,720 2008-01-02 03:26:03  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   286,720 2008-01-02 07:12:36  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   286,720 2008-01-02 07:12:37  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   286,720 2008-01-02 07:12:39  C:\Program Files\QuickTime\qttask				.exe
----a-w		   286,720 2008-01-02 07:12:41  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   286,720 2008-01-02 07:12:43  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   286,720 2008-01-02 07:12:45  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   286,720 2008-01-02 07:12:46  C:\Program Files\QuickTime\qttask			.exe
----a-w		   286,720 2008-01-02 07:12:47  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   286,720 2008-01-02 07:12:49  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   286,720 2008-01-02 07:12:50  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   286,720 2008-01-02 07:12:51  C:\Program Files\QuickTime\qttask		.exe
----a-w		   286,720 2008-01-02 07:12:53  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   286,720 2008-01-02 07:12:54  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   286,720 2008-01-02 07:12:55  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   286,720 2008-01-02 07:12:56  C:\Program Files\QuickTime\qttask	.exe
----a-w		   286,720 2008-01-02 07:12:56  C:\Program Files\QuickTime\qttask   .exe
----a-w		   286,720 2008-01-02 07:12:58  C:\Program Files\QuickTime\qttask  .exe
----a-w		   286,720 2008-01-02 07:12:58  C:\Program Files\QuickTime\qttask .exe
----a-w		 1,460,560 2008-01-02 00:59:33  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			85,696 2008-01-02 00:59:10  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		   729,178 2008-01-02 00:58:54  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   158,208 2007-12-20 09:31:08  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-02 00:59:18  C:\WINDOWS\system32\ctfmon .exe
----a-w		   188,416 2008-01-02 00:58:56  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07 .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53971ed5-1973-46c8-8d7e-35b6c5d2f2ab}]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe, as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 kylan7950

kylan7950
  • Topic Starter

  • Members
  • 8 posts

Posted 31 January 2008 - 08:35 PM

Info you requested:
HijackThis log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:41 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
F:\My Music\iTunes\iTunes Music\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\My Music\iTunes\iTunes Music\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9240 bytes



Combofix log

ComboFix 08-01-31.1 - Kylan Lewis 2008-01-31 19:11:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.277 [GMT -6:00]
Running from: C:\Documents and Settings\Kylan Lewis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kylan Lewis\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-30 23:45 . 2008-01-30 23:45 <DIR> d-------- C:\Program Files\FlyOrDie_Games
2008-01-30 23:45 . 2008-01-30 23:45 <DIR> d-------- C:\Program Files\Conduit
2008-01-30 20:20 . 2008-01-30 20:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-30 20:20 . 2008-01-30 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 06:44 . 2008-01-17 06:44 <DIR> d-------- C:\Program Files\easetech
2008-01-15 17:10 . 2008-01-15 17:10 <DIR> d-------- C:\Program Files\iPod
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 22:24 . 2008-01-07 22:46 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-05 15:19 . 2008-01-26 19:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 15:19 . 2008-01-05 15:19 <DIR> d-------- C:\Documents and Settings\Kylan Lewis\Application Data\SUPERAntiSpyware.com
2008-01-05 15:19 . 2008-01-05 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 06:52 . 2008-01-05 06:52 <DIR> d-------- C:\Documents and Settings\Kylan Lewis\Application Data\Grisoft
2008-01-05 06:52 . 2008-01-05 06:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 06:52 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-05 05:56 . 2008-01-05 05:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 18:31 . 2008-01-04 18:31 0 --a------ C:\LOGF.tmp
2008-01-02 23:27 . 2008-01-02 23:27 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-01-02 23:26 . 2008-01-02 23:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\FileOpen
2008-01-02 23:25 . 2008-01-02 23:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\pdf995
2008-01-01 15:28 . 2008-01-01 15:28 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 15:28 . 2008-01-01 15:28 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 03:13 . 2008-01-01 03:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-01 03:13 . 2008-01-01 03:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 01:59 . 2008-01-01 02:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 01:20 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-31 02:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-26 21:31 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\LimeWire
2008-01-25 07:24 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\Move Networks
2008-01-15 23:07 --------- d-----w C:\Program Files\QuickTime
2008-01-05 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 00:33 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\U3
2008-01-03 19:48 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\HouseCall 6.6
2008-01-03 08:31 --------- d-----w C:\Program Files\Java
2008-01-03 05:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-02 01:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-29 01:14 --------- d-----w C:\Program Files\Common Files\KnifeEdge
2007-12-29 01:07 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\Uniblue
2007-12-21 03:56 --------- d-----w C:\Program Files\Google
2007-12-20 04:22 --------- d-----w C:\Program Files\LimeWire
2007-12-20 04:22 --------- d-----w C:\Program Files\Incomplete
2007-12-20 04:21 134 ----a-w C:\n.bat
2007-12-17 05:55 --------- d-----w C:\Program Files\DivX
2007-12-11 19:46 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 19:46 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 19:46 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-11 07:18 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\FileOpen
2007-12-11 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\FileOpen
2007-12-11 07:16 --------- d-----w C:\Program Files\FileOpen
2007-12-11 07:15 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\AdobeUM
2006-11-20 21:33 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
<pre>
----a-w		   313,472 2008-01-02 00:59:31  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		   344,064 2007-12-20 12:08:33  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			48,752 2008-01-02 00:59:11  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			68,856 2008-01-02 01:40:00  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			94,208 2008-01-02 00:58:54  C:\Program Files\HP\QuickPlay\QPService .exe
----a-w		   507,904 2008-01-02 00:59:08  C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
----a-w		   409,600 2008-01-02 00:58:54  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w		   253,000 2007-12-20 09:20:26  C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm .exe
----a-w		   105,544 2007-12-20 09:20:28  C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader .exe
----a-w		   286,720 2008-01-02 03:26:03  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   286,720 2008-01-02 07:12:36  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   286,720 2008-01-02 07:12:37  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   286,720 2008-01-02 07:12:39  C:\Program Files\QuickTime\qttask				.exe
----a-w		   286,720 2008-01-02 07:12:41  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   286,720 2008-01-02 07:12:43  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   286,720 2008-01-02 07:12:45  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   286,720 2008-01-02 07:12:46  C:\Program Files\QuickTime\qttask			.exe
----a-w		   286,720 2008-01-02 07:12:47  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   286,720 2008-01-02 07:12:49  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   286,720 2008-01-02 07:12:50  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   286,720 2008-01-02 07:12:51  C:\Program Files\QuickTime\qttask		.exe
----a-w		   286,720 2008-01-02 07:12:53  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   286,720 2008-01-02 07:12:54  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   286,720 2008-01-02 07:12:55  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   286,720 2008-01-02 07:12:56  C:\Program Files\QuickTime\qttask	.exe
----a-w		   286,720 2008-01-02 07:12:56  C:\Program Files\QuickTime\qttask   .exe
----a-w		   286,720 2008-01-02 07:12:58  C:\Program Files\QuickTime\qttask  .exe
----a-w		   286,720 2008-01-02 07:12:58  C:\Program Files\QuickTime\qttask .exe
----a-w		 1,460,560 2008-01-02 00:59:33  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			85,696 2008-01-02 00:59:10  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		   729,178 2008-01-02 00:58:54  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   158,208 2007-12-20 09:31:08  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-02 00:59:18  C:\WINDOWS\system32\ctfmon .exe
----a-w		   188,416 2008-01-02 00:58:56  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07 .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53971ed5-1973-46c8-8d7e-35b6c5d2f2ab}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70a732af-f392-4ed8-823a-85fd644d4d92}]
2008-01-28 13:47 1555480 --a------ C:\Program Files\FlyOrDie_Games\tbFlyO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{70A732AF-F392-4ED8-823A-85FD644D4D92}

[HKEY_CLASSES_ROOT\clsid\{70a732af-f392-4ed8-823a-85fd644d4d92}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{70A732AF-F392-4ED8-823A-85FD644D4D92}"= C:\Program Files\FlyOrDie_Games\tbFlyO.dll [2008-01-28 13:47 1555480]

[HKEY_CLASSES_ROOT\clsid\{70a732af-f392-4ed8-823a-85fd644d4d92}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-01 21:26 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-01 21:26 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-01 21:26 1460560]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-01 21:25 729178]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2008-01-01 21:25 94208]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2008-01-01 21:25 409600]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2008-01-01 21:25 188416]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2008-01-01 21:25 507904]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-01 21:25 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2008-01-01 21:25 85696]
"TVTray"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="F:\My Music\iTunes\iTunes Music\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 16:25:20 97320]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-20 07:44:10 124912]
hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12 28672]
officejet 6100.lnk - C:\Program Files\HP\Digital Imaging\bin\hposol08.exe [2003-04-09 16:42:06 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Harmony Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Harmony Monitor.lnk
backup=C:\WINDOWS\pss\Harmony Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCLoader]
--a------ 2008-01-01 21:35 105544 C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--a------ 2008-01-01 21:26 253000 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 07:00]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 14:06]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\sustucam.sys []
S3 TridVid;ENUTV;C:\WINDOWS\system32\DRIVERS\TridVid.sys [2006-03-21 00:46]
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 13:20]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 13:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6675182a-bb25-11dc-bc81-0014a57ad9d9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b05550-4627-11dc-bbfc-000fb0f57c19}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e39b43d2-b7a2-11db-baf9-0014a57ad9d9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 20:50:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-28 05:09:11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1187666592.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 19:20:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
F:\My Music\iTunes\iTunes Music\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2008-01-31 19:26:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 01:26:40
ComboFix2.txt 2008-01-31 02:24:39
.
2008-01-09 21:56:49 --- E O F ---

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 February 2008 - 08:46 AM

Please download this tool and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Copy this text to notepad and save it to your desktop as Log.txt

----a-w		   313,472 2008-01-02 00:59:31  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		   344,064 2007-12-20 12:08:33  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			48,752 2008-01-02 00:59:11  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			68,856 2008-01-02 01:40:00  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			94,208 2008-01-02 00:58:54  C:\Program Files\HP\QuickPlay\QPService .exe
----a-w		   507,904 2008-01-02 00:59:08  C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
----a-w		   409,600 2008-01-02 00:58:54  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w		   253,000 2007-12-20 09:20:26  C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm .exe
----a-w		   105,544 2007-12-20 09:20:28  C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader .exe
----a-w		   286,720 2008-01-02 03:26:03  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   286,720 2008-01-02 07:12:36  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   286,720 2008-01-02 07:12:37  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   286,720 2008-01-02 07:12:39  C:\Program Files\QuickTime\qttask				.exe
----a-w		   286,720 2008-01-02 07:12:41  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   286,720 2008-01-02 07:12:43  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   286,720 2008-01-02 07:12:45  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   286,720 2008-01-02 07:12:46  C:\Program Files\QuickTime\qttask			.exe
----a-w		   286,720 2008-01-02 07:12:47  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   286,720 2008-01-02 07:12:49  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   286,720 2008-01-02 07:12:50  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   286,720 2008-01-02 07:12:51  C:\Program Files\QuickTime\qttask		.exe
----a-w		   286,720 2008-01-02 07:12:53  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   286,720 2008-01-02 07:12:54  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   286,720 2008-01-02 07:12:55  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   286,720 2008-01-02 07:12:56  C:\Program Files\QuickTime\qttask	.exe
----a-w		   286,720 2008-01-02 07:12:56  C:\Program Files\QuickTime\qttask   .exe
----a-w		   286,720 2008-01-02 07:12:58  C:\Program Files\QuickTime\qttask  .exe
----a-w		   286,720 2008-01-02 07:12:58  C:\Program Files\QuickTime\qttask .exe
----a-w		 1,460,560 2008-01-02 00:59:33  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			85,696 2008-01-02 00:59:10  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		   729,178 2008-01-02 00:58:54  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   158,208 2007-12-20 09:31:08  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-02 00:59:18  C:\WINDOWS\system32\ctfmon .exe
----a-w		   188,416 2008-01-02 00:58:56  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07 .exe


Now drag Log.txt into RenV.exe
When finished, it shall produce a new log for you. Post that log in your next reply.

Immediately run Combofix.exe and post that log also.

Edited by Buckeye_Sam, 02 February 2008 - 08:47 AM.

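The listing in the post above repeats one file name (qttask.exe) with a different run of tabs and spaces between the stem and the .exe extension, and the helper's instruction is to hand that listing to RenV.exe. The Python below is an added example, not ComboFix, RenV or anything posted in this thread: it parses listing lines in that format, groups padded names under the clean name they imitate, and runs the same whitespace check against a directory on disk. SAMPLE is a constructed listing shaped like the one above, and demo_scan() writes a few files to a throwaway temporary directory to exercise the on-disk check; the regular expressions are this example's own assumptions about the format, not RenV's.

```python
import os
import re
import shutil
import tempfile
from collections import defaultdict

# One line of the listing format quoted on this page:
#   <attributes> <size> <date> <time>  <path>
# Fields are separated by a mix of tabs and spaces, and the path itself may
# contain spaces, so the path is simply everything after the time field.
LINE_RE = re.compile(
    r"^(?P<attr>[-a-zA-Z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>\S.*)$"
)

# Whitespace wedged between a name's stem and its extension ("qttask \t .exe").
# The stem must end in a non-blank character; the extension runs to the end.
PAD_RE = re.compile(r"^(?P<stem>.*\S)(?P<pad>[ \t]+)(?P<ext>\.[^\\/ \t]+)$")


def split_padding(name):
    """Return (clean_name, pad_width); pad_width is 0 when nothing is padded."""
    m = PAD_RE.match(name)
    if not m:
        return name, 0
    return m.group("stem") + m.group("ext"), len(m.group("pad"))


def parse_listing(text):
    """Parse listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue
        path = m.group("path")
        clean, pad = split_padding(path)
        entries.append({
            "attr": m.group("attr"),
            "size": int(m.group("size").replace(",", "")),
            "when": m.group("date") + " " + m.group("time"),
            "path": path,
            "clean_path": clean,
            "pad": pad,
        })
    return entries


def group_padded(entries):
    """Group padded entries under the clean name they masquerade as.

    Only padded names are kept, so a clean path that shows up with several
    padded copies (as qttask.exe does on this page) stands out immediately.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["pad"]:
            groups[e["clean_path"]].append(e)
    return dict(groups)


def scan_tree(root):
    """Walk a directory and return (padded_path, clean_path) pairs.

    The listing parser above works on a log; this runs the same check on the
    disk itself, which is what you want when no log is available.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            clean, pad = split_padding(name)
            if pad:
                hits.append((os.path.join(dirpath, name), os.path.join(dirpath, clean)))
    return sorted(hits)


def demo_scan():
    """Create a throwaway directory holding two padded names and one clean
    name, scan it, and return the base names that were flagged."""
    root = tempfile.mkdtemp()
    try:
        for name in ("qttask   .exe", "qttask.exe", "VPTray .exe"):
            open(os.path.join(root, name), "w").close()
        return [os.path.basename(p) for p, _ in scan_tree(root)]
    finally:
        shutil.rmtree(root)


# Constructed sample shaped like the listing on this page: tabs and spaces
# between fields, and padding of varying width before ".exe".
SAMPLE = (
    "----a-w\t\t   286,720 2008-01-02 03:26:03  C:\\Program Files\\QuickTime\\qttask\t\t\t\t   .exe\n"
    "----a-w\t\t   286,720 2008-01-02 07:12:58  C:\\Program Files\\QuickTime\\qttask .exe\n"
    "----a-w\t\t\t85,696 2008-01-02 00:59:10  C:\\Program Files\\Symantec AntiVirus\\VPTray .exe\n"
    "----a-w\t\t   188,416 2008-01-02 00:58:56  C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07 .exe\n"
    "----a-w\t\t    15,360 2008-01-02 00:59:18  C:\\WINDOWS\\system32\\ctfmon.exe\n"
)

if __name__ == "__main__":
    for clean, items in sorted(group_padded(parse_listing(SAMPLE)).items()):
        print(f"{clean}: {len(items)} padded name(s)")
        for e in items:
            print(f"    pad={e['pad']:>2}  size={e['size']:>9}  {e['when']}")
    print("flagged on disk:", demo_scan())
```

Run it as-is to see the grouped report for the constructed sample; point scan_tree() at a real directory to check a machine rather than a log. The check deliberately treats any whitespace before the final extension as suspicious, so a legitimately odd name will be flagged too; that is the right trade-off when the goal is to find every copy before renaming.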


========================================================

#9 kylan7950

kylan7950
  • Topic Starter

  • Members
  • 8 posts

Posted 06 February 2008 - 10:29 AM

RenV log

Ran on Wed 02/06/2008 -  9:11:50.96

------w			85,696 2008-01-02 00:59:10  C:\Program Files\Symantec AntiVirus\VPTray .exe

 Entries:				1  (1)
 Directories:			0  Files:			 1
 Bytes:			 85,696  Blocks:		  168






Combofix log

ComboFix 08-01-31.1 - Kylan Lewis 2008-02-06 9:14:04.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.314 [GMT -6:00]
Running from: C:\Documents and Settings\Kylan Lewis\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://gpdl.google.com
.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-03 20:01 . 2008-02-03 20:01 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Grisoft
2008-02-03 04:45 . 2008-02-03 04:48 <DIR> d-------- C:\Program Files\DeductionPro 2007
2008-02-03 04:20 . 2008-02-03 04:20 <DIR> d-------- C:\Documents and Settings\Kylan Lewis\Application Data\TaxCut
2008-02-03 04:19 . 2008-02-03 04:20 <DIR> d-------- C:\Program Files\TaxCut07
2008-02-03 04:19 . 2008-02-03 04:19 <DIR> d-------- C:\Program Files\PDF995
2008-02-03 04:17 . 2008-02-03 04:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-01-30 23:45 . 2008-01-30 23:45 <DIR> d-------- C:\Program Files\FlyOrDie_Games
2008-01-30 23:45 . 2008-01-30 23:45 <DIR> d-------- C:\Program Files\Conduit
2008-01-30 20:20 . 2008-02-06 04:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-30 20:20 . 2008-01-30 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 06:44 . 2008-01-17 06:44 <DIR> d-------- C:\Program Files\easetech
2008-01-15 17:10 . 2008-01-15 17:10 <DIR> d-------- C:\Program Files\iPod
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 22:24 . 2008-01-07 22:46 <DIR> d-------- C:\Program Files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 15:19 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-06 15:10 --------- d-----w C:\Program Files\QuickTime
2008-02-06 15:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 04:29 --------- d-----w C:\Program Files\Google
2008-02-06 01:09 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\U3
2008-02-05 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-03 10:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-27 01:43 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-26 21:31 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\LimeWire
2008-01-25 07:24 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\Move Networks
2008-01-05 21:19 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\SUPERAntiSpyware.com
2008-01-05 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 12:52 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\Grisoft
2008-01-05 12:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 11:56 --------- d-----w C:\Program Files\Trend Micro
2008-01-03 19:48 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\HouseCall 6.6
2008-01-03 08:31 --------- d-----w C:\Program Files\Java
2008-01-03 05:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-01-03 05:26 --------- d-----w C:\Documents and Settings\LocalService\Application Data\FileOpen
2008-01-03 05:25 --------- d-----w C:\Documents and Settings\LocalService\Application Data\pdf995
2008-01-01 09:13 --------- d-----w C:\Program Files\Lavasoft
2008-01-01 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 01:14 --------- d-----w C:\Program Files\Common Files\KnifeEdge
2007-12-29 01:07 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\Uniblue
2007-12-20 04:22 --------- d-----w C:\Program Files\LimeWire
2007-12-20 04:22 --------- d-----w C:\Program Files\Incomplete
2007-12-20 04:21 134 ----a-w C:\n.bat
2007-12-17 05:55 --------- d-----w C:\Program Files\DivX
2007-12-11 19:46 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 19:46 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 19:46 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-11 07:18 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\FileOpen
2007-12-11 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\FileOpen
2007-12-11 07:16 --------- d-----w C:\Program Files\FileOpen
2007-12-11 07:15 --------- d-----w C:\Documents and Settings\Kylan Lewis\Application Data\AdobeUM
2006-11-20 21:33 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
------w			85,696 2008-01-02 00:59:10  C:\Program Files\Symantec AntiVirus\VPTray .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70a732af-f392-4ed8-823a-85fd644d4d92}]
2008-01-28 13:47 1555480 --a------ C:\Program Files\FlyOrDie_Games\tbFlyO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{70A732AF-F392-4ED8-823A-85FD644D4D92}

[HKEY_CLASSES_ROOT\clsid\{70a732af-f392-4ed8-823a-85fd644d4d92}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{70A732AF-F392-4ED8-823A-85FD644D4D92}"= C:\Program Files\FlyOrDie_Games\tbFlyO.dll [2008-01-28 13:47 1555480]

[HKEY_CLASSES_ROOT\clsid\{70a732af-f392-4ed8-823a-85fd644d4d92}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-01 18:59 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-01 18:59 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-01 19:40 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-01 18:59 1460560]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-20 06:08 344064]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-01 18:58 729178]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2008-01-01 18:58 94208]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2008-01-01 18:58 409600]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2008-01-01 18:58 188416]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2008-01-01 18:59 507904]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-01 18:59 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2008-01-01 21:25 85696]
"TVTray"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-02 01:12 286720]
"iTunesHelper"="F:\My Music\iTunes\iTunes Music\iTunesHelper.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 16:25:20 97320]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-20 07:44:10 124912]
hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12 28672]
officejet 6100.lnk - C:\Program Files\HP\Digital Imaging\bin\hposol08.exe [2003-04-09 16:42:06 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Harmony Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Harmony Monitor.lnk
backup=C:\WINDOWS\pss\Harmony Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCLoader]
--a------ 2007-12-20 03:20 105544 C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--a------ 2007-12-20 03:20 253000 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 07:00]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 14:06]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\sustucam.sys []
S3 TridVid;ENUTV;C:\WINDOWS\system32\DRIVERS\TridVid.sys [2006-03-21 00:46]
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 13:20]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 13:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6675182a-bb25-11dc-bc81-0014a57ad9d9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b05550-4627-11dc-bbfc-000fb0f57c19}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e39b43d2-b7a2-11db-baf9-0014a57ad9d9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 20:50:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-28 05:09:11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1187666592.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 09:19:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2008-02-06 9:22:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 15:22:23
ComboFix2.txt 2008-02-01 01:26:47
ComboFix3.txt 2008-01-31 02:24:39
.
2008-01-09 21:56:49 --- E O F ---
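
The RenV output and the ComboFix log above both list files whose names carry a space before the extension ("VPTray .exe", "ctfmon .exe") sitting next to the normally named VPTray.exe and ctfmon.exe that the Run keys point to; the same log reports D:\Autorun.inf as "failed to delete" and shows AutoRun commands under MountPoints2 for removable drives. The Python below is an added example, not a BleepingComputer tool and not part of RenV or ComboFix: it walks ComboFix-style text, pulls out those four kinds of entry, and runs over a constructed excerpt built from the posted lines. The thread does not say what ComboFix means by an empty "[ ]" after a Run value, so the script only reports that no size or timestamp was recorded; the function and category names are mine.

```python
import re

# Constructed excerpt modelled on the RenV and ComboFix output posted in this
# thread (the paths are the ones shown there; this is not the complete log).
SAMPLE_LOG = r"""
----a-w            85,696 2008-01-02 00:59:10  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w            15,360 2008-01-02 00:59:18  C:\WINDOWS\system32\ctfmon .exe
D:\Autorun.inf . . . . failed to delete
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-01 18:59 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2008-01-01 21:25 85696]
"TVTray"="" []
"iTunesHelper"="F:\My Music\iTunes\iTunes Music\iTunesHelper.exe" [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6675182a-bb25-11dc-bc81-0014a57ad9d9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="command" [metadata]  -- the Reg Loading Points format in the log
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)" \[(?P<meta>[^\]]*)\]$')
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*$")
# A name like "VPTray .exe": whitespace immediately before the extension.
SPACED_EXT = re.compile(r"\s\.(exe|dll|sys|com|scr|pif|cpl|bat)$", re.I)


def triage(log_text):
    """Walk ComboFix/RenV-style output and collect the entries worth a second look."""
    findings = {
        "spaced_extension": [],   # files named like "name .exe"
        "run_no_metadata": [],    # Run values printed with empty [ ] brackets
        "autorun_commands": [],   # Shell\AutoRun\command values under MountPoints2
        "failed_deletes": [],     # items ComboFix reported it could not remove
    }
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            # Remember which registry key the following values belong to.
            current_key = m.group("key")
            continue
        if "failed to delete" in line.lower():
            findings["failed_deletes"].append(line)
            continue
        m = RUN_ENTRY.match(line)
        if m:
            name, cmd, meta = m.group("name"), m.group("cmd"), m.group("meta")
            if not meta.strip():
                findings["run_no_metadata"].append((current_key, name, cmd))
            if SPACED_EXT.search(cmd):
                findings["spaced_extension"].append(cmd)
            continue
        m = AUTORUN_CMD.match(line)
        if m and current_key and "mountpoints2" in current_key.lower():
            # The last path component of the key is the volume GUID.
            volume_guid = current_key.rsplit("\\", 1)[-1]
            findings["autorun_commands"].append((volume_guid, m.group("cmd")))
            continue
        m = DRIVE_PATH.search(line)
        if m and SPACED_EXT.search(m.group(0)):
            findings["spaced_extension"].append(m.group(0))
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

A path flagged under spaced_extension is worth comparing with the normally named file in the same directory (size, timestamp, whether it is the one the Run value actually launches) before anything is deleted; the script points at the entries, it does not judge them.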

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 February 2008 - 10:11 PM

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Also post a new hijackthis log and let me know how your computer is running now.


========================================================

#11 kylan7950

kylan7950
  • Topic Starter

  • Members
  • 8 posts

Posted 08 February 2008 - 11:03 PM

The Kaspersky file is too big and I can't post it. Symantec Antivirus has a lot of entries. Can't I delete any of it? Is there some way to shrink it?

Edited by kylan7950, 08 February 2008 - 11:07 PM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 February 2008 - 07:32 PM

I only need to see the portion of the log that shows infected files. You can delete anything that says "Object is locked skipped".
You can also attach it as a text file here instead of copying and pasting.


========================================================

#13 kylan7950

kylan7950
  • Topic Starter

  • Members
  • 8 posts

Posted 10 February 2008 - 04:20 AM

Well then, in that case I don't need to post the report because they are all locked/skipped. Do you still want to see the hijack log?

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 February 2008 - 08:26 AM

Yes, please.

How is your computer behaving now? Any problems?


========================================================

#15 kylan7950

kylan7950
  • Topic Starter

  • Members
  • 8 posts

Posted 12 February 2008 - 02:39 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:26 AM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\My Music\iTunes\iTunes Music\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9396 bytes
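
In the HijackThis log above the same CLSID {70a732af-f392-4ed8-823a-85fd644d4d92} appears under R3 (URLSearchHook), O2 (BHO) and O3 (Toolbar), every time loading C:\Program Files\FlyOrDie_Games\tbFlyO.dll; the log also has seven O16 ActiveX downloads and three Global Startup shortcuts for which HijackThis printed "= ?" instead of a target. The Python below is an added example, not HijackThis code and not from anyone in the thread: it parses HJT-format lines and extracts exactly those three things, over a constructed excerpt of the posted log. The function names (parse_hjt, clsid_clusters, unresolved_startups, dpf_hosts) are mine; the line formats are those HijackThis v2.0.2 printed above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis v2.0.2 log posted in this thread: a
# few lines of each section type, copied from the post, not the full log.
SAMPLE_HJT = r"""
R3 - URLSearchHook: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O4 - HKLM\..\Run: [iTunesHelper] "F:\My Music\iTunes\iTunes Music\iTunesHelper.exe"
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
"""

# Every HJT finding is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def clsid_clusters(entries):
    """Group findings by CLSID and keep only CLSIDs registered under more than one section.

    A component hooked in as URLSearchHook (R3), BHO (O2) and Toolbar (O3) at
    once is wired into Internet Explorer three ways, which is why it is the
    first cluster to look at, whatever the component turns out to be.
    """
    by_clsid = defaultdict(list)
    for sec, body in entries:
        m = CLSID.search(body)
        if not m:
            continue
        # The loaded file (or, for O16, the download URL) follows the last " - ".
        target = body.rsplit(" - ", 1)[-1].strip()
        by_clsid[m.group(0).lower()].append((sec, target))
    return {c: hits for c, hits in by_clsid.items() if len({s for s, _ in hits}) > 1}


def unresolved_startups(entries):
    """Global Startup shortcuts for which HijackThis printed '?' rather than a target path."""
    names = []
    for sec, body in entries:
        if sec == "O4" and body.startswith("Global Startup:") and body.rstrip().endswith("= ?"):
            names.append(body.split(":", 1)[1].rsplit("=", 1)[0].strip())
    return names


def dpf_hosts(entries):
    """Hosts that served ActiveX controls (O16 lines), to review against expected vendors."""
    hosts = set()
    for sec, body in entries:
        if sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname
            if host:
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT)
    for clsid, hits in clsid_clusters(found).items():
        print(clsid, "->", [s for s, _ in hits], hits[0][1])
    print("startup shortcuts with no target shown:", unresolved_startups(found))
    print("ActiveX download hosts:", sorted(dpf_hosts(found)))
```

The O16 URLs in the posted log are truncated with "..." by the forum; the excerpt keeps only the two that appear in full, and a real run would take the complete log saved by HijackThis rather than the pasted copy.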



