
Trojanvirtumonde Virus


  • This topic is locked
20 replies to this topic

#1 ceceb

ceceb

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 06 January 2008 - 02:42 AM

Help! My laptop has this virus and I've tried multiple downloads to try to delete it, and nothing works. Spyware Doctor is constantly blocking the application trying to access a file, and I get the error message:
Error loading C:\WINDOWS\system32\vtuts.dll. Access is denied. This is popping up every 10 seconds. I've tried to delete the file, but it can't be deleted.
I've tried Ad-Aware, Trojan Hunter, Spyware Dr., Trend Micro, FXVundoB, Symantec, VundoFix.
No luck. Please help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:30 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide .exe
C:\Program Files\TrojanHunter 5.0\THGuard .exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon .exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: {3779f7a1-57d6-04f8-14c4-655c8a1db002} - {200bd1a8-c556-4c41-8f40-6d751a7f9773} - C:\WINDOWS\system32\cambbcrr.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {42307AAD-16CC-42E0-9DF5-23A95ABB2837} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\nnnnkjk.dll (file missing)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard .exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Registration-Studio 8.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O20 - Winlogon Notify: nnnnkjk - nnnnkjk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9520 bytes



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:56 PM

Posted 06 January 2008 - 09:19 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 ceceb

ceceb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 06 January 2008 - 11:59 AM

Thanks for your help. I tried to download but I'm getting error message: Some installation files are corrupt. Please download a fresh copy and retry the installation.

I'm working with my desktop and portable drive. I downloaded again from desktop to portable drive and tried to open with that but got the same error message.

#4 ceceb

ceceb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 06 January 2008 - 12:03 PM

While self-extracting it shows:
CRC failed in ERUNT.cfexe.
Unexpected end of archive.

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:56 PM

Posted 06 January 2008 - 06:20 PM

Make sure that you have disabled your antivirus before running Combofix.

Also try renaming combofix.exe to cf.exe and then run it.


If you still can't get combofix to run, let's run another tool.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#6 ceceb

ceceb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 07 January 2008 - 12:10 AM

ComboFix 08-01-04.1 - Cece Bulkley 2008-01-06 18:55:18.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767 [GMT -10:00]
Running from: C:\Documents and Settings\Cece Bulkley\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\TrojanHunter 5.0\THGuard .exe
C:\Program Files\TrojanHunter 5.0\THGuard .exe
C:\Program Files\TrojanHunter 5.0\THGuard .exe
C:\Program Files\TrojanHunter 5.0\THGuard .exe
C:\Program Files\TrojanHunter 5.0\THGuard .exe
C:\Program Files\TrojanHunter 5.0\THGuard .exe
C:\Program Files\TrojanHunter 5.0\THGuard .exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.exe

"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe" moved to QooBox
"C:\Program Files\Messenger\msmsgs .exe" replaces infected copy of "C:\Program Files\Messenger\msmsgs.exe"
"C:\Program Files\Spyware Doctor\SDTrayApp .exe" replaces infected copy of "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
"C:\Program Files\Trend Micro\Internet Security 14\pccguide .exe" replaces infected copy of "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
"C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon .exe" replaces infected copy of "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
.
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-06 18:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 19:44 . 2008-01-05 20:17 <DIR> d-------- C:\VundoFix Backups
2008-01-05 15:08 . 2008-01-05 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-01-05 14:04 . 2008-01-06 18:59 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-05 12:36 . 2008-01-05 12:46 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-04 21:09 . 2008-01-06 19:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-04 21:09 . 2008-01-04 21:09 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\PC Tools
2008-01-04 21:09 . 2008-01-06 18:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-04 21:09 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-04 21:09 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-04 21:09 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-04 21:09 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-04 21:09 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-04 21:07 . 2008-01-05 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-04 12:59 . 2008-01-04 12:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-02 11:06 . 2008-01-02 18:57 1,031,467 ---hs---- C:\WINDOWS\system32\txtytdad.ini
2008-01-02 11:04 . 2008-01-02 11:05 1,031,791 ---hs---- C:\WINDOWS\system32\rbcdsbqg.ini
2007-12-31 13:25 . 2008-01-02 11:05 1,031,990 ---hs---- C:\WINDOWS\system32\scfhldjt.ini
2007-12-31 13:22 . 2007-12-31 13:22 1,031,671 ---hs---- C:\WINDOWS\system32\fpihcyak.ini
2007-12-29 15:16 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-12-29 15:16 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\dllcache\slip.sys
2007-12-29 12:04 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-12-29 12:04 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-12-29 12:04 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-12-29 12:04 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-12-29 12:04 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-12-29 12:04 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\dllcache\mstee.sys
2007-12-29 12:02 . 2007-12-29 12:02 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\InstallShield
2007-12-29 12:02 . 2007-03-24 17:27 26,240 --a------ C:\WINDOWS\system32\drivers\Camd8080.sys
2007-12-29 12:02 . 2007-03-24 17:27 16,640 --a------ C:\WINDOWS\system32\drivers\Capt8080.sys
2007-12-28 11:07 . 2007-12-31 13:22 1,031,611 ---hs---- C:\WINDOWS\system32\ehiitedp.ini
2007-12-28 10:58 . 2007-12-28 10:58 1,031,139 ---hs---- C:\WINDOWS\system32\pfvqfnqn.ini
2007-12-27 22:01 . 2007-12-27 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-12-27 22:01 . 2006-11-09 16:04 73,288 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-27 21:51 . 2007-12-27 21:51 1,024 --a------ C:\WINDOWS\system32\drivers\2DFBE721-DFD9-42C6-881B-48D01F63AD5F.cxv
2007-12-27 21:37 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-12-27 21:37 . 2006-11-09 16:04 280,392 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-27 21:37 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-27 21:37 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-27 14:46 . 2007-12-27 14:47 84,349,774 --a------ C:\reg_backup.reg
2007-12-27 13:33 . 2008-01-06 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-27 12:43 . 2007-12-27 12:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-27 12:43 . 2007-12-27 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-27 12:41 . 2007-12-27 12:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 11:33 . 2007-12-27 11:34 4,096 --a------ C:\WINDOWS\system32\drivers\0D75B75B-C895-4704-9C5E-D0894BD38A46.cxv
2007-12-27 11:28 . 2007-12-27 21:56 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-27 11:28 . 2007-12-27 11:28 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-27 11:28 . 2007-12-27 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-26 18:52 . 2008-01-05 19:41 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-26 16:36 . 2007-12-27 14:57 114,688 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-26 16:36 . 2007-12-27 14:57 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-26 16:36 . 2007-12-27 14:58 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-26 16:28 . 2007-12-26 16:28 <DIR> d-------- C:\Program Files\MyWaySA
2007-12-26 15:55 . 2007-12-26 15:55 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\AdwareAlert
2007-12-26 15:54 . 2007-12-26 16:27 <DIR> d-------- C:\Program Files\AdwareAlert
2007-12-23 00:20 . 2007-12-27 11:09 382,464 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2007-12-20 09:54 . 2007-12-20 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 04:58 --------- d-----w C:\Program Files\QuickTime
2008-01-06 07:11 --------- d-----w C:\Program Files\Trend Micro
2008-01-05 07:07 --------- d-----w C:\Program Files\Google
2008-01-03 21:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-01 01:31 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-29 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 21:01 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-12-28 07:20 --------- d-----w C:\Program Files\DellSupport
2007-12-28 07:17 --------- d-----w C:\Program Files\Apoint
2007-12-27 22:33 --------- d-----w C:\Program Files\Plaxo
2007-12-27 09:01 131 ----a-w C:\Program Files\uninstall.log
2007-12-22 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 20:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-03 00:21 110,264 -c--a-w C:\Documents and Settings\Cece Bulkley\Application Data\GDIPFONTCACHEV1.DAT
.
----a-w		   135,168 2007-12-28 00:58:11  C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent .exe
----a-w		   208,896 2007-12-28 00:58:03  C:\Program Files\ACD Systems\DevDetect\DEVDET~1 .EXE
----a-w			63,712 2007-12-28 00:58:03  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w			40,048 2007-12-28 00:58:03  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   155,648 2007-12-28 00:57:40  C:\Program Files\Apoint\Apoint .exe
----a-w			81,920 2007-12-28 00:57:45  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w			50,688 2007-12-28 00:57:58  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w		   110,592 2007-12-28 00:57:55  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w			53,248 2007-12-28 00:58:01  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			40,960 2007-12-28 00:58:02  C:\Program Files\Dantz\Retrospect\ComboButton .exe
----a-w		   290,816 2007-12-28 00:57:43  C:\Program Files\Dell\Media Experience\PCMService .exe
----a-w		   460,784 2007-12-28 00:58:05  C:\Program Files\DellSupport\DSAgnt .exe
----a-w		   847,872 2008-01-05 01:28:51  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w			40,960 2007-12-28 00:57:55  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01 .exe
----a-w			49,152 2007-12-28 00:57:48  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
----a-w		   385,024 2007-12-28 00:57:40  C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w		   132,496 2007-12-28 00:58:03  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		 1,126,400 2007-12-28 00:57:55  C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray .exe
----a-w		   227,914 2007-12-27 22:13:08  C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper .exe
----a-w			26,112 2007-12-28 00:57:57  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		   823,362 2007-12-28 00:57:55  C:\Program Files\Trend Micro\Internet Security 12\PccGuide .exe
----a-w		   176,201 2007-12-28 00:58:10  C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon .exe
----a-w			15,360 2008-01-06 05:41:34  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2007-12-28 00:58:00  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2007-12-28 00:57:53  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2007-12-28 00:57:51  C:\WINDOWS\system32\igfxtray .exe
----a-w		   127,035 2007-12-28 00:58:01  C:\WINDOWS\system32\dla\tfswctrl .exe
----a-w		   172,032 2007-12-28 00:57:46  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200bd1a8-c556-4c41-8f40-6d751a7f9773}]
C:\WINDOWS\system32\cambbcrr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-06 11:31 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2008-01-06 11:31 321040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2008-01-06 11:29 1807960]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard .exe" [ ]

C:\Documents and Settings\Cece Bulkley\Start Menu\Programs\Startup\
Registration-Studio 8.lnk - C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe [2007-07-02 20:31:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2005-07-18 14:22:11]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-11 21:54:10]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-04 21:07:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 11:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"NProtectService"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)

S3 SQTECH913D;Photo Frame;C:\WINDOWS\system32\Drivers\Capt8080.sys [2007-03-24 17:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3ea7a48-73a1-11dc-be05-0080c81f098f}]
\Shell\AutoRun\command - E:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - E:\system\viewer\FlipVideoforPC.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 01:55:29 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-01-03 20:18:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-07 05:03:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 19:02:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 19:05:26 - machine was rebooted [Cece Bulkley]
ComboFix-quarantined-files.txt 2008-01-07 05:05:22
.
2007-12-22 00:07:27 --- E O F ---
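Two patterns in the logs above are mechanical enough to check by script: executables whose file name carries a space before the extension (the `pccguide .exe` copies that ComboFix reports replacing the real `pccguide.exe`, and the paths in its listing), and the O2 BHO / O20 Winlogon Notify entries in the HijackThis log whose DLL is reported missing. The Python below is an added example, not code from this thread, HijackThis or ComboFix; the sample lines are a constructed excerpt of the logs posted above (plus one made-up clean listing line), and the `unnamed-bho` flag is a triage heuristic of mine, not something either tool reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Last path component whose name ends in whitespace before the extension ("SDTrayApp .exe").
SPACED_EXT = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>[A-Za-z0-9]+)$")
# A HijackThis entry: section code, " - ", body.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A drive-letter path up to its first .exe/.dll/.sys/.ini extension (lazy, stops at a quote).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ini)', re.IGNORECASE)
# A ComboFix listing line: attributes, size, timestamp, path (the Log.txt format in this thread).
CF_LINE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*)$"
)
MISSING_MARKERS = ("(no file)", "(file missing)")

@dataclass(frozen=True)
class Finding:
    kind: str    # "spaced-extension", "missing-file" or "unnamed-bho"
    source: str  # log and section that produced it, e.g. "hjt:O4" or "combofix"
    text: str    # the path or the entry body

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def is_spaced_extension(path: str) -> bool:
    return SPACED_EXT.match(basename(path)) is not None

def canonical(path: str) -> str:
    """Lower-cased path with the spurious space removed, so a copy pairs with its twin."""
    base = basename(path)
    m = SPACED_EXT.match(base)
    if m:
        base = f"{m.group('stem')}.{m.group('ext')}"
    return (path[: len(path) - len(basename(path))] + base).lower()

def triage_hjt(lines: Iterable[str]) -> List[Finding]:
    """Scan HijackThis lines: bare 'Running processes' paths and 'Oxx - ...' entries."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        entry = HJT_LINE.match(line)
        if entry:
            code, body = entry.group("code"), entry.group("body")
            if code in ("O2", "O20") and any(mk in body for mk in MISSING_MARKERS):
                # The registration outlived its DLL: a leftover load point to clean up.
                findings.append(Finding("missing-file", f"hjt:{code}", body))
            elif code == "O2" and body.startswith("BHO: (no name)"):
                # An unnamed BHO with its DLL present is worth a look, not proof of anything.
                findings.append(Finding("unnamed-bho", "hjt:O2", body))
            for path in WIN_PATH.findall(body):
                if is_spaced_extension(path):
                    findings.append(Finding("spaced-extension", f"hjt:{code}", path))
        elif WIN_PATH.fullmatch(line) and is_spaced_extension(line):
            findings.append(Finding("spaced-extension", "hjt:process", line))
    return findings

def triage_combofix_listing(lines: Iterable[str]) -> List[Finding]:
    """Scan ComboFix 'attrs size timestamp path' lines for spaced-extension names."""
    return [
        Finding("spaced-extension", "combofix", m.group("path"))
        for m in (CF_LINE.match(raw.strip()) for raw in lines)
        if m and is_spaced_extension(m.group("path"))
    ]

def hjt_paths(lines: Iterable[str]) -> List[str]:
    """Every drive-letter path mentioned anywhere in the HijackThis lines."""
    return [p for raw in lines for p in WIN_PATH.findall(raw)]

def shadowed_pairs(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """(copy, original) pairs where both 'name .exe' and 'name.exe' appear in the log."""
    seen: Dict[str, Dict[bool, str]] = {}
    for p in paths:
        seen.setdefault(canonical(p), {})[is_spaced_extension(p)] = p
    return [(v[True], v[False]) for v in seen.values() if True in v and False in v]

# Constructed excerpt of the HijackThis log posted at the top of this thread.
SAMPLE_HJT = r"""
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide .exe
O2 - BHO: (no name) - {42307AAD-16CC-42E0-9DF5-23A95ABB2837} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\nnnnkjk.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard .exe"
O20 - Winlogon Notify: nnnnkjk - nnnnkjk.dll (file missing)
""".strip().splitlines()

# Constructed excerpt of the ComboFix listing above; the last line is a made-up clean entry.
SAMPLE_CF = r"""
----a-w           135,168 2007-12-28 00:58:11  C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent .exe
----a-w            15,360 2008-01-06 05:41:34  C:\WINDOWS\system32\ctfmon .exe
----a-w            19,328 2004-08-03 23:10:00  C:\WINDOWS\system32\drivers\WSTCODEC.SYS
""".strip().splitlines()
```

Running `triage_hjt(SAMPLE_HJT)` and `shadowed_pairs(hjt_paths(SAMPLE_HJT))` over the full HijackThis log shows which spaced-name copies sit beside a legitimate twin, which is exactly what ComboFix's "replaces infected copy of" lines then confirm.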

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:56 PM

Posted 07 January 2008 - 08:32 AM

Please download this tool and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe


Next, copy the text below into notepad and save it on your desktop as Log.txt

----a-w		   135,168 2007-12-28 00:58:11  C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent .exe
----a-w		   208,896 2007-12-28 00:58:03  C:\Program Files\ACD Systems\DevDetect\DEVDET~1 .EXE
----a-w			63,712 2007-12-28 00:58:03  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w			40,048 2007-12-28 00:58:03  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   155,648 2007-12-28 00:57:40  C:\Program Files\Apoint\Apoint .exe
----a-w			81,920 2007-12-28 00:57:45  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w			50,688 2007-12-28 00:57:58  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w		   110,592 2007-12-28 00:57:55  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w			53,248 2007-12-28 00:58:01  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			40,960 2007-12-28 00:58:02  C:\Program Files\Dantz\Retrospect\ComboButton .exe
----a-w		   290,816 2007-12-28 00:57:43  C:\Program Files\Dell\Media Experience\PCMService .exe
----a-w		   460,784 2007-12-28 00:58:05  C:\Program Files\DellSupport\DSAgnt .exe
----a-w		   847,872 2008-01-05 01:28:51  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w			40,960 2007-12-28 00:57:55  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01 .exe
----a-w			49,152 2007-12-28 00:57:48  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
----a-w		   385,024 2007-12-28 00:57:40  C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w		   132,496 2007-12-28 00:58:03  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		 1,126,400 2007-12-28 00:57:55  C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray .exe
----a-w		   227,914 2007-12-27 22:13:08  C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper .exe
----a-w			26,112 2007-12-28 00:57:57  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		   823,362 2007-12-28 00:57:55  C:\Program Files\Trend Micro\Internet Security 12\PccGuide .exe
----a-w		   176,201 2007-12-28 00:58:10  C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon .exe
----a-w			15,360 2008-01-06 05:41:34  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2007-12-28 00:58:00  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2007-12-28 00:57:53  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2007-12-28 00:57:51  C:\WINDOWS\system32\igfxtray .exe
----a-w		   127,035 2007-12-28 00:58:01  C:\WINDOWS\system32\dla\tfswctrl .exe
----a-w		   172,032 2007-12-28 00:57:46  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08 .exe



[image]

Referring to the picture above, drag Log.txt into RenV.exe.
When finished, it shall produce a new log for you. Post that log in your next reply.



===================




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 ceceb (Topic Starter)

Posted 07 January 2008 - 05:26 PM

After running the combofix, the virus appears to be gone. I've run Ad-aware, PC-cillin and nothing is showing up. Should I still do your last request/email?

Thanks

#9 Buckeye_Sam (Malware Expert)

Posted 07 January 2008 - 07:17 PM

Yes, please perform those steps. We need to make sure there are no remaining infected files in your system or they will reintroduce the virus all over again.


========================================================

#10 ceceb (Topic Starter)

Posted 08 January 2008 - 12:45 AM

Here's the log

Could Not Find C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
Could Not Find C:\Program Files\ACD Systems\DevDetect\DEVDET~1.EXE
Could Not Find C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
Could Not Find C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
Could Not Find C:\Program Files\Apoint\Apoint.exe
Could Not Find C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
Could Not Find C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Could Not Find C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
Could Not Find C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
Could Not Find C:\Program Files\Dantz\Retrospect\ComboButton.exe
Could Not Find C:\Program Files\Dell\Media Experience\PCMService.exe
Could Not Find C:\Program Files\DellSupport\DSAgnt.exe
Could Not Find C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
Could Not Find C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Could Not Find C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
Could Not Find C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
Could Not Find C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
Could Not Find C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
Could Not Find C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
Could Not Find C:\Program Files\Real\RealPlayer\RealPlay.exe
Could Not Find C:\Program Files\Trend Micro\Internet Security 12\PccGuide.exe
Could Not Find C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
Could Not Find C:\WINDOWS\system32\ctfmon.exe
Could Not Find C:\WINDOWS\system32\hkcmd.exe
Could Not Find C:\WINDOWS\system32\igfxpers.exe
Could Not Find C:\WINDOWS\system32\igfxtray.exe
Could Not Find C:\WINDOWS\system32\dla\tfswctrl.exe
Could Not Find C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

#11 ceceb (Topic Starter)

Posted 08 January 2008 - 02:33 AM

KASPERSKY ONLINE SCANNER REPORT
Monday, January 07, 2008 9:30:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/01/2008
Kaspersky Anti-Virus database records: 504058
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 98855
Number of viruses found 3
Number of infected objects 30
Number of suspicious objects 0
Duration of the scan process 01:09:04

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-2754133635-4162189527-2521187120-500u.log Object is locked skipped
C:\Documents and Settings\Cece Bulkley\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cece Bulkley\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cece Bulkley\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cece Bulkley\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cece Bulkley\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cece Bulkley\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Cece Bulkley\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Dell\QuickSet\quickset.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\5F.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\86.tmp Infected: Backdoor.Win32.Agent.dbm skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\9C.tmp Infected: Backdoor.Win32.Agent.dbm skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\BF.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\C1.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\C3.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\C5.tmp Infected: Backdoor.Win32.Agent.dbm skipped
C:\QooBox\Quarantine\C\Program Files\Messenger\msmsgs.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Spyware Doctor\SDTrayApp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Trend Micro\Internet Security 14\pccguide.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\TrojanHunter 5.0\THGuard .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\TrojanHunter 5.0\THGuard .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\TrojanHunter 5.0\THGuard .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\TrojanHunter 5.0\THGuard .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\TrojanHunter 5.0\THGuard .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\TrojanHunter 5.0\THGuard .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\TrojanHunter 5.0\THGuard .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\Program Files\TrojanHunter 5.0\THGuard.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtuts.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\change.log Object is locked skipped
C:\VundoFix Backups\ctfmon.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\VundoFix Backups\vtuts.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu72.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{8CF1ACBD-C4B1-4B3B-B83F-F98FAD364D88}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

#12 Buckeye_Sam (Malware Expert)

Posted 08 January 2008 - 04:33 PM

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\mrofinu72.exe.tmp



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
  • Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
In that case, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log (where "********_******" is the "date_time")



Please post a new log from Combofix.
Let me know of any problems that you are still having.


========================================================

#13 ceceb (Topic Starter)

Posted 09 January 2008 - 12:41 AM

File/Folder C:\Program Files\Dell\QuickSet\quickset.exe not found.
File/Folder C:\WINDOWS\mrofinu72.exe.tmp not found.

Created on 01/08/2008 19:32:06


ComboFix 08-01-04.1 - Cece Bulkley 2008-01-08 19:34:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.339 [GMT -10:00]
Running from: C:\Documents and Settings\Cece Bulkley\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 19:31 . 2008-01-08 19:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-07 20:03 . 2008-01-07 20:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-07 20:03 . 2008-01-07 20:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-01-07 19:43 . 2007-12-27 14:57 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-07 19:43 . 2007-12-27 14:57 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-07 19:43 . 2007-12-27 14:58 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-07 19:43 . 2008-01-05 19:41 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-07 19:43 . 2008-01-05 19:41 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-06 18:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 19:44 . 2008-01-05 20:17 <DIR> d-------- C:\VundoFix Backups
2008-01-05 15:08 . 2008-01-05 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-01-05 14:04 . 2008-01-07 10:26 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-05 12:36 . 2008-01-05 12:46 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-04 21:09 . 2008-01-07 19:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-04 21:09 . 2008-01-04 21:09 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\PC Tools
2008-01-04 21:09 . 2008-01-04 21:09 <DIR> d-------- C:\DOCUME~1\CECEBU~1\APPLIC~1\PC Tools
2008-01-04 21:09 . 2008-01-08 19:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-01-04 21:09 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-04 21:09 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-04 21:09 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-04 21:09 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-04 21:09 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-04 21:07 . 2008-01-07 20:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-01-04 12:59 . 2008-01-04 12:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-02 11:06 . 2008-01-02 18:57 1,031,467 ---hs---- C:\WINDOWS\system32\txtytdad.ini
2008-01-02 11:04 . 2008-01-02 11:05 1,031,791 ---hs---- C:\WINDOWS\system32\rbcdsbqg.ini
2007-12-31 13:25 . 2008-01-02 11:05 1,031,990 ---hs---- C:\WINDOWS\system32\scfhldjt.ini
2007-12-31 13:22 . 2007-12-31 13:22 1,031,671 ---hs---- C:\WINDOWS\system32\fpihcyak.ini
2007-12-29 15:16 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-12-29 15:16 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\dllcache\slip.sys
2007-12-29 12:04 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-12-29 12:04 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-12-29 12:04 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-12-29 12:04 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-12-29 12:04 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-12-29 12:04 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\dllcache\mstee.sys
2007-12-29 12:02 . 2007-12-29 12:02 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\InstallShield
2007-12-29 12:02 . 2007-12-29 12:02 <DIR> d-------- C:\DOCUME~1\CECEBU~1\APPLIC~1\InstallShield
2007-12-29 12:02 . 2007-03-24 17:27 26,240 --a------ C:\WINDOWS\system32\drivers\Camd8080.sys
2007-12-29 12:02 . 2007-03-24 17:27 16,640 --a------ C:\WINDOWS\system32\drivers\Capt8080.sys
2007-12-28 11:07 . 2007-12-31 13:22 1,031,611 ---hs---- C:\WINDOWS\system32\ehiitedp.ini
2007-12-28 10:58 . 2007-12-28 10:58 1,031,139 ---hs---- C:\WINDOWS\system32\pfvqfnqn.ini
2007-12-27 22:01 . 2007-12-27 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-12-27 22:01 . 2006-11-09 16:04 73,288 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-27 21:51 . 2007-12-27 21:51 1,024 --a------ C:\WINDOWS\system32\drivers\2DFBE721-DFD9-42C6-881B-48D01F63AD5F.cxv
2007-12-27 21:37 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-12-27 21:37 . 2006-11-09 16:04 280,392 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-27 21:37 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-27 21:37 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-27 14:46 . 2007-12-27 14:47 84,349,774 --a------ C:\reg_backup.reg
2007-12-27 13:33 . 2008-01-06 12:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-12-27 12:43 . 2007-12-27 12:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-27 12:43 . 2007-12-27 12:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-12-27 12:41 . 2007-12-27 12:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 11:33 . 2007-12-27 11:34 4,096 --a------ C:\WINDOWS\system32\drivers\0D75B75B-C895-4704-9C5E-D0894BD38A46.cxv
2007-12-27 11:28 . 2007-12-27 21:56 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-27 11:28 . 2007-12-27 11:28 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-27 11:28 . 2007-12-27 21:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-12-26 16:28 . 2007-12-26 16:28 <DIR> d-------- C:\Program Files\MyWaySA
2007-12-26 15:55 . 2007-12-26 15:55 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\AdwareAlert
2007-12-26 15:55 . 2007-12-26 15:55 <DIR> d-------- C:\DOCUME~1\CECEBU~1\APPLIC~1\AdwareAlert
2007-12-26 15:54 . 2007-12-26 16:27 <DIR> d-------- C:\Program Files\AdwareAlert
2007-12-20 09:54 . 2007-12-20 09:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 05:43 --------- d-----w C:\Program Files\DellSupport
2008-01-08 05:43 --------- d-----w C:\Program Files\Apoint
2008-01-07 20:29 --------- d-----w C:\Program Files\Common Files\Real
2008-01-07 04:58 --------- d-----w C:\Program Files\QuickTime
2008-01-06 07:11 --------- d-----w C:\Program Files\Trend Micro
2008-01-05 07:07 --------- d-----w C:\Program Files\Google
2008-01-03 21:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-01 01:31 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-29 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 21:01 --------- d--ha-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
2007-12-27 22:33 --------- d-----w C:\Program Files\Plaxo
2007-12-27 09:01 131 ----a-w C:\Program Files\uninstall.log
2007-12-22 20:11 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 03:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 03:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 20:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-03 00:21 110,264 -c--a-w C:\Documents and Settings\Cece Bulkley\Application Data\GDIPFONTCACHEV1.DAT
2007-10-03 00:21 110,264 -c--a-w C:\DOCUME~1\CECEBU~1\APPLIC~1\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_19.05.06.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-28 00:58:01 127,035 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
+ 2005-05-24 22:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-30 01:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-30 01:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-28 00:57:46 172,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200bd1a8-c556-4c41-8f40-6d751a7f9773}]
C:\WINDOWS\system32\cambbcrr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-06 11:31 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-05 19:41 15360]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2008-01-06 11:31 321040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-27 14:58 77824]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2008-01-06 11:29 1807960]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-01-06 18:38 1065288]

C:\Documents and Settings\Cece Bulkley\Start Menu\Programs\Startup\
Registration-Studio 8.lnk - C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe [2007-07-02 20:31:15]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2005-07-18 14:22:11]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-11 21:54:10]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-04 21:07:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

C:\DOCUME~1\CECEBU~1\STARTM~1\Programs\Startup\
Registration-Studio 8.lnk - C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe [2007-07-02 20:31:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 11:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"NProtectService"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)

S3 SQTECH913D;Photo Frame;C:\WINDOWS\system32\Drivers\Capt8080.sys [2007-03-24 17:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3ea7a48-73a1-11dc-be05-0080c81f098f}]
\Shell\AutoRun\command - E:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - E:\system\viewer\FlipVideoforPC.exe

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 19:38:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 19:40:19
ComboFix-quarantined-files.txt 2008-01-09 05:39:56
ComboFix2.txt 2008-01-07 05:05:27
.
2007-12-22 00:07:27 --- E O F ---

#14 Buckeye_Sam

  • Malware Expert
  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:56 PM

Posted 09 January 2008 - 09:10 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\txtytdad.ini
C:\WINDOWS\system32\rbcdsbqg.ini
C:\WINDOWS\system32\scfhldjt.ini
C:\WINDOWS\system32\fpihcyak.ini
C:\WINDOWS\system32\ehiitedp.ini
C:\WINDOWS\system32\pfvqfnqn.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200bd1a8-c556-4c41-8f40-6d751a7f9773}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
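The post above asks the user to write a CFScript with File:: and Registry:: sections and then report the ComboFix log it produces. The following script is an added example, not part of this thread or of ComboFix: it parses such a CFScript and the "Other Deletions" section of the resulting log, and reports which requested file deletions the log actually confirms, so a helper can check the result rather than eyeball it. The sample script and log are constructed from the paths shown in the thread; the log is deliberately missing one file to show the failure case.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example for the BleepingComputer thread above; not part of the thread
or of ComboFix. The sample inputs below are constructed from the paths the
helper listed, with one file deliberately absent from the log's deletions.
"""
import re

# Constructed sample CFScript, same layout as the one posted in the thread.
SAMPLE_CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\txtytdad.ini
C:\\WINDOWS\\system32\\rbcdsbqg.ini
C:\\WINDOWS\\system32\\scfhldjt.ini

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{200bd1a8-c556-4c41-8f40-6d751a7f9773}]
"""

# Constructed sample ComboFix log: only two of the three files appear under
# "Other Deletions", so the check must flag the third as unconfirmed.
SAMPLE_LOG = """\
ComboFix 08-01-04.1 - User 2008-01-09 9:31:53.3 - NTFSx86
Command switches used :: C:\\CFScript.txt

FILE
C:\\WINDOWS\\system32\\rbcdsbqg.ini
C:\\WINDOWS\\system32\\scfhldjt.ini
C:\\WINDOWS\\system32\\txtytdad.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\WINDOWS\\system32\\rbcdsbqg.ini
C:\\WINDOWS\\system32\\txtytdad.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
"""


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Return {"File": [...], "Registry": [...]} keyed by the 'Name::' headers."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"([A-Za-z]+)::", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_other_deletions(log: str) -> list[str]:
    """Collect the paths listed under the 'Other Deletions' banner of a ComboFix log."""
    deleted: list[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("(((("):  # the next banner ends the section
                break
            if line not in ("", "."):
                deleted.append(line)
    return deleted


def check_deletions(cfscript: str, log: str) -> dict[str, list[str]]:
    """Split File:: entries into confirmed and missing deletions (paths compared case-insensitively)."""
    requested = parse_cfscript(cfscript).get("File", [])
    deleted = {p.lower() for p in parse_other_deletions(log)}
    confirmed = [p for p in requested if p.lower() in deleted]
    missing = [p for p in requested if p.lower() not in deleted]
    return {"confirmed": confirmed, "missing": missing}


if __name__ == "__main__":
    result = check_deletions(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    for status, paths in result.items():
        for path in paths:
            print(f"{status:9s} {path}")
```

Any path reported as missing should be looked for again in a fresh log before the machine is declared clean.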


========================================================

#15 ceceb

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 09 January 2008 - 02:44 PM

ComboFix 08-01-04.1 - Cece Bulkley 2008-01-09 9:31:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.611 [GMT -10:00]
Running from: C:\Documents and Settings\Cece Bulkley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cece Bulkley\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ehiitedp.ini
C:\WINDOWS\system32\fpihcyak.ini
C:\WINDOWS\system32\pfvqfnqn.ini
C:\WINDOWS\system32\rbcdsbqg.ini
C:\WINDOWS\system32\scfhldjt.ini
C:\WINDOWS\system32\txtytdad.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ehiitedp.ini
C:\WINDOWS\system32\fpihcyak.ini
C:\WINDOWS\system32\pfvqfnqn.ini
C:\WINDOWS\system32\rbcdsbqg.ini
C:\WINDOWS\system32\scfhldjt.ini
C:\WINDOWS\system32\txtytdad.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-07 20:03 . 2008-01-07 20:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-07 20:03 . 2008-01-07 20:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-01-07 19:43 . 2007-12-27 14:57 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-07 19:43 . 2007-12-27 14:57 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-07 19:43 . 2007-12-27 14:58 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-07 19:43 . 2008-01-05 19:41 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-07 19:43 . 2008-01-05 19:41 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-06 18:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 19:44 . 2008-01-05 20:17 <DIR> d-------- C:\VundoFix Backups
2008-01-05 15:08 . 2008-01-05 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-01-05 14:04 . 2008-01-07 10:26 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-05 12:36 . 2008-01-05 12:46 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-04 21:09 . 2008-01-07 19:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-04 21:09 . 2008-01-04 21:09 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\PC Tools
2008-01-04 21:09 . 2008-01-09 09:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-01-04 21:09 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-04 21:09 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-04 21:09 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-04 21:09 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-04 21:09 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-04 21:07 . 2008-01-09 09:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-01-04 12:59 . 2008-01-04 12:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-29 15:16 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-12-29 15:16 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\dllcache\slip.sys
2007-12-29 12:04 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-12-29 12:04 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-12-29 12:04 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-12-29 12:04 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-12-29 12:04 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-12-29 12:04 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\dllcache\mstee.sys
2007-12-29 12:02 . 2007-12-29 12:02 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\InstallShield
2007-12-29 12:02 . 2007-03-24 17:27 26,240 --a------ C:\WINDOWS\system32\drivers\Camd8080.sys
2007-12-29 12:02 . 2007-03-24 17:27 16,640 --a------ C:\WINDOWS\system32\drivers\Capt8080.sys
2007-12-27 22:01 . 2007-12-27 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-12-27 22:01 . 2006-11-09 16:04 73,288 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-27 21:51 . 2007-12-27 21:51 1,024 --a------ C:\WINDOWS\system32\drivers\2DFBE721-DFD9-42C6-881B-48D01F63AD5F.cxv
2007-12-27 21:37 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-12-27 21:37 . 2006-11-09 16:04 280,392 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-27 21:37 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-27 21:37 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-27 14:46 . 2007-12-27 14:47 84,349,774 --a------ C:\reg_backup.reg
2007-12-27 13:33 . 2008-01-06 12:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-12-27 12:43 . 2007-12-27 12:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-27 12:43 . 2007-12-27 12:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-12-27 12:41 . 2007-12-27 12:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 11:33 . 2007-12-27 11:34 4,096 --a------ C:\WINDOWS\system32\drivers\0D75B75B-C895-4704-9C5E-D0894BD38A46.cxv
2007-12-27 11:28 . 2007-12-27 21:56 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-27 11:28 . 2007-12-27 11:28 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-27 11:28 . 2007-12-27 21:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-12-26 16:28 . 2007-12-26 16:28 <DIR> d-------- C:\Program Files\MyWaySA
2007-12-26 15:55 . 2007-12-26 15:55 <DIR> d-------- C:\Documents and Settings\Cece Bulkley\Application Data\AdwareAlert
2007-12-26 15:54 . 2007-12-26 16:27 <DIR> d-------- C:\Program Files\AdwareAlert
2007-12-20 09:54 . 2007-12-20 09:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 05:43 --------- d-----w C:\Program Files\DellSupport
2008-01-08 05:43 --------- d-----w C:\Program Files\Apoint
2008-01-07 20:29 --------- d-----w C:\Program Files\Common Files\Real
2008-01-07 04:58 --------- d-----w C:\Program Files\QuickTime
2008-01-06 07:11 --------- d-----w C:\Program Files\Trend Micro
2008-01-05 07:07 --------- d-----w C:\Program Files\Google
2008-01-03 21:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-01 01:31 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-29 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 21:01 --------- d--ha-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
2007-12-27 22:33 --------- d-----w C:\Program Files\Plaxo
2007-12-27 09:01 131 ----a-w C:\Program Files\uninstall.log
2007-12-22 20:11 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 03:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 03:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 20:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-03 00:21 110,264 -c--a-w C:\Documents and Settings\Cece Bulkley\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_19.05.06.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-28 00:58:01 127,035 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2005-05-24 22:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-30 01:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-30 01:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-28 00:57:46 172,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-06 11:31 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-05 19:41 15360]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2008-01-06 11:31 321040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-27 14:58 77824]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2008-01-06 11:29 1807960]

C:\Documents and Settings\Cece Bulkley\Start Menu\Programs\Startup\
Registration-Studio 8.lnk - C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe [2007-07-02 20:31:15]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2005-07-18 14:22:11]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-11 21:54:10]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-04 21:07:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 11:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"NProtectService"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)

S3 SQTECH913D;Photo Frame;C:\WINDOWS\system32\Drivers\Capt8080.sys [2007-03-24 17:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3ea7a48-73a1-11dc-be05-0080c81f098f}]
\Shell\AutoRun\command - E:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - E:\system\viewer\FlipVideoforPC.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 09:35:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-09 9:36:22
ComboFix-quarantined-files.txt 2008-01-09 19:36:00
ComboFix2.txt 2008-01-09 05:40:20
ComboFix3.txt 2008-01-07 05:05:27
.
2008-01-09 06:58:59 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:39 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Registration-Studio 8.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7859 bytes