
Ie Pop Up Ad New Redirection To Url


7 replies to this topic

#1 maza

maza

  • Members
  • 22 posts

Posted 10 January 2008 - 09:36 PM

Hello everyone,
Many thanks to the good guys who help a lot in this community. I have this problem and have tried to solve it in different ways, but no luck yet. New IE pop-ups keep coming; below is my HijackThis log along with the ComboFix log. I tried VundoFix also, and the files it detected are as follows.
C:\windows32\gebya.dll
c:windows32\aybeg.ini2
c:\windos32\aybeg.ini
I also tried VirtumundoBeGone.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:34, on 2008-01-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\iolo\System Mechanic Professional 7\IoloSGCtrl.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter .exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\stng260.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV .exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 7\IoloSGCtrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 8996 bytes

Here is the ComboFix log

ComboFix 08-01-10.2 - maryam 2008-01-11 10:30:08.2 - NTFSx86
Running from: C:\Documents and Settings\maryam\Desktop\ComboFix.exe
.
The following files were disabled during the run:
C:\Program Files\iolo\Common\Lib\sguard.dll

/wow section - STAGE 30A

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\aybeg.ini2
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 11:32 . 2008-01-11 11:32 <DIR> d-------- C:\Temp\tn3
2008-01-10 19:50 . 2008-01-10 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 19:49 . 2008-01-11 11:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-10 19:49 . 2008-01-10 19:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 19:49 . 2008-01-10 19:49 <DIR> d-------- C:\Documents and Settings\maryam\Application Data\SUPERAntiSpyware.com
2008-01-08 23:28 . 2008-01-08 23:33 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-08 22:53 . 2008-01-08 23:32 <DIR> d-------- C:\VundoFix Backups
2008-01-08 19:23 . 2008-01-11 10:42 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-08 15:04 . 2008-01-08 15:05 <DIR> d-------- C:\Program Files\Crawler
2008-01-08 15:04 . 2008-01-09 17:39 <DIR> d-------- C:\Documents and Settings\maryam\Application Data\Spyware Terminator
2008-01-08 15:04 . 2008-01-08 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-08 15:03 . 2008-01-11 11:37 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-08 13:10 . 2008-01-10 23:49 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-07 20:30 . 2008-01-11 10:49 <DIR> d-------- C:\Documents and Settings\maryam\Application Data\ComcastToolbar
2008-01-07 19:40 . 2008-01-07 19:40 54,033 --a------ C:\WINDOWS\system32\memouint.exe
2008-01-07 19:38 . 2008-01-07 19:38 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-07 19:38 . 2008-01-07 19:39 <DIR> d-------- C:\Temp\cEeer12
2008-01-01 20:46 . 2008-01-01 20:46 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2007-12-22 18:14 . 2007-12-22 18:14 79 --a------ C:\WINDOWS\ASYM.INI
2007-12-15 21:28 . 2007-12-15 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-13 15:27 . 2007-12-13 15:27 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\iolo
2007-12-13 15:07 . 2007-12-13 15:07 3,856 --a------ C:\WINDOWS\crmtemp1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 16:36 345,088 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-11 16:34 324,608 ----a-w C:\WINDOWS\system32\gebya.dll
2008-01-11 16:31 932 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-11 01:31 --------- d-----w C:\Program Files\Trend Micro
2008-01-09 03:20 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2008-01-08 01:32 --------- d-----w C:\Program Files\ComcastToolbar
2008-01-08 00:39 86,016 ----a-w C:\WINDOWS\system32\drivers\pciidexx.sys
2008-01-02 20:36 434,848 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-12-27 13:37 425,984 ----a-w C:\WINDOWS\system32\memosjop.dll
2007-12-20 02:29 --------- d-----w C:\Program Files\MP3-Xtreme
2007-12-16 01:52 --------- d-----w C:\Documents and Settings\maryam\Application Data\BitZipper
2007-12-14 22:13 23,040 ----a-w C:\WINDOWS\system32\smrgdf.exe
2007-12-13 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-13 17:25 139,264 ----a-w C:\WINDOWS\system32\mobjchku.exe
2007-12-11 18:14 151,552 ----a-w C:\WINDOWS\system32\rushxtlc.exe
2007-12-11 18:14 151,552 ----a-w C:\WINDOWS\system32\bkmoopob.exe
2007-12-04 20:02 --------- d-----w C:\Program Files\Learn2.com
2007-12-04 20:02 --------- d-----w C:\Documents and Settings\maryam\Application Data\Learn2.com
2007-12-04 02:47 286,720 ----a-w C:\WINDOWS\iun507.exe
2007-11-29 20:23 --------- d-----w C:\Documents and Settings\maryam\Application Data\MegauploadToolbar
2007-11-29 20:22 --------- d-----w C:\Program Files\MegauploadToolbar
2007-11-21 03:34 35,840 ----a-w C:\WINDOWS\system32\iolobtdfg.exe
2007-11-21 02:14 --------- d-----w C:\Program Files\ACW
2007-11-21 00:14 668,160 ----a-w C:\WINDOWS\is-84F00.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 00:55 668,160 ----a-w C:\WINDOWS\is-105TN.exe
2007-11-01 23:47 668,160 ----a-w C:\WINDOWS\is-PLOCR.exe
2007-10-31 20:16 68,296 -c--a-w C:\Documents and Settings\maryam\Application Data\GDIPFONTCACHEV1.DAT
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-12-24 02:34 8,192 ----a-r C:\Documents and Settings\maryam\eacsnd.dll
1997-09-04 15:13 961,536 ----a-w C:\Documents and Settings\maryam\nfs2sea.exe
1997-09-03 12:03 127,488 ----a-r C:\Documents and Settings\maryam\DSETUP.DLL
1995-06-25 01:53 74,068 ----a-w C:\Documents and Settings\maryam\SLICKS.EXE
1995-05-31 23:20 16,363 -c--a-w C:\Documents and Settings\maryam\SSHELP.EXE
1995-05-21 16:08 26,909 -c--a-w C:\Documents and Settings\maryam\SLICKS.DAT
2005-12-26 03:49 514,601 -csha-w C:\WINDOWS\system32\bbeeg.bak1
2006-01-04 23:34 495,901 -csha-w C:\WINDOWS\system32\bbeeg.bak2
2006-01-05 12:25 498,882 -csha-w C:\WINDOWS\system32\bbeeg.ini2
.
<pre>
----a-w		   210,112 2008-01-11 16:34:34  C:\Program Files\BillP Studios\WinPatrol\WinPatrol .exe
----a-w		   151,552 2008-01-09 03:18:27  C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient .exe
----a-w		   830,112 2008-01-09 23:24:41  C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer .exe
----a-w		   483,488 2008-01-11 16:34:38  C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter .exe
----a-w		 1,183,072 2008-01-11 12:20:57  C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV	  .exe
----a-w		 1,547,264 2008-01-11 12:19:43  C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV	 .exe
----a-w		 1,183,072 2008-01-11 13:34:29  C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV	.exe
----a-w		 1,183,072 2008-01-11 00:24:48  C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV   .exe
------w		 1,183,072 2008-01-11 00:24:58  C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV  .exe
----a-w		 1,368,416 2008-01-11 12:21:16  C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW	  .exe
----a-w		 1,732,608 2008-01-11 12:20:05  C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW	 .exe
----a-w		 1,368,416 2008-01-11 13:34:51  C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW	.exe
----a-w		 1,368,416 2008-01-11 00:25:13  C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW   .exe
----a-w		 1,368,416 2008-01-11 00:25:25  C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW  .exe
----a-w		 2,834,432 2008-01-11 16:35:04  C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
----a-w		 1,318,912 2008-01-11 16:34:55  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		   158,208 2008-01-09 03:20:58  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w			15,360 2008-01-11 04:49:24  C:\WINDOWS\system32\ctfmon .exe
</pre>

Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_19.14.52.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-11 00:50:34 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-11 00:50:32 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-11 00:50:37 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA6C4CD7-ADDA-4311-8D42-E95840B3C811}]
2008-01-11 11:34 324608 --a------ C:\WINDOWS\system32\gebya.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-11 07:19 1760768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [2008-01-11 07:19 616448]
"SystemGuardAlerter"="C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe" [2008-01-11 07:19 835584]
"iolo AntiVirus"="C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV .exe" [2008-01-11 07:20 1183072]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-01-11 07:19 3190784]
"iolo Personal Firewall"="C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW .exe" [2008-01-11 07:21 1368416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-05-18 17:43:44]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\gebya.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebya

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinToolsSvc"=2 (0x2)
"PCCPFW"=2 (0x2)

R0 XPacket;iolo Personal Firewall Driver;C:\WINDOWS\system32\xpacket.sys [2007-05-18 15:08]
R1 pciidexx;pciidexx;C:\WINDOWS\system32\drivers\pciidexx.sys [2008-01-07 19:39]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-08 23:33]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-07-20 11:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 01:26:18 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-01-11 16:36:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2002-12-24 00:34:12 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 11:34:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\aybeg.ini 319 bytes
C:\WINDOWS\system32\aybeg.ini2 319 bytes
C:\WINDOWS\system32\gebya.exe 328192 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\iolo\Common\Lib\sguard.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\Program Files\iolo\Common\Lib\sguard.dll
.
Completion time: 2008-01-11 11:44:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 16:44:01
ComboFix2.txt 2008-01-11 00:18:14
.
2007-12-26 01:37:25 --- E O F ---
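As an added example (not part of the original post, and not output or code from HijackThis, ComboFix or any other tool named in this thread), the following Python script triages log lines shaped like the ones above. It flags the loading points these logs surface: an unnamed BHO whose DLL sits in system32, a non-empty HKCU `Windows NT\CurrentVersion\Windows` "load" value, an LSA Authentication Packages entry other than msv1_0, executables with whitespace before ".exe" (so "ctfmon .exe" sits beside the real ctfmon.exe), and a system32 .dll whose reversed name appears as an .ini (gebya.dll next to aybeg.ini). The sample lines, rule names and helper functions are constructed for this example.

```python
"""Triage of HijackThis / ComboFix-style log lines for the loading points
seen in the posted logs. Constructed example: the rule names, helpers and
sample lines below are this script's own, not output of either tool."""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Constructed sample lines, modelled on the shapes in the posted logs.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {EA6C4CD7-ADDA-4311-8D42-E95840B3C811} - C:\WINDOWS\system32\gebya.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"load"=C:\WINDOWS\system32\gebya.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebya
C:\WINDOWS\system32\aybeg.ini 319 bytes
2008-01-08 13:10 . 2008-01-10 23:49 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
"""

# Whitespace between the base name and the extension ("ctfmon .exe"):
# a look-alike that sits beside the genuine file in a directory listing.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(?:exe|dll)\b", re.IGNORECASE)
# HKCU\...\Windows NT\CurrentVersion\Windows "load": legitimately empty.
LOAD_VALUE = re.compile(r'^"load"=(.*)$')
# Bare file stems directly under system32 with a .dll or .ini extension.
SYSTEM32_FILE = re.compile(r"\\system32\\([a-z0-9]+)\.(dll|ini)\b", re.IGNORECASE)


def extract_stems(lines):
    """Return (dll_stems, ini_stems) for files living directly in system32."""
    dlls, inis = set(), set()
    for line in lines:
        for m in SYSTEM32_FILE.finditer(line):
            target = dlls if m.group(2).lower() == "dll" else inis
            target.add(m.group(1).lower())
    return dlls, inis


def triage(log_text):
    """Scan log text and return a list of Finding(rule, line)."""
    findings = []
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    for line in lines:
        if SPACE_BEFORE_EXT.search(line):
            findings.append(Finding("space-before-extension", line))
        # HijackThis O2 line: a BHO with no registered name loaded from system32
        if line.startswith("O2 - BHO: (no name)") and "\\system32\\" in line.lower():
            findings.append(Finding("unnamed-bho-in-system32", line))
        m = LOAD_VALUE.match(line)
        if m and m.group(1).strip():
            findings.append(Finding("winlogon-load-value", line))
        # LSA Authentication Packages: only msv1_0 is expected on a stock XP box
        if line.startswith("Authentication Packages"):
            extras = [t for t in line.split()[3:] if t.lower() != "msv1_0"]
            if extras:
                findings.append(Finding("extra-lsa-auth-package", line))
    # A .dll whose reversed stem shows up as an .ini in the same directory
    dlls, inis = extract_stems(lines)
    for stem in sorted(dlls):
        if stem[::-1] in inis:
            findings.append(Finding("reversed-name-pair",
                                    f"{stem}.dll <-> {stem[::-1]}.ini"))
    return findings


if __name__ == "__main__":
    # Usage: python triage.py [logfile]; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.rule}] {f.line}")
```

Each rule only asserts what the log line itself shows; a hit is a lead to verify (file hashes, signer, creation time), not a verdict, and the space-before-extension rule will also catch legitimate files if a vendor really ships one with such a name.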



#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 13 January 2008 - 04:47 PM

Hi maza
Sorry for the delay in answering your post.
If you still need help, could you please post back a new HJT log... things change so quickly and we need to see what's happening now.
Thanks

Starbuck



#3 maza

maza
  • Topic Starter

  • Members
  • 22 posts

Posted 13 January 2008 - 05:07 PM

Thanks for the reply, Starbuck (the greatest coffee on earth).
Here is the log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:43 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\iolo\System Mechanic Professional 7\IoloSGCtrl.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 7\IoloSGCtrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 9267 bytes

#4 Starbuck
  • 'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 13 January 2008 - 05:26 PM

Hi maza,

Starbuck (The greatest coffee on earth)

But of course :thumbsup:

Please take note of the following:

1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Starbuck



#5 maza
  • Topic Starter
  • Members
  • 22 posts

Posted 13 January 2008 - 05:41 PM

Got it.

#6 Starbuck
  • 'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 14 January 2008 - 01:06 PM

Hi maza

I see from your 1st post that you have already run ComboFix.
As you can see from this:

The following files were disabled during the run:
C:\Program Files\iolo\Common\Lib\sguard.dll

It is not a program to run without supervision. It has to be run properly.

Please delete the previous copy of ComboFix.
Now you need to install the latest version:

There are full instructions on how to download and run ComboFix here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I would strongly suggest that you read it completely first and follow all instructions to the letter.

After ComboFix has completed, please post the combofix.txt as a reply to this post along with a new HJT log.

Thanks



#7 maza
  • Topic Starter
  • Members
  • 22 posts

Posted 22 January 2008 - 05:08 PM

Here are the logs:
ComboFix 08-01-23.1 - maryam 2008-01-22 16:11:02.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.455 [GMT -5:00]
Running from: C:\Documents and Settings\maryam\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program Files\iolo\Common\Lib\sguard.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 16:25 . 2008-01-23 16:25 <DIR> d-------- C:\Temp\tn3
2008-01-20 18:06 . 2008-01-22 13:28 250 --a------ C:\WINDOWS\gmer.ini
2008-01-19 14:54 . 2008-01-19 14:54 <DIR> d-------- C:\Deckard
2008-01-11 23:30 . 2008-01-11 23:30 <DIR> d-------- C:\Temp\Ryuan1
2008-01-11 22:39 . 2008-01-11 22:39 <DIR> d-------- C:\spoolerlogs
2008-01-11 18:47 . 2008-01-11 18:47 401,720 --a------ C:\seek.exe
2008-01-11 17:24 . 2008-01-20 20:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 17:24 . 2008-01-11 17:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-11 14:12 . 2008-01-11 14:12 65,201 --a------ C:\msconfig_xp.zip
2008-01-11 09:14 . 2008-01-11 09:14 1,144,839 --a------ C:\stng260.exe
2008-01-11 09:06 . 2008-01-15 17:42 26,734 --a------ C:\WINDOWS\system32\.dmp
2008-01-11 08:42 . 2008-01-15 18:36 4,831,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-11 08:42 . 2008-01-15 18:36 67,868 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-11 08:42 . 2008-01-15 18:36 37,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-11 08:42 . 2008-01-15 18:36 6,644 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-11 08:36 . 2008-01-11 08:36 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-11 08:34 . 2008-01-11 08:34 <DIR> d-------- C:\KAV
2008-01-11 06:30 . 2008-01-11 06:30 14,463,048 --a------ C:\TrojanHunterSetup.exe
2008-01-10 19:49 . 2008-01-20 10:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-10 19:49 . 2008-01-10 19:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 23:28 . 2008-01-08 23:33 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-08 22:53 . 2008-01-11 23:55 <DIR> d-------- C:\VundoFix Backups
2008-01-08 19:23 . 2008-01-20 18:41 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-08 19:07 . 2008-01-08 22:20 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-08 15:04 . 2008-01-08 15:05 <DIR> d-------- C:\Program Files\Crawler
2008-01-08 15:03 . 2008-01-21 15:25 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-07 19:40 . 2008-01-07 19:40 54,033 --a------ C:\WINDOWS\system32\memouint.exe
2008-01-07 19:39 . 2008-01-07 19:39 <DIR> d-------- C:\WINDOWS\system32\winz0
2008-01-07 19:39 . 2008-01-08 18:11 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-07 19:39 . 2008-01-07 19:39 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-07 19:39 . 2008-01-07 19:39 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-07 19:39 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushxtlc.exe
2008-01-07 19:39 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
2008-01-07 19:39 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
2008-01-07 19:39 . 2008-01-07 19:39 86,016 --a------ C:\WINDOWS\system32\drivers\pciidexx.sys
2008-01-07 19:39 . 2008-01-23 16:24 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-07 19:38 . 2008-01-10 19:30 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-07 19:38 . 2008-01-07 19:39 <DIR> d-------- C:\Temp\cEeer12
2008-01-01 20:46 . 2008-01-01 20:46 <DIR> d-------- C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 01:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 22:30 --------- d-----w C:\Program Files\temp
2008-01-11 01:31 --------- d-----w C:\Program Files\Trend Micro
2008-01-08 01:32 --------- d-----w C:\Program Files\ComcastToolbar
2007-12-20 02:29 --------- d-----w C:\Program Files\MP3-Xtreme
2007-12-04 20:02 --------- d-----w C:\Program Files\Learn2.com
2007-12-04 02:47 286,720 ----a-w C:\WINDOWS\iun507.exe
2007-11-29 20:22 --------- d-----w C:\Program Files\MegauploadToolbar
2007-11-21 00:14 668,160 ----a-w C:\WINDOWS\is-84F00.exe
2007-11-13 00:55 668,160 ----a-w C:\WINDOWS\is-105TN.exe
2007-11-01 23:47 668,160 ----a-w C:\WINDOWS\is-PLOCR.exe
.

((((((((((((((((((((((((((((( snapshot_2008-01-19_19.58.56.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-10-27 17:06:30 49,152 ----a-w C:\WINDOWS\Downloaded Program Files\VaioInfo.dll
- 2008-01-20 00:32:45 266,240 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 21:09:52 266,240 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 00:32:45 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 21:09:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 00:32:46 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 21:09:52 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 00:32:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 21:09:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 00:32:48 8,642,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-22 21:09:53 8,630,272 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 00:32:48 135,168 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 21:09:53 135,168 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 23:06:10 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 14:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1684\_PerfCounter.dll
+ 2008-01-09 03:20:58 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
+ 2008-01-20 23:06:10 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-11 23:59 1318912]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [ ]
"SystemGuardAlerter"="C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe" [2008-01-11 23:59 483488]
"iolo AntiVirus"="C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe" [2008-01-10 19:24 1183072]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-01-11 11:59 2834432]
"iolo Personal Firewall"="C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-05-18 17:43:44 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinToolsSvc"=2 (0x2)
"PCCPFW"=2 (0x2)

R0 XPacket;iolo Personal Firewall Driver;C:\WINDOWS\system32\xpacket.sys [2007-05-18 15:08]
R1 pciidexx;pciidexx;C:\WINDOWS\system32\drivers\pciidexx.sys [2008-01-07 19:39]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-08 23:33]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-07-20 11:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 01:26:18 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-01-23 21:28:26 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2002-12-24 00:34:12 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 16:27:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\iolo\Common\Lib\sguard.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\iolo\Common\Lib\sguard.dll
-> C:\WINDOWS\system32\iavlsp.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\iolo\Common\Lib\sguard.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\Program Files\iolo\Common\Lib\sguard.dll
.
Completion time: 2008-01-23 16:36:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 21:36:42
ComboFix2.txt 2008-01-20 22:42:18
ComboFix3.txt 2008-01-20 00:59:46
ComboFix4.txt 2008-01-15 21:35:34
ComboFix5.txt 2008-01-13 20:12:45
.
2008-01-20 03:14:02 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:48 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iolo\System Mechanic Professional 7\IoloSGCtrl.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 7\IoloSGCtrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 9484 bytes

#8 Starbuck
  • 'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 23 January 2008 - 04:12 PM

Maza

I cannot stress enough just how powerful ComboFix is, and that it must be run properly under supervision.
Not only so that it can function correctly, but also to safeguard your computer.
Incorrect use can do a lot of damage.
The 1st ComboFix report you submitted shows it was a 2nd run.
Your next report shows it was the 8th time it had been run!
Why are you running this program when not asked to?

I asked you to follow the instructions to the letter........
but as you can see your iolo software was still running.

The following files were disabled during the run:
C:\Program Files\iolo\Common\Lib\sguard.dll

The tutorial clearly states:

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

I had mentioned this before to you.

The report shows.......
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
The tutorial clearly states that:

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

In other words... this could be your only failsafe if things go belly up.

You have a serious infection on your computer and we'll only be able to remove it if you follow my instructions completely.

All the helpers here give their time freely.... all we ask is that you follow our instructions correctly.
Can you please acknowledge these points and let me know if you want my help to continue.

Starbuck.
