Please Analyze Hjt - Popups Galore.. Thank You!


18 replies to this topic

#1 ibinjacked

  • Members
  • 9 posts

Posted 18 January 2008 - 01:33 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26, on 2008-01-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Documents and Settings\saxxest\Desktop\malware-virus\ShwMe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2052111302-1336601894-839522115-1012\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200107173078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200107404156
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {D28CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7661 bytes



#2 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 January 2008 - 07:59 PM

Hello ibinjacked,

Welcome to Bleeping Computer :thumbsup:

First you should know that you're actually doing more harm than good by running two antivirus programs (Kaspersky and Avast!). When you do this, both programs compete for resources, and the end result is that neither does its best, and it can cause system instability. I recommend that you choose the one you want to keep, update it, disable the other one, and use it as an on-demand-only scanner occasionally. I also see remnants of McAfee. Did you try to uninstall it at some point?

We need to disable Spysweeper Shields:

To disable SpySweeper Shields
  • Open SpySweeper.
  • Click Shield Settings on the right
    (or Shields on the left, depending what screen you're on).
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Hosts File and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Close SpySweeper.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 ibinjacked

  • Topic Starter
  • Members
  • 9 posts

Posted 19 January 2008 - 02:58 AM

Hi Tea-Cee,

I still have McAfee. I did (today) uninstall Avast antivirus and Spy Sweeper. Here is my ComboFix log followed by my HJT log... thanks for your help!

-------------------
ComboFix 08-01-18.5 - saxxest 2008-01-18 19:17:11.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.640 [GMT -8:00]
Running from: C:\Documents and Settings\saxxest\Desktop\malware-virus\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-18 19:20 . 2008-01-18 19:20 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-18 19:18 . 2008-01-18 19:18 <DIR> d-------- C:\Temp\tn3
2008-01-18 18:07 . 2008-01-18 18:07 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-18 18:05 . 2008-01-18 18:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-17 23:51 . 2008-01-17 23:51 106 --a------ C:\delete.bat
2008-01-17 23:31 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-17 23:31 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-17 23:30 . 2008-01-17 23:30 <DIR> d-------- C:\Program Files\Sygate
2008-01-17 23:30 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-17 22:44 . 2008-01-17 22:44 <DIR> d-------- C:\Deckard
2008-01-17 22:35 . 2008-01-18 01:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SUPERAntiSpyware.com
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-16 19:22 . 2008-01-16 19:22 0 --a------ C:\WINDOWS\pestpatrol5.INI
2008-01-15 21:39 . 2008-01-15 21:40 <DIR> d-------- C:\hjt
2008-01-15 21:32 . 2008-01-15 21:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-11 19:10 . 2008-01-18 18:25 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-11 19:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-11 19:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-10 19:11 . 2008-01-18 17:18 512 --a------ C:\WINDOWS\randseed.rnd
2008-01-10 00:04 . 2008-01-17 23:10 4,886,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-10 00:04 . 2008-01-17 23:10 220,192 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-10 00:04 . 2008-01-17 23:10 66,524 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-10 00:04 . 2008-01-17 23:10 21,716 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-10 00:02 . 2008-01-10 00:02 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-10 00:02 . 2008-01-16 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-10 00:01 . 2008-01-10 00:01 <DIR> d-------- C:\KAV
2008-01-09 22:24 . 2008-01-10 19:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-09 20:46 . 2008-01-09 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 20:45 . 2008-01-17 22:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 23:45 . 2008-01-08 23:53 <DIR> d-------- C:\Documents and Settings\saxxest\.housecall6.6
2008-01-08 23:45 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-07 23:34 . 2008-01-07 23:34 2,335,270 --a------ C:\WINDOWS\system32\54d2D.mht
2008-01-07 23:34 . 2008-01-07 23:34 128,352 --a------ C:\WINDOWS\system32\c562E.dll
2008-01-07 23:34 . 2008-01-07 23:34 54,624 --a------ C:\WINDOWS\system32\c562E.sys
2008-01-07 22:21 . 2008-01-07 22:21 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 01:55 . 2008-01-07 01:55 2,335,270 --a------ C:\WINDOWS\system32\7a053.mht
2008-01-07 01:55 . 2008-01-07 01:55 128,352 --a------ C:\WINDOWS\system32\f0654.dll
2008-01-07 01:55 . 2008-01-07 01:55 54,624 --a------ C:\WINDOWS\system32\f0654.sys
2008-01-07 01:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 01:17 . 2008-01-10 03:14 <DIR> d-------- C:\VundoFix Backups
2008-01-07 00:36 . 2008-01-18 23:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 00:31 . 2008-01-07 00:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-06 22:36 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
2008-01-06 22:35 . 2008-01-06 22:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-06 22:32 . 2008-01-06 22:33 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 22:17 . 2008-01-06 22:17 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-06 21:57 . 2004-08-04 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-06 21:55 . 2004-08-04 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-06 21:54 . 2004-08-04 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-06 21:53 . 2004-08-04 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-06 21:52 . 2004-08-04 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-06 21:51 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-06 19:20 . 2008-01-17 23:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-06 19:17 . 2008-01-18 23:42 2,422 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-06 16:05 . 2008-01-07 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\winz7
2008-01-06 16:01 . 2008-01-10 03:38 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-06 16:01 . 2008-01-08 22:37 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-06 16:01 . 2008-01-10 22:26 <DIR> d--hs---- C:\WINDOWS\bXJuYw
2008-01-06 16:01 . 2008-01-06 16:01 86,016 --a------ C:\WINDOWS\system32\drivers\usb80233.sys
2008-01-06 16:01 . 54,764 C:\WINDOWS\system32\mp32s.sys
2008-01-06 16:00 . 2008-01-10 03:35 <DIR> d-------- C:\WINDOWS\system32\ardCo17
2008-01-06 16:00 . 2008-01-18 19:18 <DIR> d-------- C:\Temp
2007-12-29 19:37 . 2007-12-30 17:41 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\BitTorrent
2007-12-29 19:36 . 2007-12-29 19:36 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\MySpace
2007-12-29 19:35 . 2007-12-29 19:35 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\Intel
2007-12-26 23:34 . 2008-01-06 16:00 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\BitTorrent
2007-12-26 23:28 . 2008-01-07 02:22 <DIR> d-------- C:\Program Files\DNA
2007-12-26 23:28 . 2008-01-06 15:58 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\DNA
2007-12-23 21:43 . 2007-12-23 21:43 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SlySoft
2007-12-23 19:45 . 2007-12-23 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-23 19:37 . 2007-12-23 19:38 <DIR> d-------- C:\Program Files\SlySoft
2007-12-23 19:37 . 2008-01-10 00:06 0 ---hs---- C:\WINDOWS\SB2F16C1D.tmp
2007-12-22 14:52 . 2007-12-22 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Disney
2007-12-22 14:45 . 2007-12-22 14:45 <DIR> d-------- C:\Program Files\Disney
2007-12-22 14:45 . 2008-01-08 23:18 <DIR> d-------- C:\Program Files\DIGStream
2007-12-22 14:45 . 2008-01-07 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DIGStream
2007-12-19 12:05 . 2007-12-19 12:05 97,216 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 01:40 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-01-19 01:37 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-18 09:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 09:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-01-14 07:10 --------- d-----w C:\Documents and Settings\saxxest\Application Data\dvdcss
2008-01-12 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 03:12 --------- d-----w C:\Program Files\Google
2008-01-10 04:46 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 04:46 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Lavasoft
2008-01-09 07:45 --------- d-----w C:\Program Files\Java
2008-01-09 07:19 --------- d-----w C:\Program Files\Plaxo
2008-01-09 07:18 --------- d-----w C:\Program Files\QuickTime Alternative
2008-01-09 07:18 --------- d-----w C:\Program Files\iTunes
2008-01-09 07:18 --------- d-----w C:\Program Files\Apoint
2008-01-05 07:12 --------- d-----w C:\Program Files\MxMonitor
2007-12-30 09:39 --------- d-----w C:\Program Files\pinochle
2007-12-28 06:06 --------- d-----w C:\Program Files\Native Instruments
2007-12-28 05:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-24 20:05 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Vidalia
2007-12-22 07:00 --------- d-----w C:\Program Files\audiograbber
2007-12-12 05:56 --------- d-----w C:\Program Files\Vidalia Bundle
2007-12-11 02:32 --------- d-----w C:\Program Files\Citrix
2007-12-06 02:25 --------- d-----w C:\Program Files\Magic Folders
2007-12-04 06:35 --------- d-----w C:\Documents and Settings\saxxest\Application Data\JAM Software
2007-11-22 05:02 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-11-19 05:13 --------- d-----w C:\Program Files\Canon
.
<pre>
----a-w		   313,472 2008-01-08 05:40:27  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w			50,760 2008-01-08 05:40:20  C:\Program Files\Common Files\AOL\Launch\AOLLaunch .exe
----a-w		 2,229,248 2008-01-08 07:08:03  C:\Program Files\Messenger\msmsgs .exe
----a-w		 8,720,384 2008-01-07 08:50:35  C:\Program Files\MySpace\IM\MySpaceIM .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2008-01-08 22:25 843776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-08 22:25 155648]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-08 22:24 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-08 22:25 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-08 22:25 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2008-01-07 21:39 286720]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 00:48 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 04:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 22:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdj30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=3 (0x3)
"McAfeeFramework"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Norton Ghost"=2 (0x2)
"GEARSecurity"=2 (0x2)

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 03:33]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 04:13]
R1 usb80233;usb80233;C:\WINDOWS\system32\drivers\usb80233.sys [2008-01-06 16:01]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2001-11-25 19:03]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-10-23 00:00]
S3 17711;17711;C:\WINDOWS\system32\17711.sys [2007-12-04 21:14]
S3 c562E;c562E;C:\WINDOWS\system32\c562E.sys [2008-01-07 23:34]
S3 DCALEXICO;DCALEXICO;C:\WINDOWS\system32\drivers\DCalexico.sys []
S3 f0654;f0654;C:\WINDOWS\system32\f0654.sys [2008-01-07 01:55]
S3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2005-09-27 02:57]
S3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 09:16]
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 06:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 01:10:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 23:42:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys 50892 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
.
Completion time: 2008-01-18 23:48:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 07:47:56
ComboFix2.txt 2008-01-19 03:09:50
ComboFix3.txt 2008-01-09 16:18:52
ComboFix4.txt 2008-01-09 12:42:39
ComboFix5.txt 2008-01-09 08:22:12
------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:18 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\saxxest\Desktop\malware-virus\ShowMe.exe

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200107173078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200107404156
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {D28CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6727 bytes

#4 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 January 2008 - 10:18 AM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
Driver::
C:\WINDOWS\system32\drivers\usb80233.sys


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 ibinjacked

ibinjacked
  • Topic Starter

  • Members
  • 9 posts

Posted 19 January 2008 - 03:44 PM

Hi Tea-Cee,

As an FYI.. the text below is being reported by my firewall software... doesn't look good!

The executable has changed since the last time you used: C:\WINDOWS\explorer.exe
File Version : 6.0.2900.3156
File Description : Windows Explorer
File Path : C:\WINDOWS\explorer.exe
Process ID : 0x33C (Heximal) 828 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.1.64
Local Port : 1043
Remote Name : www.in-t-e-r-n-e-t.com
Remote Address : 204.160.118.124
Remote Port : 80 (HTTP - World Wide Web)
---------------------------------------

Here's CF log followed by HJT log:
---------------------------------------


ComboFix 08-01-18.5 - saxxest 2008-01-19 12:16:51.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.682 [GMT -8:00]
Running from: C:\Documents and Settings\saxxest\Desktop\malware-virus\ComboFix.exe
Command switches used :: C:\Documents and Settings\saxxest\Desktop\malware-virus\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 12:28 . 2008-01-19 12:28 <DIR> d-------- C:\Temp\tn3
2008-01-19 12:26 . 2008-01-19 12:27 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-18 18:07 . 2008-01-18 18:07 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-18 18:05 . 2008-01-18 18:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-17 23:51 . 2008-01-17 23:51 106 --a------ C:\delete.bat
2008-01-17 23:31 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-17 23:31 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-17 23:30 . 2008-01-17 23:30 <DIR> d-------- C:\Program Files\Sygate
2008-01-17 23:30 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-17 22:44 . 2008-01-17 22:44 <DIR> d-------- C:\Deckard
2008-01-17 22:35 . 2008-01-18 01:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SUPERAntiSpyware.com
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-16 19:22 . 2008-01-16 19:22 0 --a------ C:\WINDOWS\pestpatrol5.INI
2008-01-15 21:39 . 2008-01-15 21:40 <DIR> d-------- C:\hjt
2008-01-15 21:32 . 2008-01-15 21:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-11 19:10 . 2008-01-18 18:25 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-11 19:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-11 19:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-10 19:11 . 2008-01-18 17:18 512 --a------ C:\WINDOWS\randseed.rnd
2008-01-10 00:04 . 2008-01-19 12:25 5,144,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-10 00:04 . 2008-01-19 12:25 222,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-10 00:04 . 2008-01-19 12:25 69,980 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-10 00:04 . 2008-01-19 12:25 21,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-10 00:02 . 2008-01-10 00:02 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-10 00:02 . 2008-01-19 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-10 00:01 . 2008-01-10 00:01 <DIR> d-------- C:\KAV
2008-01-09 22:24 . 2008-01-10 19:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-09 20:46 . 2008-01-09 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 20:45 . 2008-01-17 22:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 23:45 . 2008-01-08 23:53 <DIR> d-------- C:\Documents and Settings\saxxest\.housecall6.6
2008-01-08 23:45 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-07 23:34 . 2008-01-07 23:34 2,335,270 --a------ C:\WINDOWS\system32\54d2D.mht
2008-01-07 23:34 . 2008-01-07 23:34 128,352 --a------ C:\WINDOWS\system32\c562E.dll
2008-01-07 23:34 . 2008-01-07 23:34 54,624 --a------ C:\WINDOWS\system32\c562E.sys
2008-01-07 22:21 . 2008-01-07 22:21 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 01:55 . 2008-01-07 01:55 2,335,270 --a------ C:\WINDOWS\system32\7a053.mht
2008-01-07 01:55 . 2008-01-07 01:55 128,352 --a------ C:\WINDOWS\system32\f0654.dll
2008-01-07 01:55 . 2008-01-07 01:55 54,624 --a------ C:\WINDOWS\system32\f0654.sys
2008-01-07 01:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 01:17 . 2008-01-10 03:14 <DIR> d-------- C:\VundoFix Backups
2008-01-07 00:36 . 2008-01-19 12:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 00:31 . 2008-01-07 00:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-06 22:36 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
2008-01-06 22:35 . 2008-01-06 22:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-06 22:32 . 2008-01-06 22:33 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 22:17 . 2008-01-06 22:17 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-06 21:57 . 2004-08-04 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-06 21:55 . 2004-08-04 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-06 21:54 . 2004-08-04 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-06 21:53 . 2004-08-04 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-06 21:52 . 2004-08-04 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-06 21:51 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-06 19:20 . 2008-01-17 23:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-06 19:17 . 2008-01-19 12:27 2,422 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-06 16:05 . 2008-01-07 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\winz7
2008-01-06 16:01 . 2008-01-10 03:38 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-06 16:01 . 2008-01-08 22:37 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-06 16:01 . 2008-01-10 22:26 <DIR> d--hs---- C:\WINDOWS\bXJuYw
2008-01-06 16:01 . 2008-01-06 16:01 86,016 --a------ C:\WINDOWS\system32\drivers\usb80233.sys
2008-01-06 16:01 . 54,764 C:\WINDOWS\system32\mp32s.sys
2008-01-06 16:00 . 2008-01-10 03:35 <DIR> d-------- C:\WINDOWS\system32\ardCo17
2008-01-06 16:00 . 2008-01-19 12:28 <DIR> d-------- C:\Temp
2007-12-29 19:37 . 2007-12-30 17:41 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\BitTorrent
2007-12-29 19:36 . 2007-12-29 19:36 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\MySpace
2007-12-29 19:35 . 2007-12-29 19:35 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\Intel
2007-12-26 23:34 . 2008-01-06 16:00 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\BitTorrent
2007-12-26 23:28 . 2008-01-07 02:22 <DIR> d-------- C:\Program Files\DNA
2007-12-26 23:28 . 2008-01-06 15:58 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\DNA
2007-12-23 21:43 . 2007-12-23 21:43 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SlySoft
2007-12-23 19:45 . 2007-12-23 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-23 19:37 . 2007-12-23 19:38 <DIR> d-------- C:\Program Files\SlySoft
2007-12-23 19:37 . 2008-01-10 00:06 0 ---hs---- C:\WINDOWS\SB2F16C1D.tmp
2007-12-22 14:52 . 2007-12-22 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Disney
2007-12-22 14:45 . 2007-12-22 14:45 <DIR> d-------- C:\Program Files\Disney
2007-12-22 14:45 . 2008-01-08 23:18 <DIR> d-------- C:\Program Files\DIGStream
2007-12-22 14:45 . 2008-01-07 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DIGStream
2007-12-19 12:05 . 2007-12-19 12:05 97,216 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 01:40 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-01-19 01:37 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-18 09:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 09:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-01-14 07:10 --------- d-----w C:\Documents and Settings\saxxest\Application Data\dvdcss
2008-01-12 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 03:12 --------- d-----w C:\Program Files\Google
2008-01-10 04:46 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 04:46 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Lavasoft
2008-01-09 07:45 --------- d-----w C:\Program Files\Java
2008-01-09 07:19 --------- d-----w C:\Program Files\Plaxo
2008-01-09 07:18 --------- d-----w C:\Program Files\QuickTime Alternative
2008-01-09 07:18 --------- d-----w C:\Program Files\iTunes
2008-01-09 07:18 --------- d-----w C:\Program Files\Apoint
2008-01-05 07:12 --------- d-----w C:\Program Files\MxMonitor
2007-12-30 09:39 --------- d-----w C:\Program Files\pinochle
2007-12-28 06:06 --------- d-----w C:\Program Files\Native Instruments
2007-12-28 05:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-24 20:05 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Vidalia
2007-12-22 07:00 --------- d-----w C:\Program Files\audiograbber
2007-12-12 05:56 --------- d-----w C:\Program Files\Vidalia Bundle
2007-12-11 02:32 --------- d-----w C:\Program Files\Citrix
2007-12-06 02:25 --------- d-----w C:\Program Files\Magic Folders
2007-12-04 06:35 --------- d-----w C:\Documents and Settings\saxxest\Application Data\JAM Software
2007-11-22 05:02 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-11-19 05:13 --------- d-----w C:\Program Files\Canon
.
<pre>
----a-w		   313,472 2008-01-08 05:40:27  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w			50,760 2008-01-08 05:40:20  C:\Program Files\Common Files\AOL\Launch\AOLLaunch .exe
----a-w		 2,229,248 2008-01-08 07:08:03  C:\Program Files\Messenger\msmsgs .exe
----a-w		 8,720,384 2008-01-07 08:50:35  C:\Program Files\MySpace\IM\MySpaceIM .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-18_19.09.33.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 02:54:33 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 20:16:44 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 02:54:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 20:16:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 02:54:33 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 20:16:44 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 02:54:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 20:16:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 02:54:34 9,793,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 20:16:44 9,793,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-19 02:54:34 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 20:16:45 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 20:16:45 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\NTUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2008-01-08 22:25 843776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-08 22:25 155648]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-08 22:24 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-08 22:25 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-08 22:25 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2008-01-07 21:39 286720]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 00:48 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 04:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 22:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdj30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=3 (0x3)
"McAfeeFramework"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Norton Ghost"=2 (0x2)
"GEARSecurity"=2 (0x2)

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 03:33]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 04:13]
R1 usb80233;usb80233;C:\WINDOWS\system32\drivers\usb80233.sys [2008-01-06 16:01]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2001-11-25 19:03]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-10-23 00:00]
S3 17711;17711;C:\WINDOWS\system32\17711.sys [2007-12-04 21:14]
S3 c562E;c562E;C:\WINDOWS\system32\c562E.sys [2008-01-07 23:34]
S3 DCALEXICO;DCALEXICO;C:\WINDOWS\system32\drivers\DCalexico.sys []
S3 f0654;f0654;C:\WINDOWS\system32\f0654.sys [2008-01-07 01:55]
S3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2005-09-27 02:57]
S3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 09:16]
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 06:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 01:10:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 12:28:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys 50892 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
.
Completion time: 2008-01-19 12:32:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 20:32:42
ComboFix2.txt 2008-01-19 07:48:01
ComboFix3.txt 2008-01-19 03:09:50
ComboFix4.txt 2008-01-09 16:18:52
ComboFix5.txt 2008-01-09 12:42:39
------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:27 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\saxxest\Desktop\malware-virus\ShowMe.exe

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200107173078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200107404156
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {D28CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6694 bytes

#6 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 January 2008 - 06:25 PM

Hello,

I need for you to go offline and disable ALL your protection programs, then run my previous directions again, please. Then re-enable them before you come online to post the report.

Thanks,
tea

#7 ibinjacked

ibinjacked
  • Topic Starter

  • Members
  • 9 posts

Posted 19 January 2008 - 07:11 PM

Thanks for your help.... are we getting closer?

ComboFix 08-01-18.5 - saxxest 2008-01-19 15:53:20.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.548 [GMT -8:00]
Running from: C:\Documents and Settings\saxxest\Desktop\malware-virus\ComboFix.exe
Command switches used :: C:\Documents and Settings\saxxest\Desktop\malware-virus\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-19 16:00 . 2008-01-19 16:00 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-19 15:59 . 2008-01-19 15:59 <DIR> d-------- C:\Temp\tn3
2008-01-18 18:07 . 2008-01-18 18:07 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-18 18:05 . 2008-01-18 18:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-17 23:51 . 2008-01-17 23:51 106 --a------ C:\delete.bat
2008-01-17 23:31 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-17 23:31 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-17 23:30 . 2008-01-17 23:30 <DIR> d-------- C:\Program Files\Sygate
2008-01-17 23:30 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-17 22:44 . 2008-01-17 22:44 <DIR> d-------- C:\Deckard
2008-01-17 22:35 . 2008-01-18 01:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SUPERAntiSpyware.com
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-16 19:22 . 2008-01-16 19:22 0 --a------ C:\WINDOWS\pestpatrol5.INI
2008-01-15 21:39 . 2008-01-15 21:40 <DIR> d-------- C:\hjt
2008-01-15 21:32 . 2008-01-15 21:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-11 19:10 . 2008-01-18 18:25 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-11 19:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-11 19:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-10 19:11 . 2008-01-18 17:18 512 --a------ C:\WINDOWS\randseed.rnd
2008-01-10 00:04 . 2008-01-19 12:25 5,144,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-10 00:04 . 2008-01-19 12:25 222,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-10 00:04 . 2008-01-19 12:25 69,980 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-10 00:04 . 2008-01-19 12:25 21,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-10 00:02 . 2008-01-10 00:02 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-10 00:02 . 2008-01-19 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-10 00:01 . 2008-01-10 00:01 <DIR> d-------- C:\KAV
2008-01-09 22:24 . 2008-01-10 19:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-09 20:46 . 2008-01-09 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 20:45 . 2008-01-17 22:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 23:45 . 2008-01-08 23:53 <DIR> d-------- C:\Documents and Settings\saxxest\.housecall6.6
2008-01-08 23:45 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-07 23:34 . 2008-01-07 23:34 2,335,270 --a------ C:\WINDOWS\system32\54d2D.mht
2008-01-07 23:34 . 2008-01-07 23:34 128,352 --a------ C:\WINDOWS\system32\c562E.dll
2008-01-07 23:34 . 2008-01-07 23:34 54,624 --a------ C:\WINDOWS\system32\c562E.sys
2008-01-07 22:21 . 2008-01-07 22:21 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 01:55 . 2008-01-07 01:55 2,335,270 --a------ C:\WINDOWS\system32\7a053.mht
2008-01-07 01:55 . 2008-01-07 01:55 128,352 --a------ C:\WINDOWS\system32\f0654.dll
2008-01-07 01:55 . 2008-01-07 01:55 54,624 --a------ C:\WINDOWS\system32\f0654.sys
2008-01-07 01:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 01:17 . 2008-01-10 03:14 <DIR> d-------- C:\VundoFix Backups
2008-01-07 00:36 . 2008-01-19 16:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 00:31 . 2008-01-07 00:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-06 22:36 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
2008-01-06 22:35 . 2008-01-06 22:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-06 22:32 . 2008-01-06 22:33 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 22:17 . 2008-01-06 22:17 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-06 21:57 . 2004-08-04 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-06 21:55 . 2004-08-04 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-06 21:54 . 2004-08-04 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-06 21:53 . 2004-08-04 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-06 21:52 . 2004-08-04 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-06 21:51 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-06 19:20 . 2008-01-17 23:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-06 19:17 . 2008-01-19 16:01 2,422 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-06 16:05 . 2008-01-07 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\winz7
2008-01-06 16:01 . 2008-01-10 03:38 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-06 16:01 . 2008-01-08 22:37 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-06 16:01 . 2008-01-10 22:26 <DIR> d--hs---- C:\WINDOWS\bXJuYw
2008-01-06 16:01 . 2008-01-06 16:01 86,016 --a------ C:\WINDOWS\system32\drivers\usb80233.sys
2008-01-06 16:01 . 54,764 C:\WINDOWS\system32\mp32s.sys
2008-01-06 16:00 . 2008-01-10 03:35 <DIR> d-------- C:\WINDOWS\system32\ardCo17
2008-01-06 16:00 . 2008-01-19 15:59 <DIR> d-------- C:\Temp
2007-12-29 19:37 . 2007-12-30 17:41 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\BitTorrent
2007-12-29 19:36 . 2007-12-29 19:36 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\MySpace
2007-12-29 19:35 . 2007-12-29 19:35 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\Intel
2007-12-26 23:34 . 2008-01-06 16:00 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\BitTorrent
2007-12-26 23:28 . 2008-01-07 02:22 <DIR> d-------- C:\Program Files\DNA
2007-12-26 23:28 . 2008-01-06 15:58 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\DNA
2007-12-23 21:43 . 2007-12-23 21:43 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SlySoft
2007-12-23 19:45 . 2007-12-23 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-23 19:37 . 2007-12-23 19:38 <DIR> d-------- C:\Program Files\SlySoft
2007-12-23 19:37 . 2008-01-10 00:06 0 ---hs---- C:\WINDOWS\SB2F16C1D.tmp
2007-12-22 14:52 . 2007-12-22 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Disney
2007-12-22 14:45 . 2007-12-22 14:45 <DIR> d-------- C:\Program Files\Disney
2007-12-22 14:45 . 2008-01-08 23:18 <DIR> d-------- C:\Program Files\DIGStream
2007-12-22 14:45 . 2008-01-07 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DIGStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 01:40 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-01-19 01:37 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-18 09:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 09:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-01-14 07:10 --------- d-----w C:\Documents and Settings\saxxest\Application Data\dvdcss
2008-01-12 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 03:12 --------- d-----w C:\Program Files\Google
2008-01-10 04:46 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 04:46 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Lavasoft
2008-01-09 07:45 --------- d-----w C:\Program Files\Java
2008-01-09 07:19 --------- d-----w C:\Program Files\Plaxo
2008-01-09 07:18 --------- d-----w C:\Program Files\QuickTime Alternative
2008-01-09 07:18 --------- d-----w C:\Program Files\iTunes
2008-01-09 07:18 --------- d-----w C:\Program Files\Apoint
2008-01-05 07:12 --------- d-----w C:\Program Files\MxMonitor
2007-12-30 09:39 --------- d-----w C:\Program Files\pinochle
2007-12-28 06:06 --------- d-----w C:\Program Files\Native Instruments
2007-12-28 05:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-24 20:05 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Vidalia
2007-12-22 07:00 --------- d-----w C:\Program Files\audiograbber
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-12 05:56 --------- d-----w C:\Program Files\Vidalia Bundle
2007-12-11 02:32 --------- d-----w C:\Program Files\Citrix
2007-12-06 02:25 --------- d-----w C:\Program Files\Magic Folders
2007-12-04 06:35 --------- d-----w C:\Documents and Settings\saxxest\Application Data\JAM Software
2007-11-22 05:02 720,896 ----a-w C:\WINDOWS\iun6002.exe
.
<pre>
----a-w		   313,472 2008-01-08 05:40:27  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w			50,760 2008-01-08 05:40:20  C:\Program Files\Common Files\AOL\Launch\AOLLaunch .exe
----a-w		 2,229,248 2008-01-08 07:08:03  C:\Program Files\Messenger\msmsgs .exe
----a-w		 8,720,384 2008-01-07 08:50:35  C:\Program Files\MySpace\IM\MySpaceIM .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-18_19.09.33.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 02:54:33 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 23:53:15 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 02:54:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 23:53:16 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 02:54:33 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 23:53:16 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 02:54:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 23:53:16 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 02:54:34 9,793,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 23:53:16 9,793,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-19 02:54:34 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 23:53:17 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2008-01-08 22:25 843776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-08 22:25 155648]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-08 22:24 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-08 22:25 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-08 22:25 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2008-01-07 21:39 286720]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 00:48 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 04:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 22:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdj30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=3 (0x3)
"McAfeeFramework"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Norton Ghost"=2 (0x2)
"GEARSecurity"=2 (0x2)

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 03:33]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 04:13]
R1 usb80233;usb80233;C:\WINDOWS\system32\drivers\usb80233.sys [2008-01-06 16:01]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2001-11-25 19:03]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-10-23 00:00]
S3 17711;17711;C:\WINDOWS\system32\17711.sys [2007-12-04 21:14]
S3 c562E;c562E;C:\WINDOWS\system32\c562E.sys [2008-01-07 23:34]
S3 DCALEXICO;DCALEXICO;C:\WINDOWS\system32\drivers\DCalexico.sys []
S3 f0654;f0654;C:\WINDOWS\system32\f0654.sys [2008-01-07 01:55]
S3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2005-09-27 02:57]
S3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 09:16]
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 06:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 01:10:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 16:01:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys 50892 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
.
Completion time: 2008-01-19 16:06:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 00:06:22
ComboFix2.txt 2008-01-19 20:32:47
ComboFix3.txt 2008-01-19 07:48:01
ComboFix4.txt 2008-01-19 03:09:50
ComboFix5.txt 2008-01-09 16:18:52
-----------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:25 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\Documents and Settings\saxxest\Desktop\malware-virus\ShowMe.exe

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200107173078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200107404156
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {D28CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6562 bytes

#8 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 January 2008 - 08:02 PM

Hello,

I failed to add a feature into the script, so let's try one more time, and I apologize for the wasted time and posts here.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\usb80233.sys
C:\Temp\tn3

Driver::
usb80233


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


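The log in post #7 and the CFScript in the reply above carry the whole procedure: spot the artefacts (a service whose ImagePath is an NTFS alternate data stream, `svchost.exe:exm.exe`; hex-named .sys/.dll pairs dropped straight into system32; a hidden+system directory with a base64-looking name; drivers with no on-disk timestamp; names with a space before the extension), then hand ComboFix a `File::` / `Driver::` script. The helper below is an added example, not code from the thread, from ComboFix or from the BleepingComputer staff. Its sample lines are constructed to mirror the posted log, its pattern rules are the example's own heuristics rather than anything ComboFix or the helper used, and it only emits the two directives the thread shows:

```python
"""Triage helper for ComboFix-style log lines (added example; not code from the
original post, from ComboFix, or from the BleepingComputer helper).  Flags the
artefact patterns visible in the log above and drafts a CFScript in the
File::/Driver:: form used in the thread.  Heuristics are the example's own."""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines, modelled on entries in the ComboFix log above.
SAMPLE_LOG = r"""
2008-01-07 23:34 . 2008-01-07 23:34 128,352 --a------ C:\WINDOWS\system32\c562E.dll
2008-01-07 23:34 . 2008-01-07 23:34 54,624 --a------ C:\WINDOWS\system32\c562E.sys
2008-01-06 16:01 . 2008-01-10 22:26 <DIR> d--hs---- C:\WINDOWS\bXJuYw
2008-01-06 16:01 . 2008-01-06 16:01 86,016 --a------ C:\WINDOWS\system32\drivers\usb80233.sys
2008-01-06 22:32 . 2008-01-06 22:33 <DIR> d-------- C:\Program Files\CCleaner
R1 usb80233;usb80233;C:\WINDOWS\system32\drivers\usb80233.sys [2008-01-06 16:01]
S3 c562E;c562E;C:\WINDOWS\system32\c562E.sys [2008-01-07 23:34]
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
----a-w           313,472 2008-01-08 05:40:27  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
"""

# "Files Created" line: created . modified, size or <DIR>, 9 attribute flags, path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
                     r"(?P<size><DIR>|[\d,]+)\s+(?P<attr>[-a-z]{9})\s+(?P<path>[A-Za-z]:\\.+)$")
# Driver/service line: start type, name;display;path [file timestamp, or empty]
SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;\"?(?P<path>[A-Za-z]:\\.*?)\"?\s+\[(?P<stat>[^\]]*)\]$")
# ComboFix's separate listing of names with a space before the extension
SPACED_RE = re.compile(r"^[-a-z]{7}\s+[\d,]+\s+\S+ \S+\s+(?P<path>[A-Za-z]:\\.+ \.\w{2,4})$")
HEX_STEM_RE = re.compile(r"[0-9a-fA-F]{4,6}")


@dataclass
class Finding:
    path: str
    is_dir: bool = False
    actionable: bool = False          # confident enough to draft into the script
    service: Optional[str] = None     # service/driver name from an R*/S* line
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_hex_stem(name: str) -> bool:
    """True for names like c562E.sys / f0654.dll: a short hex blob plus a driver/DLL extension."""
    stem, dot, ext = name.rpartition(".")
    return bool(dot) and ext.lower() in ("sys", "dll") and HEX_STEM_RE.fullmatch(stem) is not None


def base64_name(name: str) -> Optional[str]:
    """Decode an unpadded base64 directory name (bXJuYw -> 'mrnc'); None if not base64/printable ASCII."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{4,}", name):
        return None
    try:
        text = base64.b64decode(name + "=" * (-len(name) % 4), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    return text if text and text.isprintable() else None


def triage(log_text: str) -> List[Finding]:
    """Run the heuristic rules over every line; one Finding per path, reasons accumulated."""
    found: Dict[str, Finding] = {}

    def note(path: str, reason: str, *, actionable: bool = False,
             is_dir: bool = False, service: Optional[str] = None) -> None:
        f = found.setdefault(path, Finding(path))
        f.reasons.append(reason)
        f.actionable = f.actionable or actionable
        f.is_dir = f.is_dir or is_dir
        f.service = service or f.service

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            path, attr, name = m["path"], m["attr"], _basename(m["path"])
            if m["size"] == "<DIR>":
                if "h" in attr and "s" in attr and (decoded := base64_name(name)):
                    note(path, f"hidden+system directory whose name is base64 for {decoded!r}", is_dir=True)
            elif "system32" in path.lower() and is_hex_stem(name):
                note(path, "random hex-named driver/DLL dropped in system32", actionable=True)
        elif m := SVC_RE.match(line):
            path, svc = m["path"], m["name"]
            if ":" in path[2:]:  # a second colon after the drive letter = alternate data stream
                note(path, f"service {svc}: ImagePath is an NTFS alternate data stream", actionable=True, service=svc)
            if m["stat"] == "":
                note(path, f"service {svc}: no on-disk timestamp (file missing or hidden)", actionable=True, service=svc)
            if is_hex_stem(_basename(path)):
                note(path, f"service {svc}: loads a random hex-named driver", actionable=True, service=svc)
        elif m := SPACED_RE.match(line):
            note(m["path"], "filename has a space before its extension")
    return sorted(found.values(), key=lambda f: f.path.lower())


def build_cfscript(findings: List[Finding]) -> str:
    """Draft a CFScript in the File::/Driver:: form used in the thread.
    Only actionable plain files go under File::; directories and ADS paths are left out
    (the host of an ADS is the real svchost.exe, which must never be deleted).  The draft
    is for analyst review, not for running blind."""
    files = [f.path for f in findings if f.actionable and not f.is_dir and ":" not in f.path[2:]]
    drivers = sorted({f.service for f in findings if f.service})
    return "\n".join(["File::", *files, "", "Driver::", *drivers, ""])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(hit.path, "->", "; ".join(hit.reasons))
    print(build_cfscript(hits))
```

Two things worth noticing when this runs over the sample: `usb80233.sys`, the driver the reply above actually removes, trips none of these rules (its name is not hex, its file exists and it has no ADS), which is exactly why the reply is based on analyst judgement and not on pattern matching; and the `bXJuYw` directory and the `svchost.exe:exm.exe` stream are reported but deliberately kept out of the `File::` list, since the thread shows no directive for directories and the ADS host is the legitimate svchost binary.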
#9 ibinjacked

  • Topic Starter

  • Members
  • 9 posts

Posted 20 January 2008 - 01:34 AM

Hey, this is looking a lot better, yeah?

-----------------------------------------------------------------

ComboFix 08-01-18.5 - saxxest 2008-01-19 22:19:56.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT -8:00]
Running from: C:\Documents and Settings\saxxest\Desktop\malware-virus\ComboFix.exe
Command switches used :: C:\Documents and Settings\saxxest\Desktop\malware-virus\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\usb80233.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\Program Files\Helper\superfindout.dll
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\usb80233.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_USB80233
-------\usb80233


((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-18 18:07 . 2008-01-18 18:07 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-18 18:05 . 2008-01-18 18:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-17 23:51 . 2008-01-17 23:51 106 --a------ C:\delete.bat
2008-01-17 23:31 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-17 23:31 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-17 23:30 . 2008-01-17 23:30 <DIR> d-------- C:\Program Files\Sygate
2008-01-17 23:30 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-17 22:44 . 2008-01-17 22:44 <DIR> d-------- C:\Deckard
2008-01-17 22:35 . 2008-01-18 01:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SUPERAntiSpyware.com
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-16 19:22 . 2008-01-16 19:22 0 --a------ C:\WINDOWS\pestpatrol5.INI
2008-01-15 21:39 . 2008-01-15 21:40 <DIR> d-------- C:\hjt
2008-01-15 21:32 . 2008-01-15 21:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-11 19:10 . 2008-01-18 18:25 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-11 19:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-11 19:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-10 19:11 . 2008-01-18 17:18 512 --a------ C:\WINDOWS\randseed.rnd
2008-01-10 00:04 . 2008-01-19 12:25 5,144,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-10 00:04 . 2008-01-19 12:25 222,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-10 00:04 . 2008-01-19 12:25 69,980 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-10 00:04 . 2008-01-19 12:25 21,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-10 00:02 . 2008-01-10 00:02 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-10 00:02 . 2008-01-19 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-10 00:01 . 2008-01-10 00:01 <DIR> d-------- C:\KAV
2008-01-09 22:24 . 2008-01-10 19:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-09 20:46 . 2008-01-09 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 20:45 . 2008-01-17 22:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 23:45 . 2008-01-08 23:53 <DIR> d-------- C:\Documents and Settings\saxxest\.housecall6.6
2008-01-08 23:45 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-07 23:34 . 2008-01-07 23:34 2,335,270 --a------ C:\WINDOWS\system32\54d2D.mht
2008-01-07 23:34 . 2008-01-07 23:34 128,352 --a------ C:\WINDOWS\system32\c562E.dll
2008-01-07 23:34 . 2008-01-07 23:34 54,624 --a------ C:\WINDOWS\system32\c562E.sys
2008-01-07 22:21 . 2008-01-07 22:21 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 01:55 . 2008-01-07 01:55 2,335,270 --a------ C:\WINDOWS\system32\7a053.mht
2008-01-07 01:55 . 2008-01-07 01:55 128,352 --a------ C:\WINDOWS\system32\f0654.dll
2008-01-07 01:55 . 2008-01-07 01:55 54,624 --a------ C:\WINDOWS\system32\f0654.sys
2008-01-07 01:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 01:17 . 2008-01-10 03:14 <DIR> d-------- C:\VundoFix Backups
2008-01-07 00:36 . 2008-01-19 22:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 00:31 . 2008-01-07 00:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-06 22:36 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
2008-01-06 22:35 . 2008-01-06 22:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-06 22:32 . 2008-01-06 22:33 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 22:17 . 2008-01-06 22:17 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-06 21:57 . 2004-08-04 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-06 21:55 . 2004-08-04 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-06 21:54 . 2004-08-04 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-06 21:53 . 2004-08-04 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-06 21:52 . 2004-08-04 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-06 21:51 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-06 19:20 . 2008-01-17 23:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-06 19:17 . 2008-01-19 22:24 2,422 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-06 16:05 . 2008-01-07 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\winz7
2008-01-06 16:01 . 2008-01-10 03:38 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-06 16:01 . 2008-01-08 22:37 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-06 16:01 . 2008-01-10 22:26 <DIR> d--hs---- C:\WINDOWS\bXJuYw
2008-01-06 16:01 . 54,764 C:\WINDOWS\system32\mp32s.sys
2008-01-06 16:00 . 2008-01-10 03:35 <DIR> d-------- C:\WINDOWS\system32\ardCo17
2008-01-06 16:00 . 2008-01-19 22:21 <DIR> d-------- C:\Temp
2007-12-29 19:37 . 2007-12-30 17:41 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\BitTorrent
2007-12-29 19:36 . 2007-12-29 19:36 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\MySpace
2007-12-29 19:35 . 2007-12-29 19:35 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\Intel
2007-12-26 23:34 . 2008-01-06 16:00 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\BitTorrent
2007-12-26 23:28 . 2008-01-07 02:22 <DIR> d-------- C:\Program Files\DNA
2007-12-26 23:28 . 2008-01-06 15:58 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\DNA
2007-12-23 21:43 . 2007-12-23 21:43 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SlySoft
2007-12-23 19:45 . 2007-12-23 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-23 19:37 . 2007-12-23 19:38 <DIR> d-------- C:\Program Files\SlySoft
2007-12-23 19:37 . 2008-01-10 00:06 0 ---hs---- C:\WINDOWS\SB2F16C1D.tmp
2007-12-22 14:52 . 2007-12-22 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Disney
2007-12-22 14:45 . 2007-12-22 14:45 <DIR> d-------- C:\Program Files\Disney
2007-12-22 14:45 . 2008-01-08 23:18 <DIR> d-------- C:\Program Files\DIGStream
2007-12-22 14:45 . 2008-01-07 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DIGStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 01:40 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-01-19 01:37 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-18 09:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 09:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-01-14 07:10 --------- d-----w C:\Documents and Settings\saxxest\Application Data\dvdcss
2008-01-12 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 03:12 --------- d-----w C:\Program Files\Google
2008-01-10 04:46 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 04:46 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Lavasoft
2008-01-09 07:45 --------- d-----w C:\Program Files\Java
2008-01-09 07:19 --------- d-----w C:\Program Files\Plaxo
2008-01-09 07:18 --------- d-----w C:\Program Files\QuickTime Alternative
2008-01-09 07:18 --------- d-----w C:\Program Files\iTunes
2008-01-09 07:18 --------- d-----w C:\Program Files\Apoint
2008-01-05 07:12 --------- d-----w C:\Program Files\MxMonitor
2007-12-30 09:39 --------- d-----w C:\Program Files\pinochle
2007-12-28 06:06 --------- d-----w C:\Program Files\Native Instruments
2007-12-28 05:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-24 20:05 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Vidalia
2007-12-22 07:00 --------- d-----w C:\Program Files\audiograbber
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-12 05:56 --------- d-----w C:\Program Files\Vidalia Bundle
2007-12-11 02:32 --------- d-----w C:\Program Files\Citrix
2007-12-06 02:25 --------- d-----w C:\Program Files\Magic Folders
2007-12-04 06:35 --------- d-----w C:\Documents and Settings\saxxest\Application Data\JAM Software
2007-11-22 05:02 720,896 ----a-w C:\WINDOWS\iun6002.exe
.
----a-w 313,472 2008-01-08 05:40:27 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 50,760 2008-01-08 05:40:20 C:\Program Files\Common Files\AOL\Launch\AOLLaunch .exe
----a-w 2,229,248 2008-01-08 07:08:03 C:\Program Files\Messenger\msmsgs .exe
----a-w 8,720,384 2008-01-07 08:50:35 C:\Program Files\MySpace\IM\MySpaceIM .exe


((((((((((((((((((((((((((((( snapshot_2008-01-18_19.09.33.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 02:54:33 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 06:19:28 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 02:54:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 06:19:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 02:54:33 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 06:19:28 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 02:54:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 06:19:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 02:54:34 9,793,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-20 06:19:28 9,793,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-19 02:54:34 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 06:19:29 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2008-01-08 22:25 843776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-08 22:25 155648]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-08 22:24 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-08 22:25 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-08 22:25 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2008-01-07 21:39 286720]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 00:48 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 04:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 22:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdj30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=3 (0x3)
"McAfeeFramework"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Norton Ghost"=2 (0x2)
"GEARSecurity"=2 (0x2)

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 03:33]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 04:13]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2001-11-25 19:03]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-10-23 00:00]
S3 17711;17711;C:\WINDOWS\system32\17711.sys [2007-12-04 21:14]
S3 c562E;c562E;C:\WINDOWS\system32\c562E.sys [2008-01-07 23:34]
S3 DCALEXICO;DCALEXICO;C:\WINDOWS\system32\drivers\DCalexico.sys []
S3 f0654;f0654;C:\WINDOWS\system32\f0654.sys [2008-01-07 01:55]
S3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2005-09-27 02:57]
S3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 09:16]
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 06:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 01:10:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 22:24:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys 50892 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
.
Completion time: 2008-01-19 22:29:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 06:29:29
ComboFix2.txt 2008-01-20 00:06:26
ComboFix3.txt 2008-01-19 20:32:47
ComboFix4.txt 2008-01-19 07:48:01
ComboFix5.txt 2008-01-19 03:09:50

-----------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:40 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\saxxest\Desktop\malware-virus\ShowMe.exe

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200107173078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200107404156
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {D28CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6596 bytes

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 January 2008 - 10:11 AM

Hello,

Yes it does. :thumbsup: How is it running?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#11 ibinjacked

ibinjacked
  • Topic Starter

  • Members
  • 9 posts

Posted 20 January 2008 - 04:22 PM

Kind of strange... A brand new superfindout.dll was created after ComboFix removed it... I thought!? But I just checked again now and it's gone..?? Besides that, no popups as of yet and nothing trying to connect to that www.in-t-e-r-n-e-t.com URL. Guess I'm cautiously optimistic :thumbsup:

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 January 2008 - 04:38 PM

Hello,

We're certainly getting there. :thumbsup:


* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

RenV::
----a-w 313,472 2008-01-08 05:40:27 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 50,760 2008-01-08 05:40:20 C:\Program Files\Common Files\AOL\Launch\AOLLaunch .exe
----a-w 2,229,248 2008-01-08 07:08:03 C:\Program Files\Messenger\msmsgs .exe
----a-w 8,720,384 2008-01-07 08:50:35 C:\Program Files\MySpace\IM\MySpaceIM .exe


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea

#13 ibinjacked

ibinjacked
  • Topic Starter

  • Members
  • 9 posts

Posted 21 January 2008 - 06:02 PM

Tea---

Thanks for all your help.. I will PayPal tip just so long as I know I'm not getting my keys logged!

Yes, definitely getting better.. I notice from my firewall software something trying to info-out to Uniontrade.biz which is a McColo Corp. site..

These ABC[space].exe fakes are a bit alarming..

Here are the logs after this last ComboFix run:

-----------------------

ComboFix 08-01-18.5 - saxxest 2008-01-21 14:28:27.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.695 [GMT -8:00]
Running from: C:\Documents and Settings\saxxest\Desktop\malware-virus\ComboFix.exe
Command switches used :: C:\Documents and Settings\saxxest\Desktop\malware-virus\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-18 18:07 . 2008-01-18 18:07 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-18 18:05 . 2008-01-18 18:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-17 23:51 . 2008-01-17 23:51 106 --a------ C:\delete.bat
2008-01-17 23:31 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-17 23:31 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-17 23:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-17 23:30 . 2008-01-17 23:30 <DIR> d-------- C:\Program Files\Sygate
2008-01-17 23:30 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-17 22:44 . 2008-01-17 22:44 <DIR> d-------- C:\Deckard
2008-01-17 22:35 . 2008-01-18 01:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SUPERAntiSpyware.com
2008-01-17 22:35 . 2008-01-17 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-16 19:22 . 2008-01-16 19:22 0 --a------ C:\WINDOWS\pestpatrol5.INI
2008-01-15 21:39 . 2008-01-15 21:40 <DIR> d-------- C:\hjt
2008-01-15 21:32 . 2008-01-15 21:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-11 19:10 . 2008-01-18 18:25 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-11 19:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-11 19:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-11 19:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-10 19:11 . 2008-01-18 17:18 512 --a------ C:\WINDOWS\randseed.rnd
2008-01-10 00:04 . 2008-01-19 12:25 5,144,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-10 00:04 . 2008-01-19 12:25 222,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-10 00:04 . 2008-01-19 12:25 69,980 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-10 00:04 . 2008-01-19 12:25 21,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-10 00:01 . 2008-01-10 00:01 <DIR> d-------- C:\KAV
2008-01-09 22:24 . 2008-01-10 19:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-09 20:46 . 2008-01-09 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 20:45 . 2008-01-17 22:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 23:45 . 2008-01-08 23:53 <DIR> d-------- C:\Documents and Settings\saxxest\.housecall6.6
2008-01-08 23:45 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-07 23:34 . 2008-01-07 23:34 2,335,270 --a------ C:\WINDOWS\system32\54d2D.mht
2008-01-07 23:34 . 2008-01-07 23:34 128,352 --a------ C:\WINDOWS\system32\c562E.dll
2008-01-07 23:34 . 2008-01-07 23:34 54,624 --a------ C:\WINDOWS\system32\c562E.sys
2008-01-07 22:21 . 2008-01-07 22:21 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 01:55 . 2008-01-07 01:55 2,335,270 --a------ C:\WINDOWS\system32\7a053.mht
2008-01-07 01:55 . 2008-01-07 01:55 128,352 --a------ C:\WINDOWS\system32\f0654.dll
2008-01-07 01:55 . 2008-01-07 01:55 54,624 --a------ C:\WINDOWS\system32\f0654.sys
2008-01-07 01:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 01:17 . 2008-01-10 03:14 <DIR> d-------- C:\VundoFix Backups
2008-01-07 00:36 . 2008-01-21 13:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 00:31 . 2008-01-07 00:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-06 22:36 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
2008-01-06 22:35 . 2008-01-06 22:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-06 22:32 . 2008-01-06 22:33 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 22:17 . 2008-01-06 22:17 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-06 21:57 . 2004-08-04 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-06 21:55 . 2004-08-04 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-06 21:54 . 2004-08-04 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-06 21:53 . 2004-08-04 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-06 21:52 . 2004-08-04 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-06 21:51 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-06 21:44 . 2008-01-06 21:44 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-06 19:20 . 2008-01-17 23:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-06 19:17 . 2008-01-21 13:36 2,422 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-06 16:05 . 2008-01-07 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\winz7
2008-01-06 16:01 . 2008-01-10 03:38 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-06 16:01 . 2008-01-08 22:37 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-06 16:01 . 2008-01-06 16:01 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-06 16:01 . 54,764 C:\WINDOWS\system32\mp32s.sys
2008-01-06 16:00 . 2008-01-10 03:35 <DIR> d-------- C:\WINDOWS\system32\ardCo17
2008-01-06 16:00 . 2008-01-20 08:42 <DIR> d-------- C:\Temp
2007-12-29 19:37 . 2007-12-30 17:41 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\BitTorrent
2007-12-29 19:36 . 2007-12-29 19:36 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\MySpace
2007-12-29 19:35 . 2007-12-29 19:35 <DIR> d-------- C:\Documents and Settings\b0b0\Application Data\Intel
2007-12-26 23:34 . 2008-01-06 16:00 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\BitTorrent
2007-12-26 23:28 . 2008-01-07 02:22 <DIR> d-------- C:\Program Files\DNA
2007-12-26 23:28 . 2008-01-06 15:58 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\DNA
2007-12-23 21:43 . 2007-12-23 21:43 <DIR> d-------- C:\Documents and Settings\saxxest\Application Data\SlySoft
2007-12-23 19:45 . 2007-12-23 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-23 19:37 . 2007-12-23 19:38 <DIR> d-------- C:\Program Files\SlySoft
2007-12-23 19:37 . 2008-01-10 00:06 0 ---hs---- C:\WINDOWS\SB2F16C1D.tmp
2007-12-22 14:52 . 2007-12-22 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Disney
2007-12-22 14:45 . 2007-12-22 14:45 <DIR> d-------- C:\Program Files\Disney
2007-12-22 14:45 . 2008-01-20 08:41 <DIR> d-------- C:\Program Files\DIGStream
2007-12-22 14:45 . 2008-01-21 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DIGStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 04:47 --------- d-----w C:\Program Files\DVD PixPlay
2008-01-20 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-19 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 01:40 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-01-19 01:37 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-18 09:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 09:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-01-14 07:10 --------- d-----w C:\Documents and Settings\saxxest\Application Data\dvdcss
2008-01-12 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 03:12 --------- d-----w C:\Program Files\Google
2008-01-10 04:46 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 04:46 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Lavasoft
2008-01-09 07:45 --------- d-----w C:\Program Files\Java
2008-01-09 07:19 --------- d-----w C:\Program Files\Plaxo
2008-01-09 07:18 --------- d-----w C:\Program Files\QuickTime Alternative
2008-01-09 07:18 --------- d-----w C:\Program Files\iTunes
2008-01-09 07:18 --------- d-----w C:\Program Files\Apoint
2008-01-05 07:12 --------- d-----w C:\Program Files\MxMonitor
2007-12-30 09:39 --------- d-----w C:\Program Files\pinochle
2007-12-28 06:06 --------- d-----w C:\Program Files\Native Instruments
2007-12-24 20:05 --------- d-----w C:\Documents and Settings\saxxest\Application Data\Vidalia
2007-12-22 07:00 --------- d-----w C:\Program Files\audiograbber
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-12 05:56 --------- d-----w C:\Program Files\Vidalia Bundle
2007-12-11 02:32 --------- d-----w C:\Program Files\Citrix
2007-12-06 02:25 --------- d-----w C:\Program Files\Magic Folders
2007-12-05 05:14 54,624 ----a-w C:\WINDOWS\system32\17711.sys
2007-12-04 06:35 --------- d-----w C:\Documents and Settings\saxxest\Application Data\JAM Software
2007-11-22 05:02 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot_2008-01-18_19.09.33.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 02:54:33 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 22:28:07 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 02:54:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 22:28:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 02:54:33 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 22:28:07 1,105,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 02:54:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 22:28:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 02:54:34 9,793,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-21 22:28:08 9,793,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-19 02:54:34 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 22:28:08 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}]
C:\Program Files\Helper\superfindout.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2008-01-08 22:25 843776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-08 22:25 155648]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-08 22:24 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-08 22:25 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-08 22:25 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2008-01-07 21:39 286720]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"PlayhouseDisneyDownloadManager"="c:\progra~1\digstr~1\playho~1.exe" [2008-01-07 21:39 284272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-07 00:50 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 00:48 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 04:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 22:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdj30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=3 (0x3)
"McAfeeFramework"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Norton Ghost"=2 (0x2)
"GEARSecurity"=2 (0x2)

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 03:33]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 04:13]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2001-11-25 19:03]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-10-23 00:00]
S3 17711;17711;C:\WINDOWS\system32\17711.sys [2007-12-04 21:14]
S3 c562E;c562E;C:\WINDOWS\system32\c562E.sys [2008-01-07 23:34]
S3 DCALEXICO;DCALEXICO;C:\WINDOWS\system32\drivers\DCalexico.sys []
S3 f0654;f0654;C:\WINDOWS\system32\f0654.sys [2008-01-07 01:55]
S3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2005-09-27 02:57]
S3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 09:16]
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 06:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 01:10:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 14:34:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys 50892 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
.
Completion time: 2008-01-21 14:35:43
ComboFix-quarantined-files.txt 2008-01-21 22:35:28
ComboFix2.txt 2008-01-20 06:29:33
ComboFix3.txt 2008-01-20 00:06:26
ComboFix4.txt 2008-01-19 20:32:47
ComboFix5.txt 2008-01-19 07:48:01

---------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:02 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\progra~1\digstr~1\playho~1.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\saxxest\Desktop\malware-virus\ShowMe.exe

O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\superfindout.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [PlayhouseDisneyDownloadManager] c:\progra~1\digstr~1\playho~1.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200107173078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200107404156
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {D28CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6690 bytes

#14 teacup61
  • Malware Response Team

Posted 21 January 2008 - 07:16 PM

Hello,

These ABC[space].exe fakes are a bit alarming..

Those should be gone now. :thumbsup:

Thanks for all your help.. I will PayPal tip just so long as I know I'm not getting my keys logged!

You're most welcome, and you're not. :blink:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\superfindout.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PlayhouseDisneyDownloadManager] c:\progra~1\digstr~1\playho~1.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
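The post above works through a HijackThis log by hand: pick out the entries worth fixing, leave the rest. The following is an added example (not code from this thread, from HijackThis or from Trend Micro) of doing that first pass programmatically: a parser for the HijackThis 2.0.x line format plus a few review heuristics drawn from what appears in this thread, namely a registered component whose file is missing (the e404 helper BHO), an autostart registered under the LocalSystem profile, 8.3 short-name paths, services with no company name, and an executable launched from an NTFS alternate data stream (the `svchost.exe:exm.exe` ImagePath ComboFix reported). The sample log is a constructed excerpt modelled on the log posted above, and the FFI service line is constructed from the ComboFix entry, since HijackThis itself did not list it; the heuristic names and thresholds are assumptions of this example, not a published rule set.

```python
"""Parse a HijackThis 2.0.x log and flag entries an analyst reviews first.

Added example for this thread; not code from HijackThis or Trend Micro.
The sample log is a constructed excerpt modelled on the one posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis log format. The last O23 line is
# modelled on the ComboFix service entry in the thread, not on HJT output.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:02 PM, on 1/21/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\superfindout.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PlayhouseDisneyDownloadManager] c:\progra~1\digstr~1\playho~1.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: FFI (FFI) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe

--
End of file - 6690 bytes
"""


@dataclass
class Entry:
    kind: str                  # HJT section code, e.g. "O2", "O4", "O23"
    text: str                  # everything after "Oxx - "
    flags: list[str] = field(default_factory=list)


# Every HJT entry line starts with a letter, a number, " - " and the body.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
FILE_MISSING = "(file missing)"
# "<binary>.exe:<stream>" is how an NTFS alternate data stream shows up in a path.
ADS_RE = re.compile(r"\.(?:exe|dll|sys):[^\\\s\"]+", re.IGNORECASE)
# DOS 8.3 short names such as progra~1\ hide the real directory name.
SHORT_NAME_RE = re.compile(r"~\d+\\")
# S-1-5-18 is the LocalSystem account; user-type apps rarely belong in its Run key.
SYSTEM_HIVE = "HKUS\\S-1-5-18\\"


def parse_entries(log: str) -> list[Entry]:
    """Return the O/R/F/N entries of a HijackThis log, skipping the header and process list."""
    entries = []
    for raw in log.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(kind=match.group(1), text=match.group(2)))
    return entries


def flag_entry(entry: Entry) -> list[str]:
    """Apply the review heuristics (assumptions of this example) to one entry."""
    if FILE_MISSING in entry.text:
        entry.flags.append("dangling: registered component whose file is gone")
    if ADS_RE.search(entry.text):
        entry.flags.append("ads: executable launched from an NTFS alternate data stream")
    if entry.kind == "O4" and entry.text.startswith(SYSTEM_HIVE):
        entry.flags.append("system-hive: autostart under the LocalSystem (S-1-5-18) profile")
    if entry.kind == "O4" and SHORT_NAME_RE.search(entry.text):
        entry.flags.append("short-name: 8.3 path, resolve the long name before judging")
    if entry.kind == "O23" and "Unknown owner" in entry.text:
        entry.flags.append("unknown-owner: service binary carries no company name")
    return entry.flags


def review(log: str) -> list[Entry]:
    """Parse the log and return only the entries that tripped at least one heuristic."""
    return [e for e in parse_entries(log) if flag_entry(e)]


if __name__ == "__main__":
    for entry in review(SAMPLE_LOG):
        print(f"{entry.kind} - {entry.text}")
        for flag in entry.flags:
            print(f"    [{flag}]")
```

The flags are prompts for a human, not verdicts: the short-name and unknown-owner rules fire on plenty of legitimate software (as they do on the Playhouse Disney and Macromedia entries above), while the file-missing and alternate-data-stream rules point at exactly the kind of leftover or disguised entries the helper asked to have removed.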

#15 ibinjacked
  • Topic Starter

Posted 21 January 2008 - 10:27 PM

Ok...
Did the HJT scan and removal as per your recommendation. It looks alright..?
BitDefender was not scanning online because of an activeX loading error so I downloaded the Free Edition. DL'ed the updates and ran the scan. It found stuff in a quarantined folder and then a program I've had for ages (bshooter.exe). McAfee never recognized that one..?

//-----------------------------------------------------------------
//
// Product BitDefender Free Edition v10
// Product 10.2
//
// Created on: 21/01/2008 17:53:01
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 15153
Files : 236453
Memory processes scanned : 43
Archives : 4144
Runtime packers : 11222
Identified viruses : 3
Infected files : 4
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 1
Moved files : 3
I/O errors : 28
Scan time : 01:25:10
Scan speed (files/sec) : 46

Spyware Statistics

Registry keys scanned : 367
Registry keys infected : 0
Cookies scanned : 132
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0


Virus definitions : 976223
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 7
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[ ] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[ ] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1200966781.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\Program Files\BSHOOTER.com\BubbleSD\bshooter.exe Infected: Trojan.Agent.ARN
C:\Program Files\BSHOOTER.com\BubbleSD\bshooter.exe Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\ciod.dll.vir Infected: Trojan.Spy.Bzub.NGP
C:\QooBox\Quarantine\C\WINDOWS\system32\ciod.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\ciod.dll.vir Moved
C:\QooBox\Quarantine\C\WINDOWS\system32\qtstv.ini.vir Infected: Trojan.Vundo.DVS
C:\QooBox\Quarantine\C\WINDOWS\system32\qtstv.ini.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\qtstv.ini.vir Moved
C:\QooBox\Quarantine\C\WINDOWS\system32\qtstv.ini2.vir Infected: Trojan.Vundo.DVS
C:\QooBox\Quarantine\C\WINDOWS\system32\qtstv.ini2.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\qtstv.ini2.vir Moved



