Outerinfo Pop Up Nightmare


This topic is locked
6 replies to this topic

#1 McMomOf4

Posted 25 January 2008 - 10:16 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:04 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ACAEB3B1B5B1B2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\SYSTEM32\SonyIEx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\?ystem32\w?auclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SSEMBL~1\dexplore.exe
C:\WINDOWS\system32\SSEMBL~1\dexplore.exe
C:\WINDOWS\system32\SSEMBL~1\dexplore.exe
C:\WINDOWS\system32\SSEMBL~1\dexplore.exe
C:\WINDOWS\system32\SSEMBL~1\dexplore.exe
C:\WINDOWS\system32\SSEMBL~1\dexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [5D5F646266626367] ACAEB3B1B5B1B2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonyIEx - Unknown owner - C:\WINDOWS\SYSTEM32\SonyIEx.exe
O24 - Desktop Component 0: (no name) - http://x.myspace.com/images/icons/refreshicon2.jpg

--
End of file - 4092 bytes


#2 Buckeye_Sam (Malware Expert)

Posted 26 January 2008 - 09:14 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 McMomOf4 (Topic Starter)

Posted 27 January 2008 - 12:27 PM

ComboFix 08-01-23.1C - bobby mcreynolds 2008-01-27 10:57:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.328 [GMT -6:00]
Running from: C:\Documents and Settings\bobby mcreynolds\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\fioq
C:\Program Files\Common Files\fioq\fioqa.exe
C:\Program Files\Common Files\fioq\fioqa.lck
C:\Program Files\Common Files\fioq\fioqd\class-barrel
C:\Program Files\Common Files\fioq\fioqd\fioqc.dll
C:\Program Files\Common Files\fioq\fioqd\vocabulary
C:\Program Files\Common Files\fioq\fioqh
C:\Program Files\Common Files\fioq\fioql.exe
C:\Program Files\Common Files\fioq\fioql.lck
C:\Program Files\Common Files\fioq\fioqm .exe
C:\Program Files\Common Files\fioq\fioqm.exe
C:\Program Files\Common Files\fioq\fioqm.lck
C:\Program Files\Common Files\fioq\fioqp.exe
C:\Program Files\Router
C:\Program Files\Router\Router .exe
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\fioq
C:\WINDOWS\fioq\fioq.dat
C:\WINDOWS\fioq\wu
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\ioxcvort.dll
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\jkklm.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mlkkj.ini
C:\WINDOWS\SYSTEM32\mlkkj.ini2
C:\WINDOWS\system32\RCX4C.tmp
C:\WINDOWS\system32\RCX4E.tmp
C:\WINDOWS\system32\RCX69.tmp
C:\WINDOWS\system32\rqrponl.dll
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\ssembl~1\?ssembly\
C:\WINDOWS\system32\ssembl~1\dexplore .exe
C:\WINDOWS\system32\ssembl~1\dexplore.exe
C:\WINDOWS\system32\ssqpnkl.dll
C:\WINDOWS\system32\ssqpqon.dll
C:\WINDOWS\system32\yaywttu.dll
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\system32\ystem3~1\w?auclt.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 10:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 20:34 . 2008-01-25 20:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 18:19 . 2008-01-25 19:16 <DIR> d-------- C:\Program Files\RegCure
2008-01-25 18:07 . 2008-01-25 18:54 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-25 15:32 . 2008-01-25 18:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-23 06:30 . 2008-01-23 06:30 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-22 21:20 . 2008-01-22 21:20 4,286 --a------ C:\WINDOWS\SYSTEM32\Jamster.ico
2008-01-22 19:24 . 2008-01-22 19:24 <DIR> d-------- C:\Program Files\Omron Healthcare
2008-01-22 08:25 . 2008-01-22 08:25 36,864 --a------ C:\WINDOWS\17PHolmes572.exe.tmp
2008-01-21 05:10 . 2008-01-21 05:10 4,286 --a------ C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
2008-01-20 20:05 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2008-01-20 19:53 . 2008-01-20 19:53 <DIR> d-------- C:\Program Files\Activision Value
2008-01-20 17:53 . 2008-01-20 17:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\EEF0F5F3F7F3F4
2008-01-20 17:53 . 2007-12-14 06:40 120,832 --a------ C:\WINDOWS\SYSTEM32\ACAEB3B1B5B1B2.exe
2008-01-20 13:28 . 2008-01-20 13:28 <DIR> d--hs---- C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw
2008-01-19 14:27 . 2008-01-25 17:32 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2008-01-19 12:58 . 2008-01-25 17:35 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-19 12:55 . 2008-01-25 16:43 376,320 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-19 12:54 . 2008-01-19 12:54 38,400 --a------ C:\WINDOWS\SYSTEM32\mljhfdb.dll.vir
2008-01-03 22:33 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2008-01-03 22:33 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll
2008-01-03 22:31 . 2008-01-03 22:32 <DIR> d-------- C:\Program Files\XviD
2008-01-03 22:27 . 2008-01-03 22:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\Iosubsys
2008-01-03 22:27 . 2005-09-23 13:50 21,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Aldebaran.sys
2008-01-03 22:27 . 2005-09-23 13:50 16,855 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Achernar.sys
2008-01-03 22:26 . 2008-01-03 22:31 <DIR> d-------- C:\Program Files\NewSoft
2008-01-03 22:26 . 2008-01-03 22:31 <DIR> d-------- C:\Program Files\Common Files\NewSoft
2008-01-03 22:26 . 2001-11-12 10:44 122,880 --a------ C:\WINDOWS\SYSTEM32\Nsvideo.dll
2008-01-03 22:25 . 2008-01-03 22:25 <DIR> d-------- C:\Program Files\Common Files\Digi338
2008-01-03 22:25 . 2003-01-21 15:45 114,688 --a------ C:\WINDOWS\SYSTEM32\JpegCode.dll
2008-01-03 22:25 . 2004-01-22 12:41 46,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CoachUsb.sys
2008-01-03 22:25 . 2003-11-03 17:31 44,256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CoachVc.sys
2008-01-03 22:25 . 2004-02-03 15:09 41,984 --a------ C:\WINDOWS\SYSTEM32\CoachWia.dll
2008-01-03 22:25 . 2003-08-25 16:12 32,768 -ra------ C:\WINDOWS\SYSTEM32\infcpy.dll
2008-01-03 22:25 . 2003-11-04 17:54 16,896 --a------ C:\WINDOWS\SYSTEM32\CoachDlg.dll
2008-01-03 22:25 . 2004-01-06 13:10 8,192 --a------ C:\WINDOWS\SYSTEM32\CoachWrp.dll
2008-01-03 22:25 . 2003-05-08 16:58 5,632 --a------ C:\WINDOWS\SYSTEM32\CoachSti.dll
2008-01-03 22:25 . 2003-03-26 22:06 2,560 --a------ C:\WINDOWS\SYSTEM32\CoachTW.dll
2007-12-29 23:07 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\SYSTEM32\ltkrn13n.dll
2007-12-29 23:07 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\SYSTEM32\ltimg13n.dll
2007-12-29 23:07 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\SYSTEM32\lfcmp13n.dll
2007-12-29 23:07 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\SYSTEM32\ltdis13n.dll
2007-12-29 23:07 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\SYSTEM32\ltefx13n.dll
2007-12-29 23:07 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\SYSTEM32\ltfil13n.dll
2007-12-29 23:07 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\SYSTEM32\lfgif13n.dll
2007-12-29 23:07 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\SYSTEM32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 19:32 --------- d-----w C:\Program Files\iWin.com Games
2008-01-26 19:25 --------- d-----w C:\Program Files\Big Kahuna Reef
2008-01-26 00:45 --------- d-----w C:\Program Files\PeoplePC
2008-01-25 23:35 431,104 ----a-w C:\WINDOWS\UpdReg.EXE
2008-01-25 23:35 --------- d-----w C:\Program Files\QuickTime
2008-01-25 23:35 --------- d-----w C:\Program Files\iTunes
2008-01-23 01:22 --------- d-----w C:\Program Files\Apple Software Update
2008-01-13 15:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 02:06 2,152 ----a-w C:\Program Files\02D11C01.key
2007-12-25 18:56 --------- d-----w C:\Program Files\Audible
2007-12-25 14:52 --------- d-----w C:\Program Files\Creative
2007-12-25 14:47 --------- d--h--w C:\Program Files\Creative Installation Information
2007-12-25 14:42 --------- d-----w C:\Program Files\Common Files\Creative
2007-11-28 19:48 15,735 ----a-w C:\Program Files\release_notes_sos_6.0cf2_en.htm
2007-11-19 21:04 2,950,276 ------w C:\Program Files\klcfginst.exe
2007-11-19 21:03 33,872 ------w C:\Program Files\setup.exe
2007-11-19 21:03 23,021,056 ------w C:\Program Files\kav6sos.en.msi
2007-11-19 21:02 6,114 ------w C:\Program Files\kav6.kpd
2007-11-19 20:29 54 ------w C:\Program Files\Installer.ini
2005-08-02 22:46 187,904 --sha-r C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw\asappsrv.dll
2005-08-02 22:58 293,888 --sha-r C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw\command.exe
2005-07-29 22:24 472 --sha-r C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw\sA62sB40vqhVtr5RvZU4wT.vbs
.
<pre>
----a-w		   339,968 2008-01-25 23:32:38  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   323,584 2008-01-25 23:32:45  C:\Program Files\Common Files\Dell\EUSW\Support .exe
----a-w		   110,592 2008-01-25 23:32:42  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w			45,056 2008-01-25 23:32:39  C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
----a-w			57,344 2008-01-25 23:32:39  C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
----a-w			57,344 2008-01-25 23:32:41  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			86,016 2008-01-25 23:32:42  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w			61,440 2008-01-25 23:32:54  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w			49,152 2008-01-25 23:32:47  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w		   241,664 2008-01-25 23:32:47  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   135,168 2008-01-25 23:32:38  C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe
----a-w		   221,184 2008-01-25 23:32:38  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		   229,952 2008-01-25 23:32:46  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			32,881 2008-01-25 23:32:35  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,694,208 2008-01-25 23:32:54  C:\Program Files\Messenger\msmsgs .exe
----a-w		 8,720,384 2008-01-27 06:41:11  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w			98,304 2008-01-25 23:32:49  C:\Program Files\NewSoft\Smart Start UP\PnPDetect .exe
----a-w			26,208 2008-01-25 23:32:45  C:\Program Files\PeoplePC\ISP6500\Bin\PPCOLink .exe
----a-w		   652,288 2008-01-25 23:35:19  C:\Program Files\QuickTime\qttask   .exe
----a-w		   652,288 2008-01-25 22:43:27  C:\Program Files\QuickTime\qttask  .exe
----a-w		   652,288 2008-01-25 23:35:15  C:\Program Files\QuickTime\qttask .exe
----a-w			26,112 2008-01-25 23:32:51  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		 1,103,752 2008-01-26 00:44:03  C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w			90,112 2008-01-25 23:32:40  C:\WINDOWS\UpdReg .EXE
----a-w		   122,939 2008-01-25 23:32:43  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2004-03-11 09:50 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"5D5F646266626367"="ACAEB3B1B5B1B2.exe" [2007-12-14 06:40 120832 C:\WINDOWS\SYSTEM32\ACAEB3B1B5B1B2.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]

R0 Achernar;Achernar - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Achernar.sys [2005-09-23 13:50]
R2 SonyIEx;SonyIEx;C:\WINDOWS\SYSTEM32\SonyIEx.exe [2005-05-30 09:48]
R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Aldebaran.sys [2005-09-23 13:50]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 14:21:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-27 08:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2008-01-27 17:08:33 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-27 09:08:32 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-27 10:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-01-27 17:08:33 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-27 11:35:10 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 11:09:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 11:15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 17:15:40
.
2008-01-19 19:09:02 --- E O F ---

#4 Buckeye_Sam (Malware Expert)

Posted 28 January 2008 - 10:05 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Renv:
----a-w		   339,968 2008-01-25 23:32:38  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   323,584 2008-01-25 23:32:45  C:\Program Files\Common Files\Dell\EUSW\Support .exe
----a-w		   110,592 2008-01-25 23:32:42  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w			45,056 2008-01-25 23:32:39  C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
----a-w			57,344 2008-01-25 23:32:39  C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
----a-w			57,344 2008-01-25 23:32:41  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			86,016 2008-01-25 23:32:42  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w			61,440 2008-01-25 23:32:54  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w			49,152 2008-01-25 23:32:47  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w		   241,664 2008-01-25 23:32:47  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   135,168 2008-01-25 23:32:38  C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe
----a-w		   221,184 2008-01-25 23:32:38  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		   229,952 2008-01-25 23:32:46  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			32,881 2008-01-25 23:32:35  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,694,208 2008-01-25 23:32:54  C:\Program Files\Messenger\msmsgs .exe
----a-w		 8,720,384 2008-01-27 06:41:11  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w			98,304 2008-01-25 23:32:49  C:\Program Files\NewSoft\Smart Start UP\PnPDetect .exe
----a-w			26,208 2008-01-25 23:32:45  C:\Program Files\PeoplePC\ISP6500\Bin\PPCOLink .exe
----a-w		   652,288 2008-01-25 23:35:19  C:\Program Files\QuickTime\qttask   .exe
----a-w		   652,288 2008-01-25 22:43:27  C:\Program Files\QuickTime\qttask  .exe
----a-w		   652,288 2008-01-25 23:35:15  C:\Program Files\QuickTime\qttask .exe
----a-w			26,112 2008-01-25 23:32:51  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		 1,103,752 2008-01-26 00:44:03  C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w			90,112 2008-01-25 23:32:40  C:\WINDOWS\UpdReg .EXE
----a-w		   122,939 2008-01-25 23:32:43  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe

File::
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\SYSTEM32\mljhfdb.dll.vir
C:\WINDOWS\SYSTEM32\ACAEB3B1B5B1B2.exe
C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
C:\WINDOWS\17PHolmes572.exe.tmp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5D5F646266626367"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by Buckeye_Sam, 28 January 2008 - 10:06 AM.


#5 McMomOf4 (Topic Starter)

Posted 02 February 2008 - 05:56 PM

ComboFix 08-01-23.1C - bobby mcreynolds 2008-02-02 16:31:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.634 [GMT -6:00]
Running from: C:\Documents and Settings\bobby mcreynolds\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bobby mcreynolds\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\17PHolmes572.exe.tmp
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\SYSTEM32\ACAEB3B1B5B1B2.exe
C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
C:\WINDOWS\SYSTEM32\mljhfdb.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bobby mcreynolds\My Documents\FNTS~1
C:\Documents and Settings\bobby mcreynolds\My Documents\FNTS~1\F?nts\
C:\Documents and Settings\bobby mcreynolds\My Documents\FNTS~1\nslookup .exe
C:\Documents and Settings\bobby mcreynolds\My Documents\FNTS~1\nslookup.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\fnts~1
C:\Program Files\fnts~1\s?chost.exe
C:\Program Files\inetget2
C:\Program Files\Insider
C:\Program Files\Insider\Insider .exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\MSN Gaming Zone\hokero4444.dll
C:\Program Files\MSN Gaming Zone\hokero83122.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Temporary
C:\Program Files\Windows NT\lavulaxa.dll
C:\Program Files\Windows NT\lavulaxa554.dll
C:\Program Files\Windows NT\lavulaxa913.dll
C:\Program Files\Windows NT\profsyzyro.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\17PHolmes572.exe.tmp
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\SYSTEM32\ACAEB3B1B5B1B2.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\dxngbgfk.dll
C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
C:\WINDOWS\system32\fccayxu.dll
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\jkklm.exe
C:\WINDOWS\SYSTEM32\mljhfdb.dll.vir
C:\WINDOWS\SYSTEM32\mlkkj.ini
C:\WINDOWS\SYSTEM32\mlkkj.ini2
C:\WINDOWS\system32\mlnojjju.dll
C:\WINDOWS\system32\ohdvgggm.dll
C:\WINDOWS\system32\ohdvgggm.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\plqaubro.dll
C:\WINDOWS\system32\RCX1.tmp
C:\WINDOWS\system32\ubfvxhtp.dll
C:\WINDOWS\system32\udoz.dll
C:\WINDOWS\SYSTEM32\ujjjonlm.ini
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw\
C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw\\asappsrv.dll
C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw\\command.exe
C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw\\sA62sB40vqhVtr5RvZU4wT.vbs
C:\WINDOWS\Ym9iYnkgbWNyZXlub2xkcw\command.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 16:43 . 2008-02-02 16:43 334,848 --------- C:\WINDOWS\SYSTEM32\jkklm.dll
2008-02-02 16:42 . 2008-02-02 16:42 <DIR> d-------- C:\Temp\tn3
2008-02-01 07:10 . 2008-02-02 16:43 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-02-01 07:08 . 2008-02-01 07:10 <DIR> d-------- C:\Program Files\RABCO
2008-02-01 07:06 . 2008-02-01 07:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\tip4
2008-02-01 07:06 . 2008-02-01 07:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-02-01 07:06 . 2008-02-01 07:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\lis6
2008-02-01 07:06 . 2008-02-01 07:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\kps5
2008-02-01 07:06 . 2008-02-01 07:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\hs9
2008-02-01 07:06 . 2008-02-01 07:06 <DIR> d-------- C:\Temp\gTiis19
2008-02-01 07:06 . 2008-02-01 07:06 <DIR> d-------- C:\Temp\cXzz9
2008-02-01 07:06 . 2008-02-02 16:42 <DIR> d-------- C:\Temp
2008-02-01 07:06 . 2008-02-01 07:06 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr122.sys
2008-02-01 07:06 . 2008-02-02 16:42 932 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-31 17:35 . 2008-02-02 15:50 1,188,672 --ahs---- C:\WINDOWS\SYSTEM32\cmcwxlat.ini
2008-01-27 10:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 20:34 . 2008-01-25 20:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 18:19 . 2008-01-25 19:16 <DIR> d-------- C:\Program Files\RegCure
2008-01-25 18:07 . 2008-02-02 16:09 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-25 15:32 . 2008-01-25 18:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-23 06:30 . 2008-01-23 06:30 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-22 21:20 . 2008-01-22 21:20 4,286 --a------ C:\WINDOWS\SYSTEM32\Jamster.ico
2008-01-22 19:24 . 2008-01-22 19:24 <DIR> d-------- C:\Program Files\Omron Healthcare
2008-01-20 20:05 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2008-01-20 19:53 . 2008-01-20 19:53 <DIR> d-------- C:\Program Files\Activision Value
2008-01-20 17:53 . 2008-01-20 17:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\EEF0F5F3F7F3F4
2008-01-19 14:27 . 2008-01-25 17:32 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2008-01-03 22:33 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2008-01-03 22:33 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll
2008-01-03 22:31 . 2008-01-03 22:32 <DIR> d-------- C:\Program Files\XviD
2008-01-03 22:27 . 2008-01-03 22:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\Iosubsys
2008-01-03 22:27 . 2005-09-23 13:50 21,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Aldebaran.sys
2008-01-03 22:27 . 2005-09-23 13:50 16,855 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Achernar.sys
2008-01-03 22:26 . 2008-01-03 22:31 <DIR> d-------- C:\Program Files\NewSoft
2008-01-03 22:26 . 2008-01-03 22:31 <DIR> d-------- C:\Program Files\Common Files\NewSoft
2008-01-03 22:26 . 2001-11-12 10:44 122,880 --a------ C:\WINDOWS\SYSTEM32\Nsvideo.dll
2008-01-03 22:25 . 2008-01-03 22:25 <DIR> d-------- C:\Program Files\Common Files\Digi338
2008-01-03 22:25 . 2003-01-21 15:45 114,688 --a------ C:\WINDOWS\SYSTEM32\JpegCode.dll
2008-01-03 22:25 . 2004-01-22 12:41 46,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CoachUsb.sys
2008-01-03 22:25 . 2003-11-03 17:31 44,256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CoachVc.sys
2008-01-03 22:25 . 2004-02-03 15:09 41,984 --a------ C:\WINDOWS\SYSTEM32\CoachWia.dll
2008-01-03 22:25 . 2003-08-25 16:12 32,768 -ra------ C:\WINDOWS\SYSTEM32\infcpy.dll
2008-01-03 22:25 . 2003-11-04 17:54 16,896 --a------ C:\WINDOWS\SYSTEM32\CoachDlg.dll
2008-01-03 22:25 . 2004-01-06 13:10 8,192 --a------ C:\WINDOWS\SYSTEM32\CoachWrp.dll
2008-01-03 22:25 . 2003-05-08 16:58 5,632 --a------ C:\WINDOWS\SYSTEM32\CoachSti.dll
2008-01-03 22:25 . 2003-03-26 22:06 2,560 --a------ C:\WINDOWS\SYSTEM32\CoachTW.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 19:32 --------- d-----w C:\Program Files\iWin.com Games
2008-01-26 19:25 --------- d-----w C:\Program Files\Big Kahuna Reef
2008-01-26 00:45 --------- d-----w C:\Program Files\PeoplePC
2008-01-25 23:35 431,104 ----a-w C:\WINDOWS\UpdReg.EXE
2008-01-25 23:35 --------- d-----w C:\Program Files\QuickTime
2008-01-25 23:35 --------- d-----w C:\Program Files\iTunes
2008-01-23 01:22 --------- d-----w C:\Program Files\Apple Software Update
2008-01-13 15:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 02:06 2,152 ----a-w C:\Program Files\02D11C01.key
2007-12-25 18:56 --------- d-----w C:\Program Files\Audible
2007-12-25 14:52 --------- d-----w C:\Program Files\Creative
2007-12-25 14:47 --------- d--h--w C:\Program Files\Creative Installation Information
2007-12-25 14:42 --------- d-----w C:\Program Files\Common Files\Creative
2007-11-28 19:48 15,735 ----a-w C:\Program Files\release_notes_sos_6.0cf2_en.htm
2007-11-19 21:04 2,950,276 ------w C:\Program Files\klcfginst.exe
2007-11-19 21:03 33,872 ------w C:\Program Files\setup.exe
2007-11-19 21:03 23,021,056 ------w C:\Program Files\kav6sos.en.msi
2007-11-19 21:02 6,114 ------w C:\Program Files\kav6.kpd
2007-11-19 20:29 54 ------w C:\Program Files\Installer.ini
2007-11-14 07:26 450,560 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
.
<pre>
----a-w		   339,968 2008-01-25 23:32:38  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   323,584 2008-01-25 23:32:45  C:\Program Files\Common Files\Dell\EUSW\Support .exe
----a-w		   110,592 2008-01-25 23:32:42  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w			45,056 2008-01-25 23:32:39  C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
----a-w			57,344 2008-01-25 23:32:39  C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
----a-w			57,344 2008-01-25 23:32:41  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			86,016 2008-01-25 23:32:42  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w			61,440 2008-02-02 22:43:01  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w			49,152 2008-01-25 23:32:47  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w		   241,664 2008-01-25 23:32:47  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   135,168 2008-01-25 23:32:38  C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe
----a-w		   221,184 2008-01-25 23:32:38  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		   229,952 2008-01-25 23:32:46  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			32,881 2008-01-25 23:32:35  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,694,208 2008-01-25 23:32:54  C:\Program Files\Messenger\msmsgs .exe
----a-w		 8,720,384 2008-02-02 19:51:00  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w			98,304 2008-01-25 23:32:49  C:\Program Files\NewSoft\Smart Start UP\PnPDetect .exe
----a-w			26,208 2008-01-25 23:32:45  C:\Program Files\PeoplePC\ISP6500\Bin\PPCOLink .exe
----a-w		   652,288 2008-01-25 23:35:19  C:\Program Files\QuickTime\qttask   .exe
----a-w		   652,288 2008-01-25 22:43:27  C:\Program Files\QuickTime\qttask  .exe
----a-w		   652,288 2008-01-25 23:35:15  C:\Program Files\QuickTime\qttask .exe
----a-w			26,112 2008-01-25 23:32:51  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		 1,103,752 2008-01-26 00:44:03  C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w			90,112 2008-01-25 23:32:40  C:\WINDOWS\UpdReg .EXE
----a-w		   122,939 2008-01-25 23:32:43  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
2008-01-30 14:02 414992 --a------ C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC7ED36E-2F9E-47CE-B888-C0B91DFF7D87}]
2008-02-02 16:43 334848 --------- C:\WINDOWS\system32\jkklm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"="C:\DOCUME~1\BOBBYM~1\MYDOCU~1\FNTS~1\nslookup.exe" [ ]
"Nfvlgc"="C:\Program Files\F?nts\s?chost.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [2008-02-02 16:28 399872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2004-03-11 09:50 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]

C:\Documents and Settings\bobby mcreynolds\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-01 07:06:43 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\jkklm.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkklm

R0 Achernar;Achernar - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Achernar.sys [2005-09-23 13:50]
R1 HPZipr122;HPZipr122;C:\WINDOWS\system32\drivers\HPZipr122.sys [2008-02-01 07:06]
R2 SonyIEx;SonyIEx;C:\WINDOWS\SYSTEM32\SonyIEx.exe [2005-05-30 09:48]
R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Aldebaran.sys [2005-09-23 13:50]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 14:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-01 08:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2008-02-02 22:42:51 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-01 09:06:18 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-01 10:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-02-02 22:42:51 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-01 09:00:06 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 16:43:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\jkklm.dll
.
Completion time: 2008-02-02 16:50:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 22:50:14
ComboFix2.txt 2008-01-27 17:15:44
.
2008-01-19 19:09:02 --- E O F ---

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 February 2008 - 10:07 AM

Please download this tool and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe


Copy the text below into notepad and save it to your desktop as Log.txt
----a-w		   339,968 2008-01-25 23:32:38  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   323,584 2008-01-25 23:32:45  C:\Program Files\Common Files\Dell\EUSW\Support .exe
----a-w		   110,592 2008-01-25 23:32:42  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w			45,056 2008-01-25 23:32:39  C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
----a-w			57,344 2008-01-25 23:32:39  C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
----a-w			57,344 2008-01-25 23:32:41  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			86,016 2008-01-25 23:32:42  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w			61,440 2008-02-02 22:43:01  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w			49,152 2008-01-25 23:32:47  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w		   241,664 2008-01-25 23:32:47  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   135,168 2008-01-25 23:32:38  C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe
----a-w		   221,184 2008-01-25 23:32:38  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		   229,952 2008-01-25 23:32:46  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			32,881 2008-01-25 23:32:35  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,694,208 2008-01-25 23:32:54  C:\Program Files\Messenger\msmsgs .exe
----a-w		 8,720,384 2008-02-02 19:51:00  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w			98,304 2008-01-25 23:32:49  C:\Program Files\NewSoft\Smart Start UP\PnPDetect .exe
----a-w			26,208 2008-01-25 23:32:45  C:\Program Files\PeoplePC\ISP6500\Bin\PPCOLink .exe
----a-w		   652,288 2008-01-25 23:35:19  C:\Program Files\QuickTime\qttask   .exe
----a-w		   652,288 2008-01-25 22:43:27  C:\Program Files\QuickTime\qttask  .exe
----a-w		   652,288 2008-01-25 23:35:15  C:\Program Files\QuickTime\qttask .exe
----a-w			26,112 2008-01-25 23:32:51  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		 1,103,752 2008-01-26 00:44:03  C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w			90,112 2008-01-25 23:32:40  C:\WINDOWS\UpdReg .EXE
----a-w		   122,939 2008-01-25 23:32:43  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe

Drag Log.txt into RenV.exe
When finished, it shall produce a new log for you. Post that log in your next reply.

Immediately run Combofix.exe and post that log also.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
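The rows Buckeye_Sam asks to be saved as Log.txt all share one feature: whitespace has been inserted between the file name and its extension (for example `qttask   .exe`, `qttask  .exe` and `qttask .exe` alongside the real `qttask.exe`). Below is an added example, written for this thread and not the code of RenV.exe or ComboFix, that parses rows in that listing format, flags every name with a padded extension, derives the unpadded name, and reports where several padded variants would map onto the same target so that a clean-up does not rename one copy over another. The sample rows are taken from the listing above; the `lsasrv.dll` row is constructed (seconds added to the timestamp) to show a clean name passing through.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample rows in the ComboFix listing format quoted in this thread:
# attribute flags, byte size with thousands separators, timestamp, full path.
# The last row is constructed to show a name that is NOT padded.
SAMPLE_LISTING = r"""
----a-w           339,968 2008-01-25 23:32:38  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w           652,288 2008-01-25 23:35:19  C:\Program Files\QuickTime\qttask   .exe
----a-w           652,288 2008-01-25 22:43:27  C:\Program Files\QuickTime\qttask  .exe
----a-w            90,112 2008-01-25 23:32:40  C:\WINDOWS\UpdReg .EXE
----a-w           721,920 2007-11-07 09:26:00  C:\WINDOWS\SYSTEM32\lsasrv.dll
"""

# One listing row; tabs or spaces may separate the columns.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)

# A bare file name whose extension is separated from the stem by whitespace,
# e.g. "qttask   .exe". Clean names such as "lsasrv.dll" do not match.
PADDED_EXT_RE = re.compile(r"^(?P<stem>.*\S)(?P<pad>\s+)(?P<ext>\.[A-Za-z0-9]+)$")


@dataclass
class Entry:
    attrs: str
    size: int
    stamp: str
    path: str


def parse_listing(text: str) -> List[Entry]:
    """Parse listing rows; blank lines and non-matching text are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(
            Entry(m["attrs"], int(m["size"].replace(",", "")), m["stamp"], m["path"])
        )
    return entries


def proposed_name(path: str) -> Optional[str]:
    """Return the path with the padding removed, or None if the name is clean."""
    folder, _, name = path.rpartition("\\")
    m = PADDED_EXT_RE.match(name)
    if not m:
        return None
    return f"{folder}\\{m['stem']}{m['ext']}"


def rename_plan(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group padded paths by the unpadded target they would be renamed to.

    Grouping by target is what exposes the edge case visible in the thread:
    the qttask entries with one, two and three spaces all collapse onto
    qttask.exe, so renaming them blindly would overwrite each other.
    """
    plan: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        target = proposed_name(e.path)
        if target is not None:
            plan[target].append(e.path)
    return dict(plan)


def collisions(plan: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Targets that more than one padded source would be renamed to."""
    return {t: srcs for t, srcs in plan.items() if len(srcs) > 1}


if __name__ == "__main__":
    plan = rename_plan(parse_listing(SAMPLE_LISTING))
    for target, sources in plan.items():
        flag = "  <-- COLLISION, review by hand" if len(sources) > 1 else ""
        print(f"{target}{flag}")
        for src in sources:
            print(f"    from: {src!r}")
```

Run stand-alone, the script prints one target per padded file and marks `qttask.exe` as a collision, which is the case a practitioner wants surfaced before any rename is attempted: only comparing sizes, timestamps and hashes of the variants tells you which one is the original.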


========================================================

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 February 2008 - 07:40 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.


========================================================
