
Infected With Vundo Again


13 replies to this topic

#1 sland


Posted 26 January 2008 - 12:39 PM

Sorry, I have had this same problem before and had you guys help me, and I thought I had gotten rid of it, but I was still having weird things happen, like my Windows firewall asking about blocking my MSN and Yahoo messengers, etc.

Then the other day my antivirus program (Antivir PE Classic) updated and found Vundo again. It was like 122 files infected with Vundo and something called Dropper.

I tried to go through many of the steps I did before, but I'm still having problems.

I kept HijackThis still (although it's still renamed abc.bat), and here is the logfile from that:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:52 AM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhh.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {073B270A-C1EA-4A60-ADD1-3FBF164EAD0C} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6608 bytes

I apologize, I thought I took enough steps to keep this from happening again! But thanks for any help.

#2 SpySentinel


Posted 27 January 2008 - 04:30 PM

Hello and Welcome to Bleeping Computer.

My name is SpySentinel and I will be assisting you with your malware problem today.

You may wish to Subscribe to this thread (Options --> Track this topic) so that you are notified when you receive a reply.

Please give me some time to analyze your log, and I will post back with instructions ASAP.

#3 SpySentinel


Posted 29 January 2008 - 04:01 PM

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Go to My Computer > Tools > Folder Options > View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:


F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhh.exe
O2 - BHO: (no name) - {073B270A-C1EA-4A60-ADD1-3FBF164EAD0C} - C:\WINDOWS\system32\jkhhh.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

3. Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

4. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


5. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Viewpoint

6. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\jkhhh.dll


7. Please download ComboFix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang. Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
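The two HijackThis entries SpySentinel asks to fix above (the `F3` win.ini `load=` line and the nameless `O2` BHO whose DLL is missing) are the kind of thing a reader can pick out mechanically. The script below is an added example, not code from this thread or from HijackThis: it parses HijackThis 2.0.2 entry lines and flags those patterns. The sample lines are copied from sland's first log; the flagging rules (win.ini autostart, BHO with no name, referenced file missing) are this example's own heuristics and are an assumption about what merits a second look, not a verdict from HijackThis itself.

```python
"""Triage the entries of a HijackThis 2.0.2 log for the patterns
SpySentinel singled out above: a win.ini load= autostart and a nameless
BHO whose file is missing.

Added example; it is not code from the BleepingComputer thread or from
HijackThis.  The flagging rules are this example's own heuristics
(an assumption about what is worth a second look, not HijackThis's
own verdict).
"""
import re

# Constructed sample: six lines lifted from sland's first HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhh.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {073B270A-C1EA-4A60-ADD1-3FBF164EAD0C} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
""".strip()

# "<section> - <body>", e.g. "O2 - BHO: ..."; header and process-list lines do not match.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# F2/F3 entries carry the legacy win.ini load=/run= keys.
WININI_RE = re.compile(r"REG:win\.ini:\s*(?P<key>load|run)=", re.I)
# First Windows path ending in an executable-ish extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl|ocx)\b", re.I)


def triage(log_text):
    """Return a list of findings, one per entry that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # log header, "Running processes:" block, blank lines
        section, body = m.group("section"), m.group("body")
        path_m = PATH_RE.search(body)
        path = path_m.group(0) if path_m else None
        reasons = []
        if section in ("F2", "F3") and WININI_RE.search(body):
            reasons.append("win.ini load=/run= autostart (legacy hook, rarely legitimate on XP)")
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned entry: referenced file is missing")
        if reasons:
            findings.append({"section": section, "path": path, "reasons": reasons, "line": line})
    return findings


def fix_list(log_text):
    """The exact log lines to tick under 'Do a system scan only' before 'Fix checked'."""
    return [f["line"] for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>3}  {f['path']}")
        for r in f["reasons"]:
            print(f"       - {r}")
```

Run against the sample it returns exactly the two lines SpySentinel listed; an orphaned entry (file missing) is safe to fix, while a `load=` pointing at a file that still exists is the one to investigate before deleting.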

#4 sland


Posted 30 January 2008 - 09:38 AM

Thanks SpySentinel!

Ok I did all the steps, here is the combofix log:

ComboFix 08-01-30.1 - Sharky 2008-01-30 8:17:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.268 [GMT -6:00]
Running from: C:\Documents and Settings\Sharky\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-26 11:44 . 2008-01-26 11:44 <DIR> d-------- C:\Program Files\Windows Live
2008-01-26 11:44 . 2008-01-26 11:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-26 11:06 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-26 11:06 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-26 11:06 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-26 11:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-26 07:23 . 2008-01-26 10:03 <DIR> d-------- C:\VundoFix Backups
2008-01-25 13:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 13:15 . 2008-01-25 13:16 <DIR> d-------- C:\Program Files\Java
2008-01-16 10:33 . 2008-01-23 09:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 10:33 . 2008-01-16 10:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-05 12:11 . 2008-01-25 11:50 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-05 11:13 . 2008-01-05 11:13 <DIR> d-------- C:\Documents and Settings\Sharky\Application Data\acccore
2008-01-05 11:12 . 2008-01-05 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-05 11:11 . 2008-01-25 10:16 <DIR> d-------- C:\Program Files\AIM6
2008-01-04 11:08 . 2008-01-04 11:08 <DIR> d-------- C:\Documents and Settings\Sharky\Application Data\Apple Computer
2008-01-04 11:03 . 2008-01-04 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-04 11:02 . 2008-01-04 11:03 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-04 11:02 . 2008-01-04 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-02 09:06 . 2008-01-02 09:06 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-01 12:38 . 2008-01-01 14:38 <DIR> d-------- C:\wmdownloads
2007-12-28 07:46 . 2007-12-28 07:46 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-27 08:50 . 2008-01-25 13:17 <DIR> d-------- C:\Documents and Settings\Sharky\.housecall6.6
2007-12-26 13:49 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-26 13:33 . 2007-12-26 13:33 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-26 13:33 . 2007-12-26 13:33 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-26 07:47 . 2007-12-26 07:47 <DIR> d-------- C:\Program Files\Avira
2007-12-26 07:47 . 2007-12-26 07:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-25 12:27 . 2007-12-28 11:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-25 12:27 . 2007-12-25 12:27 <DIR> d-------- C:\Documents and Settings\Sharky\Application Data\SUPERAntiSpyware.com
2007-12-25 12:27 . 2007-12-25 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-25 11:48 . 2007-12-25 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-25 10:56 . 2007-12-25 10:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-25 07:42 . 2007-12-28 11:03 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-24 16:24 . 2007-12-24 16:24 <DIR> d-------- C:\Program Files\Sygate
2007-12-24 16:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-24 16:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-24 16:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-24 14:22 . 2008-01-27 10:57 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-24 12:30 . 2007-12-24 13:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-24 11:33 . 2008-01-27 08:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-24 11:32 . 2008-01-17 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 07:23 . 2007-12-24 13:35 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-23 07:48 . 2007-12-23 07:50 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-22 10:21 . 2007-12-25 07:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 09:50 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-22 09:15 . 2007-12-23 09:41 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 09:10 . 2007-12-23 07:13 114,688 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-22 09:10 . 2007-12-23 07:13 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-22 09:10 . 2007-12-24 13:21 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2007-12-22 09:10 . 2007-12-23 07:13 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-26 18:37 --------- d-----w C:\Program Files\MSN Messenger
2008-01-25 16:24 --------- d-----w C:\Program Files\QuickTime
2008-01-19 14:29 --------- d-----w C:\Program Files\Winamp
2008-01-05 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-05 17:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-02 15:22 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-02 15:16 --------- d-----w C:\Program Files\Google
2008-01-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 15:12 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Aim
2007-12-28 17:01 --------- d-----w C:\Program Files\Kazaa
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Yahoo!
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-24 17:26 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Lavasoft
2007-12-21 15:24 --------- d-----w C:\Program Files\DivX
2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
----a-w			50,528 2008-01-18 18:10:53  C:\Program Files\AIM6\aim6 .exe
----a-w		   249,896 2007-12-26 15:56:14  C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w		 1,896,448 2007-12-24 19:21:31  C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager .exe
----a-w		   192,512 2007-12-24 19:21:26  C:\Program Files\BellSouth\HelpCenter\bin\sprtcmd .exe
----a-w		   110,592 2007-12-24 19:21:06  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w			57,344 2007-12-24 19:20:53  C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol .exe
----a-w			68,856 2008-01-02 15:03:06  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		   221,184 2007-12-24 19:20:53  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		 5,674,352 2008-01-26 13:45:48  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w			98,304 2007-12-24 19:21:09  C:\Program Files\QuickTime\qttask					.exe
----a-w		   286,720 2008-01-05 15:46:29  C:\Program Files\QuickTime\QTTask   .exe
----a-w		 1,318,912 2007-12-26 15:56:18  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		 2,577,632 2008-01-18 16:40:25  C:\Program Files\Sygate\SPF\smc .exe
----a-w		 4,670,704 2008-01-18 16:43:19  C:\Program Files\Yahoo!\Messenger\YahooMessenger			  .exe
----a-w		 4,670,704 2008-01-23 13:00:58  C:\Program Files\Yahoo!\Messenger\YahooMessenger	  .exe
----a-w		 4,670,704 2008-01-25 12:45:22  C:\Program Files\Yahoo!\Messenger\YahooMessenger	.exe
----a-w		 4,670,704 2008-01-10 13:04:05  C:\Program Files\Yahoo!\Messenger\YAHOOM~1		 .EXE
----a-w			90,112 2007-12-24 19:21:04  C:\WINDOWS\UpdReg .EXE
----a-w			15,360 2007-12-23 15:41:51  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2007-12-23 13:13:08  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2007-12-23 13:13:08  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2007-12-23 13:13:04  C:\WINDOWS\system32\igfxtray .exe
----a-w		   127,035 2007-12-23 13:12:57  C:\WINDOWS\system32\dla\tfswctrl .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 04:00 53760 C:\WINDOWS\system32\narrator.exe]

S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 11:51]
S3 ZMUSBFLT;ZOOM USAT1 Filter Driver;C:\WINDOWS\system32\DRIVERS\ZMUSBFLT.SYS [2001-11-28 09:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 18:44:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 08:22:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-01-30 8:25:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 14:25:34
.
2008-01-09 18:38:13 --- E O F ---


And here is a new hijack this log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:53 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6186 bytes

#5 don77


Posted 01 February 2008 - 07:49 PM

Hello sland
sorry for the delay

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

RenV::
----a-w 50,528 2008-01-18 18:10:53 C:\Program Files\AIM6\aim6 .exe
----a-w 249,896 2007-12-26 15:56:14 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 1,896,448 2007-12-24 19:21:31 C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager .exe
----a-w 192,512 2007-12-24 19:21:26 C:\Program Files\BellSouth\HelpCenter\bin\sprtcmd .exe
----a-w 110,592 2007-12-24 19:21:06 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 57,344 2007-12-24 19:20:53 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol .exe
----a-w 68,856 2008-01-02 15:03:06 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 221,184 2007-12-24 19:20:53 C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w 5,674,352 2008-01-26 13:45:48 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 98,304 2007-12-24 19:21:09 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-05 15:46:29 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,318,912 2007-12-26 15:56:18 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w 2,577,632 2008-01-18 16:40:25 C:\Program Files\Sygate\SPF\smc .exe
----a-w 4,670,704 2008-01-18 16:43:19 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-23 13:00:58 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-25 12:45:22 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-10 13:04:05 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 90,112 2007-12-24 19:21:04 C:\WINDOWS\UpdReg .EXE
----a-w 15,360 2007-12-23 15:41:51 C:\WINDOWS\system32\ctfmon .exe
----a-w 77,824 2007-12-23 13:13:08 C:\WINDOWS\system32\hkcmd .exe
----a-w 114,688 2007-12-23 13:13:08 C:\WINDOWS\system32\igfxpers .exe
----a-w 94,208 2007-12-23 13:13:04 C:\WINDOWS\system32\igfxtray .exe
----a-w 127,035 2007-12-23 13:12:57 C:\WINDOWS\system32\dla\tfswctrl .exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#6 sland
  • Topic Starter
  • Members
  • 14 posts

Posted 02 February 2008 - 09:29 AM

Thanks don77

I followed the steps; here is the ComboFix log:

ComboFix 08-01-30.1 - Sharky 2008-02-02 8:11:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.234 [GMT -6:00]
Running from: C:\Documents and Settings\Sharky\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sharky\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 12:16 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-01 12:16 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-01 12:16 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-01 09:30 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-01 09:30 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-02-01 09:30 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-01 09:30 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-26 11:44 . 2008-01-26 11:44 <DIR> d-------- C:\Program Files\Windows Live
2008-01-26 11:44 . 2008-01-26 11:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-26 11:06 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-26 11:06 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-26 11:06 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-26 11:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-26 07:23 . 2008-01-26 10:03 <DIR> d-------- C:\VundoFix Backups
2008-01-25 13:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 13:15 . 2008-01-25 13:16 <DIR> d-------- C:\Program Files\Java
2008-01-05 12:11 . 2008-01-25 11:50 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-05 11:13 . 2008-01-05 11:13 <DIR> d-------- C:\Documents and Settings\Sharky\Application Data\acccore
2008-01-05 11:12 . 2008-01-05 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-05 11:11 . 2008-02-02 08:11 <DIR> d-------- C:\Program Files\AIM6
2008-01-04 11:08 . 2008-01-04 11:08 <DIR> d-------- C:\Documents and Settings\Sharky\Application Data\Apple Computer
2008-01-04 11:03 . 2008-01-04 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-04 11:02 . 2008-01-04 11:03 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-04 11:02 . 2008-01-04 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-02 09:06 . 2008-01-02 09:06 2 --a------ C:\WINDOWS\msoffice.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 14:15 --------- d-----w C:\Program Files\MSN Messenger
2008-02-02 14:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-01 16:36 --------- d-----w C:\Program Files\n-Track Studio
2008-01-29 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-27 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-25 16:24 --------- d-----w C:\Program Files\QuickTime
2008-01-19 14:29 --------- d-----w C:\Program Files\Winamp
2008-01-17 17:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-05 17:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-02 15:22 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-02 15:16 --------- d-----w C:\Program Files\Google
2008-01-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 15:12 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Aim
2007-12-28 17:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 17:01 --------- d-----w C:\Program Files\Kazaa
2007-12-26 13:47 --------- d-----w C:\Program Files\Avira
2007-12-26 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-12-25 18:27 --------- d-----w C:\Documents and Settings\Sharky\Application Data\SUPERAntiSpyware.com
2007-12-25 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-25 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-25 16:56 --------- d-----w C:\Program Files\Trend Micro
2007-12-25 13:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 22:24 --------- d-----w C:\Program Files\Sygate
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Yahoo!
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-24 19:35 --------- d-----w C:\Program Files\XoftSpySE
2007-12-24 19:21 90,112 ----a-w C:\WINDOWS\UpdReg.EXE
2007-12-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 17:33 --------- d-----w C:\Program Files\Lavasoft
2007-12-24 17:26 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Lavasoft
2007-12-23 13:50 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-12-21 15:24 --------- d-----w C:\Program Files\DivX
.
<pre>
----a-w			98,304 2007-12-24 19:21:09  C:\Program Files\QuickTime\qttask					.exe
----a-w		   286,720 2008-01-05 15:46:29  C:\Program Files\QuickTime\QTTask   .exe
----a-w		 4,670,704 2008-01-18 16:43:19  C:\Program Files\Yahoo!\Messenger\YahooMessenger			  .exe
----a-w		 4,670,704 2008-01-23 13:00:58  C:\Program Files\Yahoo!\Messenger\YahooMessenger	  .exe
----a-w		 4,670,704 2008-01-25 12:45:22  C:\Program Files\Yahoo!\Messenger\YahooMessenger	.exe
----a-w		 4,670,704 2008-01-10 13:04:05  C:\Program Files\Yahoo!\Messenger\YAHOOM~1		 .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-01-26 07:45 5674352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2008-01-18 10:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 04:00 53760 C:\WINDOWS\system32\narrator.exe]

S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 11:51]
S3 ZMUSBFLT;ZOOM USAT1 Filter Driver;C:\WINDOWS\system32\DRIVERS\ZMUSBFLT.SYS [2001-11-28 09:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 18:44:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 08:16:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-02 8:20:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 14:20:12
ComboFix2.txt 2008-01-30 14:25:43
.
2008-01-09 18:38:13 --- E O F ---



And here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:18 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6239 bytes

#7 don77
    Forum Regular
  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 02 February 2008 - 06:52 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

RenV::
----a-w 98,304 2007-12-24 19:21:09 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-05 15:46:29 C:\Program Files\QuickTime\QTTask .exe
----a-w 4,670,704 2008-01-18 16:43:19 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-23 13:00:58 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-25 12:45:22 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-10 13:04:05 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
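
What the RenV:: steps in this thread (post #5 and post #7) are aimed at, as an added example that is not part of the thread and is not ComboFix's own code: the `<pre>` block in the ComboFix log lists executables whose file names carry whitespace between the base name and the extension (`qttask .exe`, `YahooMessenger .exe`), and the RenV:: script is built from exactly those lines. The small Python parser below reads lines in the shape of that block (tab-padded as in the log, or single-spaced as in the codebox), pulls out size, timestamp and path, flags every entry with whitespace before the extension, and, as the caveat a practitioner wants before any rename, reports which of them would collapse to the same name on a case-insensitive filesystem such as NTFS on Windows. The two `qttask`/`QTTask` entries and the three `YahooMessenger` entries in the log above do collide that way. The sample lines are copied from the log posted earlier in this thread; the field layout and the assumption that RenV:: removes that whitespace are this editor's reading of the log, not ComboFix documentation.

```python
import re
from collections import defaultdict

# Constructed sample: six lines in the shape of the <pre> block that ComboFix
# printed in this thread (values copied from that log; \t marks the tab padding).
SAMPLE_LOG = """\
----a-w\t\t\t98,304 2007-12-24 19:21:09  C:\\Program Files\\QuickTime\\qttask\t\t\t\t\t.exe
----a-w\t\t   286,720 2008-01-05 15:46:29  C:\\Program Files\\QuickTime\\QTTask   .exe
----a-w\t\t 4,670,704 2008-01-18 16:43:19  C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger\t\t\t  .exe
----a-w\t\t 4,670,704 2008-01-23 13:00:58  C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger\t  .exe
----a-w\t\t 4,670,704 2008-01-25 12:45:22  C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger\t.exe
----a-w\t\t 4,670,704 2008-01-10 13:04:05  C:\\Program Files\\Yahoo!\\Messenger\\YAHOOM~1\t\t .EXE
"""

# Field layout is an assumption read off the log: attributes, size with
# thousands separators, date, time, drive-letter path, optional whitespace,
# then the extension. The path is matched non-greedily so that directory
# names containing spaces ("Program Files") stay inside the path group.
ENTRY_RE = re.compile(
    r"^(?P<attrs>\S+)\s+"
    r"(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>[A-Za-z]:\\.*?)"
    r"(?P<gap>\s*)"
    r"(?P<ext>\.\w+)\s*$"
)


def parse_entry(line):
    """Split one log line into its fields; return None for lines of another shape."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    # ComboFix prints the whitespace literally, so the on-disk name is path+gap+ext.
    entry["name_on_disk"] = entry["path"] + entry["gap"] + entry["ext"]
    # Assumed target of a RenV:: rename: the same name with the gap removed.
    entry["clean_name"] = entry["path"] + entry["ext"]
    entry["space_before_ext"] = entry["gap"] != ""
    return entry


def find_renames(log_text):
    """Return (name_on_disk, clean_name) pairs for entries with whitespace before the extension."""
    pairs = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None and entry["space_before_ext"]:
            pairs.append((entry["name_on_disk"], entry["clean_name"]))
    return pairs


def find_collisions(pairs):
    """Group rename targets that coincide on a case-insensitive filesystem.

    Windows compares file names case-insensitively, so two flagged files whose
    clean names differ only in case (or only in the amount of padding) cannot
    both exist after renaming; the caller should inspect such groups first.
    """
    groups = defaultdict(list)
    for name_on_disk, clean_name in pairs:
        groups[clean_name.lower()].append(name_on_disk)
    return {target: names for target, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    renames = find_renames(SAMPLE_LOG)
    for name_on_disk, clean_name in renames:
        print(repr(name_on_disk), "->", clean_name)
    for target, names in find_collisions(renames).items():
        print("COLLISION on", target, ":", len(names), "entries")
```

Run as-is it prints the six flagged entries and two collision groups; feed it the `<pre>` block of another ComboFix log to see which entries a RenV:: script would touch and which ones need a look before they are renamed.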


#8 sland
  • Topic Starter
  • Members
  • 14 posts

Posted 03 February 2008 - 09:49 AM

Here is the log:

ComboFix 08-01-30.1 - Sharky 2008-02-03 8:42:35.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.262 [GMT -6:00]
Running from: C:\Documents and Settings\Sharky\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sharky\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-01 12:16 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-01 12:16 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-01 12:16 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-01 09:30 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-01 09:30 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-02-01 09:30 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-01 09:30 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-26 11:44 . 2008-01-26 11:44 <DIR> d-------- C:\Program Files\Windows Live
2008-01-26 11:44 . 2008-01-26 11:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-26 11:06 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-26 11:06 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-26 11:06 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-26 11:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-26 07:23 . 2008-01-26 10:03 <DIR> d-------- C:\VundoFix Backups
2008-01-25 13:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 13:15 . 2008-01-25 13:16 <DIR> d-------- C:\Program Files\Java
2008-01-05 12:11 . 2008-01-25 11:50 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-05 11:13 . 2008-01-05 11:13 <DIR> d-------- C:\Documents and Settings\Sharky\Application Data\acccore
2008-01-05 11:12 . 2008-01-05 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-05 11:11 . 2008-02-02 08:11 <DIR> d-------- C:\Program Files\AIM6
2008-01-04 11:08 . 2008-01-04 11:08 <DIR> d-------- C:\Documents and Settings\Sharky\Application Data\Apple Computer
2008-01-04 11:03 . 2008-01-04 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-04 11:02 . 2008-01-04 11:03 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-04 11:02 . 2008-01-04 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 14:15 --------- d-----w C:\Program Files\MSN Messenger
2008-02-02 14:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-01 16:36 --------- d-----w C:\Program Files\n-Track Studio
2008-01-29 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-27 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 14:29 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-25 16:24 --------- d-----w C:\Program Files\QuickTime
2008-01-19 14:29 --------- d-----w C:\Program Files\Winamp
2008-01-17 17:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-05 17:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-02 15:22 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-02 15:16 --------- d-----w C:\Program Files\Google
2008-01-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 15:12 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Aim
2007-12-28 17:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 17:01 --------- d-----w C:\Program Files\Kazaa
2007-12-26 13:47 --------- d-----w C:\Program Files\Avira
2007-12-26 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-12-25 18:27 --------- d-----w C:\Documents and Settings\Sharky\Application Data\SUPERAntiSpyware.com
2007-12-25 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-25 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-25 16:56 --------- d-----w C:\Program Files\Trend Micro
2007-12-25 13:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 22:24 --------- d-----w C:\Program Files\Sygate
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Yahoo!
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-24 19:35 --------- d-----w C:\Program Files\XoftSpySE
2007-12-24 19:21 90,112 ----a-w C:\WINDOWS\UpdReg.EXE
2007-12-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 17:33 --------- d-----w C:\Program Files\Lavasoft
2007-12-24 17:26 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Lavasoft
2007-12-23 15:41 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2007-12-23 15:41 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-23 13:50 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-12-23 13:13 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-23 13:13 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-23 13:13 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-21 15:24 --------- d-----w C:\Program Files\DivX
2007-12-11 19:46 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
.
<pre>
----a-w			98,304 2007-12-24 19:21:09  C:\Program Files\QuickTime\qttask					.exe
----a-w		   286,720 2008-01-05 15:46:29  C:\Program Files\QuickTime\QTTask   .exe
----a-w		 4,670,704 2008-01-18 16:43:19  C:\Program Files\Yahoo!\Messenger\YahooMessenger			  .exe
----a-w		 4,670,704 2008-01-23 13:00:58  C:\Program Files\Yahoo!\Messenger\YahooMessenger	  .exe
----a-w		 4,670,704 2008-01-25 12:45:22  C:\Program Files\Yahoo!\Messenger\YahooMessenger	.exe
----a-w		 4,670,704 2008-01-10 13:04:05  C:\Program Files\Yahoo!\Messenger\YAHOOM~1		 .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-01-26 07:45 5674352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-23 09:41 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2008-01-18 10:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 04:00 53760 C:\WINDOWS\system32\narrator.exe]

S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 11:51]
S3 ZMUSBFLT;ZOOM USAT1 Filter Driver;C:\WINDOWS\system32\DRIVERS\ZMUSBFLT.SYS [2001-11-28 09:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 18:44:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 08:45:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 8:46:11
ComboFix-quarantined-files.txt 2008-02-03 14:45:43
ComboFix2.txt 2008-02-02 14:20:21
ComboFix3.txt 2008-01-30 14:25:43
.
2008-01-09 18:38:13 --- E O F ---

#9 don77
    Forum Regular
  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 06 February 2008 - 09:12 AM

Sorry for the delay, would you please rescan with ComboFix and post the fresh log for me please?

#10 sland
  • Topic Starter
  • Members
  • 14 posts

Posted 06 February 2008 - 01:54 PM

No worries.

I just ran ComboFix again; here is the log that popped up:

ComboFix 08-01-30.1 - Sharky 2008-02-06 12:46:35.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.240 [GMT -6:00]
Running from: C:\Documents and Settings\Sharky\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-06 08:04 . 2008-02-06 08:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-06 08:04 . 2008-02-06 08:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-01 12:16 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-01 12:16 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-01 12:16 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-01 09:30 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-01 09:30 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-02-01 09:30 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-01 09:30 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-26 11:44 . 2008-01-26 11:44 <DIR> d-------- C:\Program Files\Windows Live
2008-01-26 11:44 . 2008-01-26 11:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-26 11:06 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-26 11:06 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-26 11:06 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-26 11:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-26 07:23 . 2008-01-26 10:03 <DIR> d-------- C:\VundoFix Backups
2008-01-25 13:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 13:15 . 2008-01-25 13:16 <DIR> d-------- C:\Program Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 14:15 --------- d-----w C:\Program Files\MSN Messenger
2008-02-02 14:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-02 14:11 --------- d-----w C:\Program Files\AIM6
2008-02-01 16:36 --------- d-----w C:\Program Files\n-Track Studio
2008-01-29 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-27 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 14:29 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-25 17:50 --------- d-----w C:\Program Files\Yahoo!
2008-01-25 16:24 --------- d-----w C:\Program Files\QuickTime
2008-01-19 14:29 --------- d-----w C:\Program Files\Winamp
2008-01-17 17:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 17:13 --------- d-----w C:\Documents and Settings\Sharky\Application Data\acccore
2008-01-05 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-05 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-05 17:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-04 17:08 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Apple Computer
2008-01-04 17:03 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-04 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-02 15:22 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-02 15:16 --------- d-----w C:\Program Files\Google
2008-01-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 15:12 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Aim
2007-12-28 17:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 17:01 --------- d-----w C:\Program Files\Kazaa
2007-12-26 13:47 --------- d-----w C:\Program Files\Avira
2007-12-26 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-12-25 18:27 --------- d-----w C:\Documents and Settings\Sharky\Application Data\SUPERAntiSpyware.com
2007-12-25 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-25 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-25 16:56 --------- d-----w C:\Program Files\Trend Micro
2007-12-25 13:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 22:24 --------- d-----w C:\Program Files\Sygate
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Yahoo!
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-24 19:35 --------- d-----w C:\Program Files\XoftSpySE
2007-12-24 19:21 90,112 ----a-w C:\WINDOWS\UpdReg.EXE
2007-12-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 17:33 --------- d-----w C:\Program Files\Lavasoft
2007-12-24 17:26 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Lavasoft
2007-12-23 15:41 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2007-12-23 15:41 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-23 13:50 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-12-23 13:13 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-23 13:13 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-23 13:13 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-21 15:24 --------- d-----w C:\Program Files\DivX
2007-12-11 19:46 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
.
<pre>
----a-w			98,304 2007-12-24 19:21:09  C:\Program Files\QuickTime\qttask					.exe
----a-w		   286,720 2008-01-05 15:46:29  C:\Program Files\QuickTime\QTTask   .exe
----a-w		 4,670,704 2008-01-18 16:43:19  C:\Program Files\Yahoo!\Messenger\YahooMessenger			  .exe
----a-w		 4,670,704 2008-01-23 13:00:58  C:\Program Files\Yahoo!\Messenger\YahooMessenger	  .exe
----a-w		 4,670,704 2008-01-25 12:45:22  C:\Program Files\Yahoo!\Messenger\YahooMessenger	.exe
----a-w		 4,670,704 2008-01-10 13:04:05  C:\Program Files\Yahoo!\Messenger\YAHOOM~1		 .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-01-26 07:45 5674352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-23 09:41 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2008-01-18 10:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 04:00 53760 C:\WINDOWS\system32\narrator.exe]

S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 11:51]
S3 ZMUSBFLT;ZOOM USAT1 Filter Driver;C:\WINDOWS\system32\DRIVERS\ZMUSBFLT.SYS [2001-11-28 09:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 18:44:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 12:49:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 12:50:14
ComboFix-quarantined-files.txt 2008-02-06 18:49:47
ComboFix2.txt 2008-02-03 14:46:11
ComboFix3.txt 2008-02-02 14:20:21
ComboFix4.txt 2008-01-30 14:25:43
.
2008-01-09 18:38:13 --- E O F ---

#11 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston Mass
  • Local time:05:22 PM

Posted 06 February 2008 - 08:30 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for

RenV::
----a-w 98,304 2007-12-24 19:21:09 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-05 15:46:29 C:\Program Files\QuickTime\QTTask .exe
----a-w 4,670,704 2008-01-18 16:43:19 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-23 13:00:58 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-25 12:45:22 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-10 13:04:05 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
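
The `RenV::` section of the script above targets the files that ComboFix listed between the `<pre>` tags in both ComboFix logs in this thread: executables whose base name is separated from its extension by a run of spaces or tabs, which makes them easy to mistake for the legitimate program of the same name. The Python script below is an added example written for this thread; it is not part of the forum post and not ComboFix's own code. It parses listing lines of that shape, flags padded names, proposes the collapsed name, and groups entries that would map to the same file name on Windows' case-insensitive filesystem. The listing it runs on is constructed to match the shape of the entries above (the exact padding is not a byte-for-byte copy of the post), and the reading that ComboFix lists these files because of the padding is an assumption of this example.

```python
import re

# Constructed sample in the shape of the ComboFix listing posted in this thread.
# The padding between base name and extension is constructed here; it is not a
# byte-for-byte copy of the forum post.  The last line is a control entry that
# has no padding and must not be flagged.
SAMPLE_LISTING = (
    "----a-w\t\t\t98,304 2007-12-24 19:21:09  C:\\Program Files\\QuickTime\\qttask\t\t\t\t\t.exe\n"
    "----a-w\t\t   286,720 2008-01-05 15:46:29  C:\\Program Files\\QuickTime\\QTTask   .exe\n"
    "----a-w\t\t 4,670,704 2008-01-18 16:43:19  C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger\t\t\t  .exe\n"
    "----a-w\t\t 4,670,704 2008-01-23 13:00:58  C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger\t  .exe\n"
    "----a-w\t\t 4,670,704 2008-01-10 13:04:05  C:\\Program Files\\Yahoo!\\Messenger\\YAHOOM~1\t\t .EXE\n"
    "----a-w\t\t    12,288 2008-01-10 13:04:05  C:\\Program Files\\Example\\normal.exe\n"
)

# One listing line: attribute flags, byte size with thousands separators,
# timestamp, then the full path (which may itself contain spaces and tabs).
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+"
    r"(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>\S.*)$"
)

# A base name whose extension is separated from the stem by spaces or tabs.
# "Foo Bar.exe" (space inside the stem) does not match; "Foo Bar .exe" does.
PADDED_RE = re.compile(r"^(?P<stem>.*?\S)[ \t]+(?P<ext>\.[^.\s\\/]+)$")


def parse_listing(text):
    """Return one dict per parsable listing line (non-matching lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            entries.append(e)
    return entries


def collapsed_name(path):
    """Return the base name with the padding removed, or None if it is not padded."""
    base = path.rsplit("\\", 1)[-1]
    m = PADDED_RE.match(base)
    if not m:
        return None
    return m.group("stem") + m.group("ext")


def find_padded(text):
    """Flag padded executables and propose the name each should be renamed to."""
    findings = []
    for e in parse_listing(text):
        fixed = collapsed_name(e["path"])
        if fixed is None:
            continue
        folder = e["path"].rsplit("\\", 1)[0]
        findings.append({
            "path": e["path"],
            "suggested": folder + "\\" + fixed,
            "size": e["size"],
            "stamp": e["stamp"],
        })
    return findings


def collisions(findings):
    """Group findings whose collapsed names are equal under Windows'
    case-insensitive file naming.  Several files mapping to one name means a
    blind rename would clash, so each copy needs checking (size, hash, signer)
    before deciding which one, if any, is the real program."""
    by_name = {}
    for f in findings:
        by_name.setdefault(f["suggested"].lower(), []).append(f)
    return {k: v for k, v in by_name.items() if len(v) > 1}


if __name__ == "__main__":
    found = find_padded(SAMPLE_LISTING)
    for f in found:
        print(f"{f['stamp']}  {f['size']:>9}  {f['path']!r}\n"
              f"    -> {f['suggested']}")
    for name, group in collisions(found).items():
        print(f"collision: {name} ({len(group)} files)")
```

Run it on a saved listing instead of the constructed sample by reading the file into `find_padded`. Note that the two QuickTime entries and the two YahooMessenger entries each collapse to one name, which is why the script reports them as collisions rather than silently proposing a rename.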


#12 sland

sland
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:22 PM

Posted 07 February 2008 - 09:18 AM

Here is the ComboFix log that popped up:

ComboFix 08-01-30.1 - Sharky 2008-02-07 8:09:50.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.265 [GMT -6:00]
Running from: C:\Documents and Settings\Sharky\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sharky\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-06 08:04 . 2008-02-06 08:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-06 08:04 . 2008-02-06 08:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-01 12:16 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-01 12:16 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-01 12:16 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-01 09:30 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-01 09:30 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-02-01 09:30 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-01 09:30 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-26 11:44 . 2008-01-26 11:44 <DIR> d-------- C:\Program Files\Windows Live
2008-01-26 11:44 . 2008-01-26 11:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-26 11:06 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-26 11:06 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-26 11:06 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-26 11:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-26 07:23 . 2008-01-26 10:03 <DIR> d-------- C:\VundoFix Backups
2008-01-25 13:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 13:15 . 2008-01-25 13:16 <DIR> d-------- C:\Program Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 14:15 --------- d-----w C:\Program Files\MSN Messenger
2008-02-02 14:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-02 14:11 --------- d-----w C:\Program Files\AIM6
2008-02-01 16:36 --------- d-----w C:\Program Files\n-Track Studio
2008-01-29 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-27 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 14:29 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-25 17:50 --------- d-----w C:\Program Files\Yahoo!
2008-01-25 16:24 --------- d-----w C:\Program Files\QuickTime
2008-01-19 14:29 --------- d-----w C:\Program Files\Winamp
2008-01-17 17:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 17:13 --------- d-----w C:\Documents and Settings\Sharky\Application Data\acccore
2008-01-05 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-05 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-05 17:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-04 17:08 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Apple Computer
2008-01-04 17:03 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-04 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-02 15:22 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-02 15:16 --------- d-----w C:\Program Files\Google
2008-01-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 15:12 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Aim
2007-12-28 17:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 17:01 --------- d-----w C:\Program Files\Kazaa
2007-12-26 13:47 --------- d-----w C:\Program Files\Avira
2007-12-26 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-12-25 18:27 --------- d-----w C:\Documents and Settings\Sharky\Application Data\SUPERAntiSpyware.com
2007-12-25 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-25 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-25 16:56 --------- d-----w C:\Program Files\Trend Micro
2007-12-25 13:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 22:24 --------- d-----w C:\Program Files\Sygate
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Yahoo!
2007-12-24 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-24 19:35 --------- d-----w C:\Program Files\XoftSpySE
2007-12-24 19:21 90,112 ----a-w C:\WINDOWS\UpdReg.EXE
2007-12-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 17:33 --------- d-----w C:\Program Files\Lavasoft
2007-12-24 17:26 --------- d-----w C:\Documents and Settings\Sharky\Application Data\Lavasoft
2007-12-23 15:41 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2007-12-23 15:41 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-23 13:50 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-12-23 13:13 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-23 13:13 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-23 13:13 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-21 15:24 --------- d-----w C:\Program Files\DivX
2007-12-11 19:46 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
.
<pre>
----a-w			98,304 2007-12-24 19:21:09  C:\Program Files\QuickTime\qttask					.exe
----a-w		   286,720 2008-01-05 15:46:29  C:\Program Files\QuickTime\QTTask   .exe
----a-w		 4,670,704 2008-01-18 16:43:19  C:\Program Files\Yahoo!\Messenger\YahooMessenger			  .exe
----a-w		 4,670,704 2008-01-23 13:00:58  C:\Program Files\Yahoo!\Messenger\YahooMessenger	  .exe
----a-w		 4,670,704 2008-01-25 12:45:22  C:\Program Files\Yahoo!\Messenger\YahooMessenger	.exe
----a-w		 4,670,704 2008-01-10 13:04:05  C:\Program Files\Yahoo!\Messenger\YAHOOM~1		 .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-01-26 07:45 5674352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-23 09:41 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2008-01-18 10:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 04:00 53760 C:\WINDOWS\system32\narrator.exe]

S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 11:51]
S3 ZMUSBFLT;ZOOM USAT1 Filter Driver;C:\WINDOWS\system32\DRIVERS\ZMUSBFLT.SYS [2001-11-28 09:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 18:44:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 08:12:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-07 8:13:28
ComboFix-quarantined-files.txt 2008-02-07 14:12:51
ComboFix2.txt 2008-02-06 18:50:15
ComboFix3.txt 2008-02-03 14:46:11
ComboFix4.txt 2008-02-02 14:20:21
ComboFix5.txt 2008-01-30 14:25:43
.
2008-01-09 18:38:13 --- E O F ---

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:11 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6190 bytes

#13 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston Mass
  • Local time:05:22 PM

Posted 08 February 2008 - 11:54 PM

Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#14 sland

sland
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:22 PM

Posted 09 February 2008 - 12:04 PM

Ok, I did the scan; here is the log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 09, 2008 11:02:35 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/02/2008
Kaspersky Anti-Virus database records: 555870
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 60141
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:00:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sharky\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\History\History.IE5\MSHist012008020920080210\index.dat Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\Temp\~DFCFBB.tmp Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\Temp\~DFD071.tmp Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Sharky\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sharky\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sharky\ntuser.dat.LOG Object is locked skipped
C:\mysql\data\DGRRFB71.err Object is locked skipped
C:\mysql\data\ibdata1 Object is locked skipped
C:\mysql\data\ib_logfile0 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP58\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{92C4DD73-835E-4AA3-AE00-67886A7438AD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ib2 Object is locked skipped
C:\WINDOWS\Temp\ib3 Object is locked skipped
C:\WINDOWS\Temp\ib4 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
