Ultimate Cleaner


This topic is locked
23 replies to this topic

#1 jd747747 (Members, 20 posts)

Posted 29 January 2008 - 10:51 AM

I am on XP Media Center Edition, Dell XPS 400 and cannot get rid of Ultimate Cleaner. I've performed the steps suggested in this forum to get rid of malware and am attaching my HJT log. Please help me:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:22 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csurams.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: SXG Advisor - {9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB} - C:\WINDOWS\dpvtportwf.dll (file missing)
O3 - Toolbar: The elfwgps - {A6074EA4-01C7-40A1-82C3-FC683866AB03} - C:\WINDOWS\elfwgps.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187903629968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187903428593
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acns.colostate.edu
O17 - HKLM\Software\..\Telephony: DomainName = acns.colostate.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{88BCC19C-E632-46AE-87C5-D7F33866B103}: NameServer = 129.82.103.78,129.82.103.79
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acns.colostate.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = acns.colostate.edu,colostate.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = acns.colostate.edu,colostate.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O21 - SSODL: bqxomdo - {2279F962-FD1A-4205-8A18-AA9AAEE8C973} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {5C0F6727-4306-4031-A0B6-9B500C75CB77} - C:\WINDOWS\aswmklt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 8241 bytes
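The entries the helper later scripted out of this log (the two SSODL DLLs, the BHO and toolbar with "(file missing)", the Trusted Zone addition and the Active Desktop component) share a few traits that can be checked mechanically. The script below is an added example for this thread, not part of HijackThis and not something the original poster or helper ran: it scores HJT-style lines with a few conservative heuristics and shows why a gibberish-name test on its own is not enough (it fires on Symantec's legitimate Rtvscan.exe too). The sample lines are copied from the log above; the rules, weights and threshold are this example's own assumptions.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread, not part of HijackThis or of the original
post. The sample lines are copied from the HJT log posted above; the scoring
rules and the gibberish-name test are this example's own assumptions, not
HijackThis rules, and the thresholds are deliberately conservative.
"""
from __future__ import annotations

import re

# Lines copied from post #1: a legitimate Adobe BHO, Symantec entries and
# the entries the helper later scripted for removal.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB} - C:\WINDOWS\dpvtportwf.dll (file missing)
O3 - Toolbar: The elfwgps - {A6074EA4-01C7-40A1-82C3-FC683866AB03} - C:\WINDOWS\elfwgps.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.whataboutadog.com
O21 - SSODL: bqxomdo - {2279F962-FD1A-4205-8A18-AA9AAEE8C973} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {5C0F6727-4306-4031-A0B6-9B500C75CB77} - C:\WINDOWS\aswmklt.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"\n]*?\.(?:dll|exe|ocx|sys))", re.I)
# A PE file sitting directly in %WINDIR% (not in a subfolder) is unusual for
# legitimate software; the DLLs removed in this thread all live there.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.(?:dll|exe|ocx)$", re.I)
# Sections worth a look whenever they appear at all (assumption of this example).
HIGH_SIGNAL = {"O15": "site added to the IE Trusted Zone",
               "O24": "Active Desktop component pointing at a local page"}


def looks_random(stem: str) -> bool:
    """Crude gibberish test: 6+ letters with few vowels or a 5-consonant run.
    It also fires on some real names (Symantec's 'Rtvscan'), so it is only
    worth one point and never decides on its own."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    vowel_ratio = sum(c in "aeiouy" for c in s) / len(s)
    return vowel_ratio < 0.3 or re.search(r"[^aeiouy]{5}", s) is not None


def score_line(line: str) -> dict | None:
    """Return {'section', 'line', 'score', 'reasons'} or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    score, reasons = 0, []
    if sec in HIGH_SIGNAL:
        score += 2
        reasons.append(HIGH_SIGNAL[sec])
    if "(file missing)" in body:
        score += 2
        reasons.append("loading point for a file that no longer exists")
    pm = PATH_RE.search(body)
    if pm:
        path = pm.group(1)
        if WINDIR_ROOT_RE.match(path):
            score += 2
            reasons.append("binary dropped directly in %WINDIR%")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            score += 1
            reasons.append(f"gibberish file name '{stem}'")
    return {"section": sec, "line": line.strip(), "score": score, "reasons": reasons}


def triage(log_text: str, threshold: int = 2) -> list[dict]:
    """Entries scoring at or above threshold, highest first."""
    hits = [r for r in map(score_line, log_text.splitlines())
            if r and r["score"] >= threshold]
    return sorted(hits, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['score']}] {hit['section']}: {', '.join(hit['reasons'])}")
        print("     " + hit["line"])
```

Run against the sample, it flags exactly the six entries the helper went after and leaves the Adobe, ccApp and Rtvscan lines alone; Rtvscan still scores one point for its name, which is why the location and "file missing" signals carry the weight.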

#2 Buckeye_Sam (Malware Expert, Members, 17,382 posts; Pickerington, Ohio)

Posted 30 January 2008 - 10:16 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 jd747747 (Topic Starter; Members, 20 posts)

Posted 30 January 2008 - 10:46 AM

Thanks for your quick response Sam, Here's the ComboFix log:

ComboFix 08-01-30.6 - Jeff Dotson 2008-01-30 8:38:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2521 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff Dotson\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Jeff Dotson\g2mdlhlpx.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\media
C:\WINDOWS\system32\media\AvidRender.wav

----- BITS: Possible infected sites -----

hxxp://mail.colostate.edu
hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 08:46 . 2008-01-29 08:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 14:21 . 2008-01-28 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 08:03 . 2008-01-28 08:04 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-01-26 14:05 . 2008-01-26 14:05 <DIR> d-------- C:\Program Files\CCleaner
2008-01-26 14:03 . 2008-01-26 14:04 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-25 10:09 . 2008-01-25 10:09 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-24 11:58 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-24 11:44 . 2008-01-24 11:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-24 11:44 . 2008-01-24 11:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-24 11:32 . 2008-01-28 07:45 2,514 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-24 09:12 . 2008-01-24 09:12 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-24 09:12 . 2008-01-24 09:12 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-24 09:12 . 2008-01-24 09:12 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-24 09:12 . 2008-01-24 09:12 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-24 08:17 . 2008-01-24 08:17 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-01-23 14:42 . 2008-01-23 14:42 <DIR> d-------- C:\Program Files\MediaEntertainmentCodec
2008-01-23 14:42 . 2008-01-23 13:29 245,760 --a------ C:\WINDOWS\aswmklt.dll
2008-01-23 14:42 . 2008-01-23 13:29 81,920 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-14 09:44 . 2008-01-14 09:44 563,712 --a------ C:\Documents and Settings\Jeff Dotson\gotomypc_370.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 15:37 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-30 14:49 0 ----a-w C:\WINDOWS\system32\drivers\WFTDriverLog.txt
2008-01-28 18:19 --------- d-----w C:\Program Files\Cleaner 5 EZ
2008-01-24 16:12 --------- d-----w C:\Program Files\Symantec
2008-01-24 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-24 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 15:28 --------- d-----w C:\Program Files\DIGStream
2008-01-15 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 15:04 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-02 20:35 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-13 09:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 00:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 09:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 52,896 2006-07-20 01:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,840 2006-11-22 00:38:28 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 460,784 2007-03-15 17:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w 61,440 2006-02-15 06:31:26 C:\Program Files\Digidesign\Drivers\bak\MMERefresh.exe

----a-w 49,152 2005-09-24 06:08:54 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 267,064 2007-09-07 22:55:08 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-03 01:36:42 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-07-12 10:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 31,016 2006-10-27 06:47:42 C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe

----a-w 286,720 2007-06-29 12:24:52 C:\Program Files\QuickTime\bak\bak\QTTask.exe
----a-w 286,720 2007-10-20 03:16:26 C:\Program Files\QuickTime\QTTask.exe

----a-w 286,720 2007-06-29 12:24:52 C:\Program Files\QuickTime\bak\bak\QTTask.exe

----a-w 125,168 2006-09-28 02:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,632 2007-03-15 02:49:02 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 15,360 2004-08-10 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB}]
C:\WINDOWS\dpvtportwf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A6074EA4-01C7-40A1-82C3-FC683866AB03}

[HKEY_CLASSES_ROOT\clsid\{a6074ea4-01c7-40a1-82c3-fc683866ab03}]
[HKEY_CLASSES_ROOT\elfwgps.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{70E5B3D6-21AB-45C4-907E-10087E2C8213}]
[HKEY_CLASSES_ROOT\elfwgps.ToolBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-31 17:54 7561216]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]

C:\Documents and Settings\Jeff Dotson\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2007-08-27 15:58:31 2367488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"= {2279F962-FD1A-4205-8A18-AA9AAEE8C973} - C:\WINDOWS\bqxomdo.dll [ ]
"aswmklt"= {5C0F6727-4306-4031-A0B6-9B500C75CB77} - C:\WINDOWS\aswmklt.dll [2008-01-23 13:29 245760]

R3 Flamethrower;Flamethrower;C:\WINDOWS\system32\drivers\Flamethrower.sys [2006-08-09 20:12]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 22:10]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 22:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 02:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 08:43:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 8:43:45
ComboFix-quarantined-files.txt 2008-01-30 15:43:42
.
2008-01-09 15:38:34 --- E O F ---

#4 Buckeye_Sam (Malware Expert, Members, 17,382 posts; Pickerington, Ohio)

Posted 30 January 2008 - 04:51 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\Program Files\MediaEntertainmentCodec

File::
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\fvqkfsp.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB}]
[-HKEY_CLASSES_ROOT\clsid\{a6074ea4-01c7-40a1-82c3-fc683866ab03}]
[-HKEY_CLASSES_ROOT\elfwgps.ToolBar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{70E5B3D6-21AB-45C4-907E-10087E2C8213}]
[-HKEY_CLASSES_ROOT\elfwgps.ToolBar]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"=-
"aswmklt"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


==================


You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

  • Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
  • Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

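The CFScript above is terse, and it is worth seeing what it actually instructs ComboFix to do before dropping it on the executable. The parser below is an added example for this thread, not ComboFix code and not an official grammar: it models the three directives used here (Folder::, File::, Registry::) with the REGEDIT4 deletion forms ComboFix borrows from .reg files, where "[-KEY]" removes a whole key and '"name"=-' under a "[KEY]" header removes one value. Other directives ComboFix accepts are not modelled and are reported as unknown, and a path that would hit a drive root or a core system folder is reported as refused; that refusal list is a safety check of this example, not something ComboFix does. The script text is the one posted above.

```python
"""Turn a ComboFix CFScript into an explicit action list before running it.

Added example for this thread; not ComboFix code and not an official grammar.
Models Folder::, File:: and Registry:: with the REGEDIT4 deletion forms:
"[-KEY]" deletes a key, '"name"=-' under a "[KEY]" header deletes a value.
Unmodelled directives come back as 'unknown'; paths hitting a drive root or
a core system folder come back as 'refused' (this example's own check).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The script posted above, verbatim.
CFSCRIPT = r"""Folder::
C:\Program Files\MediaEntertainmentCodec

File::
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\fvqkfsp.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB}]
[-HKEY_CLASSES_ROOT\clsid\{a6074ea4-01c7-40a1-82c3-fc683866ab03}]
[-HKEY_CLASSES_ROOT\elfwgps.ToolBar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{70E5B3D6-21AB-45C4-907E-10087E2C8213}]
[-HKEY_CLASSES_ROOT\elfwgps.ToolBar]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"=-
"aswmklt"=-
"""


@dataclass
class Action:
    kind: str                 # delete_folder | delete_file | delete_key | delete_value | refused | unknown
    target: str               # file system path or registry key
    value: str | None = None  # value name, only for delete_value
    line_no: int = 0


SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")        # absolute drive path only
DEL_KEY_RE = re.compile(r"^\[-(.+)\]$")          # [-KEY]  -> delete key
KEY_RE = re.compile(r"^\[(.+)\]$")               # [KEY]   -> values below refer to it
DEL_VALUE_RE = re.compile(r'^"(.*)"=-$')         # "name"=- -> delete value
PATH_SECTIONS = {"Folder": "delete_folder", "File": "delete_file"}
# Targets this example refuses to turn into a deletion, whatever the script says.
PROTECTED = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\program files",
             "c:\\documents and settings"}


def _path_action(section: str, line: str, n: int) -> Action:
    if not WIN_PATH_RE.match(line):
        return Action("unknown", line, line_no=n)
    if line.rstrip("\\").lower() in PROTECTED:
        return Action("refused", line, line_no=n)
    return Action(PATH_SECTIONS[section], line, line_no=n)


def parse_cfscript(text: str) -> list[Action]:
    actions: list[Action] = []
    section = None
    current_key = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section in PATH_SECTIONS:
            actions.append(_path_action(section, line, n))
        elif section == "Registry":
            if m := DEL_KEY_RE.match(line):          # must be tried before KEY_RE
                actions.append(Action("delete_key", m.group(1), line_no=n))
            elif m := KEY_RE.match(line):
                current_key = m.group(1)
            elif (m := DEL_VALUE_RE.match(line)) and current_key:
                actions.append(Action("delete_value", current_key, m.group(1), n))
            else:
                actions.append(Action("unknown", line, line_no=n))
        else:
            actions.append(Action("unknown", line, line_no=n))
    return actions


def summary(actions: list[Action]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_cfscript(CFSCRIPT):
        print(f"{a.line_no:3} {a.kind:13} {a.target}" + (f"  value={a.value}" if a.value else ""))
    print(summary(parse_cfscript(CFSCRIPT)))
```

For the script above this yields one folder deletion, two file deletions, six key deletions and two value deletions under the SSODL key, with nothing unrecognised; a value line that appears before any "[KEY]" header, or a directive block the parser does not model, is surfaced rather than silently dropped.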
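The AWF section of the ComboFix log shows the pattern the helper describes: for ccApp.exe, iTunesHelper.exe, QTTask.exe and VPTray.exe there is a copy in a bak folder next to the live file (QTTask.exe even has a bak\bak chain), and for Reader_sl.exe, DSAgnt.exe and others only the bak copy remains. The scan below is an added example for this thread, not FindAWF and not ComboFix code: it walks a directory tree, pairs each executable inside a bak chain with the same-named file in the folder that owns the chain, and hashes both sides so that a same-size pair such as QTTask.exe is not mistaken for an identical one. It also shows a restore step that keeps the replaced binary aside rather than deleting it. The sample tree is constructed here: names and sizes follow the AWF report above, file contents are filler, and the tool.exe pair is invented purely to exercise the identical-content case.

```python
"""Find executables the AWF downloader moved into 'bak' folders.

Added example for this thread; this is not FindAWF and not ComboFix code.
The trojan described above swaps an autorun executable for its own copy and
parks the original in a 'bak' subfolder beside it (sometimes bak\bak). This
scan pairs each file inside a bak chain with the same-named file in the
folder that owns the chain and hashes both sides. The sample tree is
constructed: names and sizes follow the AWF report, contents are filler.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

PE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


@dataclass
class Finding:
    backup: Path             # original the trojan moved into bak
    active: Path             # path the autorun entry still points at
    active_exists: bool
    backup_size: int
    active_size: int | None
    same_content: bool       # hashes equal, so nothing to restore


def _sha256(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _owner_of_bak_chain(d: Path) -> Path | None:
    """For X\bak or X\bak\bak return X; None if d is not a bak folder."""
    if d.name.lower() != "bak":
        return None
    while d.name.lower() == "bak":
        d = d.parent
    return d


def find_awf_pairs(root: Path) -> list[Finding]:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        owner = _owner_of_bak_chain(Path(dirpath))
        if owner is None:
            continue
        for name in files:
            backup = Path(dirpath) / name
            if backup.suffix.lower() not in PE_SUFFIXES:
                continue
            active = owner / name
            exists = active.is_file()
            findings.append(Finding(
                backup=backup, active=active, active_exists=exists,
                backup_size=backup.stat().st_size,
                active_size=active.stat().st_size if exists else None,
                same_content=exists and _sha256(active) == _sha256(backup)))
    return sorted(findings, key=lambda f: str(f.active))


def restore(f: Finding, dry_run: bool = True) -> str:
    """Move the backup back into place. The replaced binary is renamed to
    <name>.awf_quarantine rather than deleted so it can still be analysed."""
    if f.same_content:
        return "skip: identical content"
    plan = f"move {f.backup} -> {f.active}"
    if dry_run:
        return "dry-run: " + plan
    if f.active_exists:
        shutil.move(str(f.active), str(f.active) + ".awf_quarantine")
    shutil.move(str(f.backup), str(f.active))
    return "done: " + plan


def _filler(seed: str, size: int) -> bytes:
    return (seed.encode() * (size // len(seed) + 1))[:size]


def build_sample_tree(base: Path) -> Path:
    """Constructed layout; sizes as in the AWF report, contents invented."""
    layout = [
        ("Common Files/Symantec Shared/bak/ccApp.exe", 52896, "orig-ccapp"),
        ("Common Files/Symantec Shared/ccApp.exe", 52840, "trojan-ccapp"),
        ("QuickTime/bak/bak/QTTask.exe", 286720, "orig-qttask"),   # same size...
        ("QuickTime/QTTask.exe", 286720, "trojan-qttask"),         # ...different bytes
        ("Adobe/Reader 8.0/Reader/bak/Reader_sl.exe", 40048, "orig-reader_sl"),
        ("Example/bak/tool.exe", 1024, "same"),   # invented identical pair
        ("Example/tool.exe", 1024, "same"),
    ]
    for rel, size, seed in layout:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(_filler(seed, size))
    return base


def demo() -> list[Finding]:
    """Build the sample tree in a fresh temp dir and scan it."""
    return find_awf_pairs(build_sample_tree(Path(tempfile.mkdtemp(prefix="awf-"))))


if __name__ == "__main__":
    for f in demo():
        state = ("identical" if f.same_content
                 else "active missing" if not f.active_exists else "replaced")
        print(f"{f.active.name:14} backup={f.backup_size:>7} active={f.active_size} {state}")
        print("    " + restore(f))
```

Two points from the output matter in practice: a bak copy with no live counterpart (Reader_sl.exe here) means the autorun entry is dangling, which matches the "[ ]" shown for Adobe Reader Speed Launcher in the Reg Loading Points above, and the QTTask.exe pair differs despite identical sizes, so size alone is not a safe test. On a real machine, run the scan read-only first and only restore once the backup copies have been checked (signature, hash against a known-good install).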

#5 jd747747 (Topic Starter; Members, 20 posts)

Posted 30 January 2008 - 05:21 PM

Updated log:

ComboFix 08-01-30.6 - Jeff Dotson 2008-01-30 15:17:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2465 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff Dotson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff Dotson\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\fvqkfsp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\MediaEntertainmentCodec
C:\Program Files\MediaEntertainmentCodec\install.ico
C:\Program Files\MediaEntertainmentCodec\MediaEntertainmentCodec.ocx
C:\Program Files\MediaEntertainmentCodec\Uninstall.exe
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\fvqkfsp.exe

----- BITS: Possible infected sites -----

hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 08:46 . 2008-01-29 08:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 14:21 . 2008-01-28 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 08:03 . 2008-01-28 08:04 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-01-26 14:05 . 2008-01-26 14:05 <DIR> d-------- C:\Program Files\CCleaner
2008-01-26 14:03 . 2008-01-26 14:04 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-25 10:09 . 2008-01-25 10:09 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-24 11:58 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-24 11:44 . 2008-01-24 11:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-24 11:44 . 2008-01-24 11:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-24 11:32 . 2008-01-28 07:45 2,514 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-24 09:12 . 2008-01-24 09:12 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-24 09:12 . 2008-01-24 09:12 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-24 09:12 . 2008-01-24 09:12 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-24 09:12 . 2008-01-24 09:12 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-24 08:17 . 2008-01-24 08:17 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-01-14 09:44 . 2008-01-14 09:44 563,712 --a------ C:\Documents and Settings\Jeff Dotson\gotomypc_370.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 15:37 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-30 14:49 0 ----a-w C:\WINDOWS\system32\drivers\WFTDriverLog.txt
2008-01-28 18:19 --------- d-----w C:\Program Files\Cleaner 5 EZ
2008-01-24 16:12 --------- d-----w C:\Program Files\Symantec
2008-01-24 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-24 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 15:28 --------- d-----w C:\Program Files\DIGStream
2008-01-15 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 15:04 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-02 20:35 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-13 09:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 00:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 09:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 52,896 2006-07-20 01:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,840 2006-11-22 00:38:28 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 460,784 2007-03-15 17:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w 61,440 2006-02-15 06:31:26 C:\Program Files\Digidesign\Drivers\bak\MMERefresh.exe

----a-w 49,152 2005-09-24 06:08:54 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 267,064 2007-09-07 22:55:08 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-03 01:36:42 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-07-12 10:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 31,016 2006-10-27 06:47:42 C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe

----a-w 286,720 2007-06-29 12:24:52 C:\Program Files\QuickTime\bak\bak\QTTask.exe
----a-w 286,720 2007-10-20 03:16:26 C:\Program Files\QuickTime\QTTask.exe

----a-w 286,720 2007-06-29 12:24:52 C:\Program Files\QuickTime\bak\bak\QTTask.exe

----a-w 125,168 2006-09-28 02:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,632 2007-03-15 02:49:02 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 15,360 2004-08-10 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-31 17:54 7561216]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]

C:\Documents and Settings\Jeff Dotson\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2007-08-27 15:58:31 2367488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R3 Flamethrower;Flamethrower;C:\WINDOWS\system32\drivers\Flamethrower.sys [2006-08-09 20:12]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 22:10]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 22:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 02:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 15:18:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 15:18:38
ComboFix-quarantined-files.txt 2008-01-30 22:18:36
ComboFix2.txt 2008-01-30 15:43:45
.
2008-01-09 15:38:34 --- E O F ---

#6 jd747747 (Topic Starter, Members, 20 posts)

Posted 30 January 2008 - 05:27 PM

AWF log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 01/30/2008
The current time is: 15:23:33.14


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 10:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/07/2007 03:55 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

09/27/2006 07:33 PM 125,168 VPTray.exe
1 File(s) 125,168 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 03:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

07/19/2006 06:26 PM 52,896 ccApp.exe
1 File(s) 52,896 bytes

Directory of C:\PROGRA~1\DIGIDE~1\DRIVERS\BAK

02/14/2006 11:31 PM 61,440 MMERefresh.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

09/23/2005 11:08 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MICROS~4\OFFICE12\BAK

10/26/2006 11:47 PM 31,016 GrooveMonitor.exe
1 File(s) 31,016 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

06/29/2007 05:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe1191418726"
267064 Sep 7 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 28 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
116008 Nov 7 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\QTTask.exe"
125632 Mar 14 2007 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
52840 Nov 21 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
52896 Jul 19 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
61440 Feb 14 2006 "C:\Program Files\Digidesign\Drivers\bak\MMERefresh.exe"
49152 Sep 23 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
65824 Oct 26 2006 "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
31016 Oct 26 2006 "C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\QTTask.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
32881 Mar 4 2005 "C:\Program Files\Avid\Avid Xpress Pro\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

#7 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Gender: Male, Location: Pickerington, Ohio)

Posted 30 January 2008 - 05:38 PM

Copy the file paths in the quote below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

C:\Program Files\DellSupport\bak\DSAgnt.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\QuickTime\bak\bak\QTTask.exe
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
C:\WINDOWS\system32\bak\ctfmon.exe
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
C:\Program Files\Digidesign\Drivers\bak\MMERefresh.exe
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
C:\Program Files\QuickTime\bak\bak\QTTask.exe
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Edited by Buckeye_Sam, 30 January 2008 - 05:39 PM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 jd747747 (Topic Starter, Members, 20 posts)

Posted 30 January 2008 - 05:44 PM

Updated Log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 01/30/2008
The current time is: 15:42:02.18


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 10:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/07/2007 03:55 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

09/27/2006 07:33 PM 125,168 VPTray.exe
1 File(s) 125,168 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 03:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

07/19/2006 06:26 PM 52,896 ccApp.exe
1 File(s) 52,896 bytes

Directory of C:\PROGRA~1\DIGIDE~1\DRIVERS\BAK

02/14/2006 11:31 PM 61,440 MMERefresh.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

09/23/2005 11:08 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MICROS~4\OFFICE12\BAK

10/26/2006 11:47 PM 31,016 GrooveMonitor.exe
1 File(s) 31,016 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

06/29/2007 05:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe1191418726"
267064 Sep 7 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 28 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
116008 Nov 7 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\QTTask.exe"
125632 Mar 14 2007 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
52840 Nov 21 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
52896 Jul 19 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
61440 Feb 14 2006 "C:\Program Files\Digidesign\Drivers\bak\MMERefresh.exe"
49152 Sep 23 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Sep 23 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
65824 Oct 26 2006 "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
31016 Oct 26 2006 "C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\QTTask.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
32881 Mar 4 2005 "C:\Program Files\Avid\Avid Xpress Pro\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

#9 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Gender: Male, Location: Pickerington, Ohio)

Posted 30 January 2008 - 06:03 PM

Ok, let's do this manually.

Go to My Computer and browse to the following folder:
C:\Program Files\DellSupport\bak
Inside the BAK folder is a file named DSAgnt.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\DellSupport
Click the background with your mouse, choose Paste
Now you should have the DSAgnt.exe file in the C:\Program Files\DellSupport folder.
Now go ahead and delete the bak folder.


So all you are doing is putting the original file from the backup folder back where it should be in the original folder. Then you can delete the empty "bak" folder. If you're clear on that, then go ahead and perform those same steps with these files.

C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\QuickTime\bak\bak\QTTask.exe
C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Digidesign\Drivers\bak\MMERefresh.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe
C:\Program Files\QuickTime\bak\bak\QTTask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe



================


Once you've got that all done, follow this next step.

Download (right-click and select Save file as or Save link as): DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf

To use: Close all open browsers
Right-click DelDomains.inf and select: Install


================


Then let's get a new log and see how we did.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
========================================================
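The FindAWF option 2 run in post #7 and the manual cut-and-paste in post #9 both come down to one question per `bak` folder: is the original already back at its proper path, or does it still have to be moved? The parser below, an added example that is not FindAWF's or the helper's own code, reads the "Duplicate files of bak directory contents" section of the report and splits the bak entries into those two groups; the sample report is abridged from the post #8 log, and treating "same size and same date at the target path" as "already restored" is an assumption made here (a hash comparison on the live system would be the stronger check), not something FindAWF itself does.

```python
"""Sort the 'Duplicate files of bak directory contents' section of a FindAWF
report into bak-folder originals that are already back in place and ones that
still need the manual cut-and-paste from post #9.

Added example for this thread, not FindAWF's or the helper's own code. The
sample report is abridged from the post #8 log; the size-plus-date comparison
is an assumption made here, not something FindAWF does.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "size date path")

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

# Constructed sample: abridged from the FindAWF log in post #8 (after option 2).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
267064 Sep 7 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\QTTask.exe"
125632 Mar 14 2007 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
52840 Nov 21 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
52896 Jul 19 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
61440 Feb 14 2006 "C:\Program Files\Digidesign\Drivers\bak\MMERefresh.exe"
49152 Sep 23 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Sep 23 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
65824 Oct 26 2006 "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
31016 Oct 26 2006 "C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\QTTask.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"

end of report
"""


def parse_duplicates(report):
    """Return the Entry list from the 'Duplicate files' section of a report."""
    entries, in_section = [], False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
        elif line == "end of report":
            break
        elif in_section:
            m = LINE_RE.match(line)
            if m:
                size, date, path = m.groups()
                entries.append(Entry(int(size), " ".join(date.split()), path))
    return entries


def restore_target(path):
    r"""Where a file inside one or more nested 'bak' folders belongs: every
    trailing 'bak' component is dropped (QuickTime\bak\bak\QTTask.exe ->
    QuickTime\QTTask.exe). Returns None for a file that is not in a bak folder."""
    parts = path.split("\\")
    name = parts.pop()
    if not parts or parts[-1].lower() != "bak":
        return None
    while parts and parts[-1].lower() == "bak":
        parts.pop()
    return "\\".join(parts + [name])


def classify(entries):
    """Split bak-folder entries into (restored, pending) lists of
    (bak_path, restore_target) pairs. 'Restored' means the report also lists
    the target path with the same size and date (heuristic, not a hash check)."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e.path.lower(), e)  # the report repeats some lines
    restored, pending = [], []
    for e in by_path.values():
        target = restore_target(e.path)
        if target is None:
            continue  # unrelated same-name copies (other JREs, installer caches)
        have = by_path.get(target.lower())
        pair = (e.path, target)
        if have and have.size == e.size and have.date == e.date:
            restored.append(pair)
        else:
            pending.append(pair)
    return restored, pending


if __name__ == "__main__":
    done, todo = classify(parse_duplicates(SAMPLE_REPORT))
    for src, dst in done:
        print("back in place:", dst)
    for src, dst in todo:
        print("move by hand:", src, "->", dst)
```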

#10 jd747747 (Topic Starter, Members, 20 posts)

Posted 30 January 2008 - 06:25 PM

I tried to install DelDomains, but there was only a quick flash of the screen. Nothing happens after that.

#11 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Gender: Male, Location: Pickerington, Ohio)

Posted 30 January 2008 - 06:31 PM

Yes, that's all it does. You won't get a report, but we'll verify it worked with your next log.
========================================================

#12 jd747747 (Topic Starter, Members, 20 posts)

Posted 30 January 2008 - 06:33 PM

Thanks, here's the updated log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 01/30/2008
The current time is: 16:32:08.68


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#13 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Gender: Male, Location: Pickerington, Ohio)

Posted 30 January 2008 - 06:39 PM

Good, well done!

Please post a new HijackThis log and a new log from ComboFix.
========================================================

#14 jd747747 (Topic Starter, Members, 20 posts)

Posted 30 January 2008 - 06:40 PM

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:47 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csurams.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB} - (no file)
O3 - Toolbar: (no name) - {A6074EA4-01C7-40A1-82C3-FC683866AB03} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187903629968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187903428593
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acns.colostate.edu
O17 - HKLM\Software\..\Telephony: DomainName = acns.colostate.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{88BCC19C-E632-46AE-87C5-D7F33866B103}: NameServer = 129.82.103.78,129.82.103.79
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acns.colostate.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = acns.colostate.edu,colostate.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = acns.colostate.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = acns.colostate.edu,colostate.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = acns.colostate.edu,colostate.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O21 - SSODL: bqxomdo - {2279F962-FD1A-4205-8A18-AA9AAEE8C973} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {5C0F6727-4306-4031-A0B6-9B500C75CB77} - C:\WINDOWS\aswmklt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8238 bytes

#15 jd747747 (Topic Starter, Members, 20 posts)

Posted 30 January 2008 - 06:48 PM

ComboFix log:

ComboFix 08-01-30.6 - Jeff Dotson 2008-01-30 16:44:33.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2470 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff Dotson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 15:42 . 2004-08-10 03:00 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-30 15:42 . 2004-08-10 03:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-29 08:46 . 2008-01-29 08:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 14:21 . 2008-01-28 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 08:03 . 2008-01-28 08:04 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-01-26 14:05 . 2008-01-26 14:05 <DIR> d-------- C:\Program Files\CCleaner
2008-01-26 14:03 . 2008-01-26 14:04 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-25 10:09 . 2008-01-25 10:09 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-24 11:58 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-24 11:44 . 2008-01-24 11:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-24 11:44 . 2008-01-24 11:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-24 11:32 . 2008-01-28 07:45 2,514 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-24 09:12 . 2008-01-24 09:12 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-24 09:12 . 2008-01-24 09:12 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-24 09:12 . 2008-01-24 09:12 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-24 09:12 . 2008-01-24 09:12 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-24 08:17 . 2008-01-24 08:17 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-01-14 09:44 . 2008-01-14 09:44 563,712 --a------ C:\Documents and Settings\Jeff Dotson\gotomypc_370.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 23:16 --------- d-----w C:\Program Files\QuickTime
2008-01-30 23:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 23:10 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-30 23:07 --------- d-----w C:\Program Files\iTunes
2008-01-30 23:06 --------- d-----w C:\Program Files\DellSupport
2008-01-30 14:49 0 ----a-w C:\WINDOWS\system32\drivers\WFTDriverLog.txt
2008-01-28 18:19 --------- d-----w C:\Program Files\Cleaner 5 EZ
2008-01-24 16:12 --------- d-----w C:\Program Files\Symantec
2008-01-24 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 15:28 --------- d-----w C:\Program Files\DIGStream
2008-01-15 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 15:04 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-02 20:35 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-13 09:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 00:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-31 17:54 7561216]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]

C:\Documents and Settings\Jeff Dotson\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2007-08-27 15:58:31 2367488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"= {2279F962-FD1A-4205-8A18-AA9AAEE8C973} - C:\WINDOWS\bqxomdo.dll [ ]
"aswmklt"= {5C0F6727-4306-4031-A0B6-9B500C75CB77} - C:\WINDOWS\aswmklt.dll [ ]

R3 Flamethrower;Flamethrower;C:\WINDOWS\system32\drivers\Flamethrower.sys [2006-08-09 20:12]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 22:10]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 22:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 02:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 16:45:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 16:45:49
ComboFix-quarantined-files.txt 2008-01-30 23:45:47
ComboFix2.txt 2008-01-30 23:42:21
ComboFix3.txt 2008-01-30 22:18:39
ComboFix4.txt 2008-01-30 15:43:45
.
2008-01-09 15:38:34 --- E O F ---


Cannot get on the internet after running those reports!

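A triage helper for the "Reg Loading Points" block of the log above, added here as an example and not part of the original post or of ComboFix itself. It parses the pasted autostart entries and flags two things a practitioner would look at first: Run/ShellServiceObjectDelayLoad values whose trailing bracket is empty ("[ ]"), which I take to mean ComboFix found no file at the referenced path (an assumption about the log format; in this log only the two randomly named DLLs in C:\WINDOWS show it), and the AutoRun command cached under MountPoints2, which Explorer re-runs from the removable drive when it is reconnected. The sample text is an excerpt copied from the posted log; the regexes and the `Entry`/`triage` names are mine.

```python
"""Parse ComboFix 'Reg Loading Points' entries and flag the ones worth a second look.

Added example (not ComboFix code). Assumptions:
  * an empty trailing "[ ]" means ComboFix could not stat the referenced file;
  * a "\\Shell\\AutoRun\\command" line under MountPoints2 is a cached AutoRun
    command for a removable/optical drive.
"""
import re
from dataclasses import dataclass

# Excerpt of the log posted above (copied from the post, not constructed).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-31 17:54 7561216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"= {2279F962-FD1A-4205-8A18-AA9AAEE8C973} - C:\WINDOWS\bqxomdo.dll [ ]
"aswmklt"= {5C0F6727-4306-4031-A0B6-9B500C75CB77} - C:\WINDOWS\aswmklt.dll [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "Name"="C:\path\file.exe" [date time size]   or   "Name"= {CLSID} - C:\path\file.dll [ ]
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r'(?:"(?P<path>[^"]*)"|\{(?P<clsid>[^}]+)\}\s*-\s*(?P<dllpath>.*?))'
    r'\s*\[(?P<info>[^\]]*)\]\s*$'
)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")


@dataclass
class Entry:
    section: str
    kind: str        # "value" for a registry value line, "autorun" for a MountPoints2 command
    name: str
    path: str
    file_info: str   # contents of the trailing [...] bracket, stripped ("" when ComboFix found no file)


def parse_loading_points(text):
    """Walk the log text and return one Entry per autostart line under a [HKEY_...] header."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            path = m.group("path") if m.group("path") is not None else m.group("dllpath")
            entries.append(Entry(section, "value", m.group("name"), path.strip(), m.group("info").strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append(Entry(section, "autorun", "AutoRun", m.group("cmd").strip(), ""))
    return entries


def triage(entries):
    """Return (name, path, reason) for entries matching the two heuristics described above."""
    findings = []
    for e in entries:
        if e.kind == "value" and e.file_info == "":
            reason = "empty [ ] file info: referenced file not found"
            if e.section.lower().endswith("shellserviceobjectdelayload"):
                reason += " (ShellServiceObjectDelayLoad entry, loaded into Explorer at logon)"
            findings.append((e.name, e.path, reason))
        elif e.kind == "autorun" and "mountpoints2" in e.section.lower():
            findings.append((e.name, e.path, "cached AutoRun command for a removable drive"))
    return findings


if __name__ == "__main__":
    for name, path, reason in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{name:12} {path:40} {reason}")
```

Run it on a full ComboFix log by replacing `SAMPLE_LOG` with the file contents; entries that carry a date and size in the bracket are left alone, so the output is only the lines that need a human decision.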



