Infected With Rootkit, Smitfraud, Core.cache.dsk


  • This topic is locked
15 replies to this topic

#1 midimad

  • Members
  • 15 posts
  • Gender:Male
  • Location:Iberia

Posted 31 January 2008 - 07:01 PM

The system generates 1 or 2 URLs such as http://url.adtrgt.com/cpv....etc (Ident as /NNC.MGRS) or HTTP://multi-pops.com (Ident as /Smitfraud-C.CoreService) and opens IE. The URLs are detected by the Spybot IE Helper. If I leave them, they sit there. If I deny them, more appear.

PC Tools SpyWare detector finds rootkit agents and a rootkit with the file name core.cache.dsk, but says it is only partially able to remove the problem, and it reappears. Spybot finds the same and calls it Smitfraud; it says it has solved the problem, but it does not. I have done all the things in your pre-reporting checklist.

I have tried using ComboFix, cleaned all using ATF-Cleaner, run CCleaner, tried SpywareBlaster and SUPERAntiSpyware, and killed the file with Killbox (delete on restart option). I have also searched my running processes with TUT. All to no avail.

So... over to you. I hope you can help. Here is the Hijack.

Many thanks,

J

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:38:54, on 31/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\DigitalPersona\Bin\DPWinLct.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program Files\DigitalPersona\Bin\DpHost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Spyware Doctor\svcntaux.exe
H:\Program Files\Spyware Doctor\swdsvc.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
H:\WINDOWS\System32\alg.exe
H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\DigitalPersona\Bin\DPAgnt.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Spyware Doctor\SDTrayApp.exe
H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\WINDOWS\system32\ctfmon.exe
H:\PROGRA~1\MICROS~3\wcescomm.exe
H:\Program Files\sMaRTcaPs\SmartCaps.exe
H:\PROGRA~1\MICROS~3\rapimgr.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Windows Live\Messenger\usnsvc.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Pando Networks\Pando\pando.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
H:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - H:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B101B3C-174E-4C22-85C9-0745225E477A} - (no file)
O2 - BHO: (no name) - {30DD19F5-40BB-472B-B729-5768C08625EE} - (no file)
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - H:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54A1DC65-4DFF-4149-83D2-65D4929BCDD7} - (no file)
O2 - BHO: (no name) - {5A9109BB-1B2E-4F0C-A1DF-614A5C8884C0} - (no file)
O2 - BHO: (no name) - {73F24B2F-4F7A-4BC2-A685-0333C49D1042} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BEB2FF7-E19C-4523-BE02-68045A05D2B3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - H:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: (no name) - {F1FF5184-699C-4007-B17C-E2F26D21334F} - (no file)
O2 - BHO: (no name) - {FE4A4552-D59A-41C2-8DFA-024A6091ECAD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - H:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [D-Link AirPlus G] H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DPAgnt] H:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] H:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] H:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "H:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "H:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - Startup: sMaRTcaPs.lnk = H:\Program Files\sMaRTcaPs\SmartCaps.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://H:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191855750421
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcdcdd - H:\WINDOWS\
O20 - Winlogon Notify: DPWLN - H:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - H:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - H:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - H:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 10125 bytes
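The HijackThis log above is the raw material a helper triages by eye: O2 entries whose DLL is "(no file)", O4 Run values that launch a bare executable name, and the O20 Winlogon Notify entry "ddcdcdd" that points at a directory rather than a DLL. The script below is an added example written for this page; it is not part of the thread, HijackThis or BleepingComputer. It parses those three line types, applies the checks a reviewer would apply by hand, and reports findings. The sample lines are constructed to mirror the shape of the posted log, and the severity labels and the heuristics behind them are my assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HijackThis code)."""
import re
from typing import Dict, List

# Constructed sample in HijackThis v2 line format; the entries mirror the
# shape of the log posted above (same section codes, CLSIDs and paths).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B101B3C-174E-4C22-85C9-0745225E477A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {30DD19F5-40BB-472B-B729-5768C08625EE} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcdcdd - H:\WINDOWS\
O20 - Winlogon Notify: DPWLN - H:\WINDOWS\system32\DPWLEvHd.dll
"""

# Line grammars for the three HijackThis sections this example understands.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str) -> Dict[str, str]:
    """Classify one HijackThis line; returns {} when nothing is worth flagging."""
    m = BHO_RE.match(line)
    if m:
        # A CLSID still registered under Browser Helper Objects with no DLL on disk.
        if m.group("path").strip().lower() == "(no file)":
            return {"severity": "low", "line": line,
                    "reason": "BHO %s is registered but its DLL is missing (orphaned entry)"
                    % m.group("clsid")}
        return {}
    m = RUN_RE.match(line)
    if m:
        # A bare file name is resolved through the PATH search order, so the
        # log alone does not tell you which file actually runs.
        exe = executable_of(m.group("cmd"))
        if "\\" not in exe and ":" not in exe:
            return {"severity": "medium", "line": line,
                    "reason": "Run value [%s] launches %r by bare name; verify the file it resolves to"
                    % (m.group("name"), exe)}
        return {}
    m = NOTIFY_RE.match(line)
    if m:
        # Winlogon Notify packages load a DLL; a target that is not a DLL means the
        # DLL is gone or its name is being hidden, and either way needs review.
        if not m.group("path").strip().lower().endswith(".dll"):
            return {"severity": "high", "line": line,
                    "reason": "Winlogon Notify package %r points at %r, which is not a DLL"
                    % (m.group("name"), m.group("path").strip())}
        return {}
    return {}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run triage_line over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            finding = triage_line(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"].upper(), "-", f["reason"])
```

Run against the sample it reports two orphaned BHOs, the bare-name KHALMNPR.EXE Run value, and the ddcdcdd notify entry. The point of the O20 check is that it does not try to judge the package name; it only asks whether the registered target is something Winlogon could load, which is the same question the helpers in this thread ask when they see that line.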


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 January 2008 - 10:18 PM

Hello midimad,

Welcome to Bleeping Computer :thumbsup:

Please delete the ComboFix you have now, and its accompanying folder C:\Qoobox. Then grab a fresh copy:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 midimad

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Iberia

Posted 01 February 2008 - 04:05 AM

Hi Teacup, thanks for the response. Here is the ComboFix log, followed by the HJT log.

ComboFix 08-02.01.5 - jj 2008-02-01 8:48:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.430 [GMT 0:00]
Running from: H:\Documents and Settings\jj\Desktop\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
H:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
H:\WINDOWS\system32\agtywnys.ini
H:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
H:\WINDOWS\system32\itkmaopl.ini
H:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 00:17 . 2007-01-18 12:00 3,968 --a------ H:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-31 22:16 . 2008-01-31 22:21 3,894 --a------ H:\WINDOWS\system32\tmp.reg
2008-01-31 11:41 . 2008-02-01 08:54 54,156 --ah----- H:\WINDOWS\QTFont.qfn
2008-01-31 11:41 . 2008-01-31 11:41 1,409 --a------ H:\WINDOWS\QTFont.for
2008-01-31 10:05 . 2008-01-31 10:05 <DIR> d-------- H:\Program Files\ToniArts
2008-01-31 10:03 . 2008-01-31 10:03 <DIR> d-------- H:\Program Files\FastStone Capture
2008-01-29 15:00 . 2008-01-29 15:00 167,545 --a------ H:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-29 14:42 . 2008-01-29 14:42 552 --a------ H:\WINDOWS\system32\d3d8caps.dat
2008-01-29 12:41 . 2008-01-29 12:42 1,216,345 --a------ H:\SDFix.exe
2008-01-29 01:41 . 2008-01-29 01:41 <DIR> d-------- H:\Program Files\CCleaner
2008-01-25 09:18 . 2008-01-25 09:18 <DIR> d-------- H:\WINDOWS\ERUNT
2008-01-25 08:37 . 2008-01-29 02:05 <DIR> d-------- H:\Program Files\SUPERAntiSpyware
2008-01-25 08:37 . 2008-01-25 08:37 <DIR> d-------- H:\Documents and Settings\jj\Application Data\SUPERAntiSpyware.com
2008-01-25 08:37 . 2008-01-25 08:37 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-24 10:47 . 2008-01-24 10:47 <DIR> d-------- H:\Program Files\PandoBar
2008-01-24 10:47 . 2008-01-24 10:47 <DIR> d-------- H:\Program Files\Pando Networks
2008-01-22 00:19 . 2008-02-01 08:51 <DIR> d-------- H:\Documents and Settings\jj\Application Data\SiteAdvisor
2008-01-22 00:19 . 2008-01-22 00:19 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-21 23:59 . 2008-01-24 12:37 <DIR> d-------- H:\Program Files\SpywareBlaster
2008-01-21 23:59 . 2005-08-25 18:19 115,920 --a------ H:\WINDOWS\system32\MSINET.OCX
2008-01-21 22:04 . 2008-01-31 11:33 292 --a------ H:\WINDOWS\wininit.ini
2008-01-20 18:02 . 2008-01-20 18:02 <DIR> d--h----- H:\WINDOWS\PIF
2008-01-20 17:08 . 2008-01-20 17:08 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Avg7
2008-01-20 15:28 . 2008-01-20 15:28 86,144 --a------ H:\WINDOWS\system32\drivers\tdpipee.sys
2008-01-20 12:42 . 2008-01-20 13:04 <DIR> d-------- H:\bm2000
2008-01-20 12:42 . 2008-01-20 12:42 209,920 --a------ H:\WINDOWS\iun3401.exe
2008-01-19 10:30 . 2008-01-19 09:00 102,664 --a------ H:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-18 18:03 . 2008-01-18 18:14 <DIR> d-------- H:\Documents and Settings\jj\.SunDownloadManager
2008-01-18 11:08 . 2008-01-31 10:03 <DIR> d-------- H:\Documents and Settings\jj\.housecall6.6
2008-01-16 10:27 . 2008-01-16 10:27 0 --a------ H:\WINDOWS\hpqEmlSz.INI
2008-01-14 15:32 . 2008-01-14 15:32 <DIR> d-------- H:\Documents and Settings\jands\Application Data\Grisoft
2008-01-14 15:31 . 2004-08-04 07:56 221,184 --a------ H:\WINDOWS\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 08:53 --------- d---a-w H:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 10:05 --------- d--h--w H:\Program Files\InstallShield Installation Information
2008-01-31 09:30 --------- d-----w H:\Program Files\Spyware Doctor
2008-01-25 12:40 74,240 ----a-w H:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-25 12:40 56,832 ----a-w H:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-25 08:37 --------- d-----w H:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 17:57 --------- d-----w H:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 17:08 --------- d-----w H:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 15:47 --------- d-----w H:\Documents and Settings\jj\Application Data\uTorrent
2008-01-18 18:20 --------- d-----w H:\Program Files\Java
2008-01-16 10:42 --------- d-----w H:\Program Files\Norton Security Scan
2007-12-19 10:33 --------- d-----w H:\Program Files\Common Files\Symantec Shared
2007-12-17 13:51 --------- d-----w H:\Program Files\HP
2007-12-16 22:15 --------- d-----w H:\Documents and Settings\jj\Application Data\Grisoft
2007-12-16 12:29 --------- d-----w H:\Program Files\Common Files\eSellerate
2007-12-16 12:29 --------- d-----w H:\Program Files\AnswersThatWork
2007-12-16 11:45 --------- d-----w H:\Program Files\Microsoft ActiveSync
2007-12-15 18:26 --------- d-----w H:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-15 13:15 --------- d-----w H:\Program Files\Trend Micro
2007-12-14 22:21 --------- d-----w H:\Documents and Settings\All Users\Application Data\McAfee
2007-12-14 16:46 --------- d-----w H:\Program Files\Lavasoft
2007-12-14 11:08 --------- d-----w H:\Documents and Settings\All Users\Application Data\LogiShrd
2007-12-14 11:07 0 ---ha-w H:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-14 11:07 0 ---ha-w H:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-12-14 11:07 --------- d-----w H:\Documents and Settings\jj\Application Data\Logitech
2007-12-14 11:06 --------- d-----w H:\Program Files\Common Files\Logishrd
2007-12-14 11:05 --------- d-----w H:\Program Files\Logitech
2007-12-14 11:05 --------- d-----w H:\Documents and Settings\jj\Application Data\InstallShield
2007-12-14 11:05 --------- d-----w H:\Documents and Settings\All Users\Application Data\Logitech
2007-12-14 09:51 --------- d-----w H:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-13 23:53 --------- d-----w H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 18:49 --------- d-----w H:\Documents and Settings\jj\Application Data\InstallShield Installation Information
2007-12-13 18:35 --------- d-----w H:\Program Files\Unreal Tournament 3
2007-12-13 18:35 --------- d-----w H:\Program Files\AGEIA Technologies
2007-12-13 18:04 --------- d-----w H:\Program Files\SystemRequirementsLab
2007-12-13 18:04 --------- d-----w H:\Documents and Settings\jj\Application Data\SystemRequirementsLab
2007-12-13 17:51 --------- d-----w H:\Program Files\Common Files\Java
2007-12-11 12:00 --------- d-----w H:\Program Files\OUP
2007-11-20 23:49 14,336 ----a-w H:\Program Files\wmdmhelper.dll
2007-11-20 23:48 98,304 ----a-w H:\Program Files\rpshellextension.dll
2007-11-20 23:48 95,816 ----a-w H:\Program Files\rdsf3260.dll
2007-11-20 23:48 94,208 ----a-w H:\Program Files\rpbrowserrecordupdate.dll
2007-11-20 23:48 9,216 ----a-w H:\Program Files\rphelperapp.exe
2007-11-20 23:48 86,016 ----a-w H:\Program Files\rpplugprot.dll
2007-11-20 23:48 81,920 ----a-w H:\Program Files\tsasdk.dll
2007-11-20 23:48 719,360 ----a-w H:\Program Files\dbghelp.dll
2007-11-20 23:48 7,168 ----a-w H:\Program Files\realjbox.exe
2007-11-20 23:48 692,224 ----a-w H:\Program Files\dtdr3260.dll
2007-11-20 23:48 685 ----a-w H:\Program Files\RecordingManager.exe.manifest
2007-11-20 23:48 682 ----a-w H:\Program Files\realplay.exe.manifest
2007-11-20 23:48 655,360 ----a-w H:\Program Files\rjbres.dll
2007-11-20 23:48 65,536 ----a-w H:\Program Files\rjwmapln.dll
2007-11-20 23:48 645,992 ----a-w H:\Program Files\normal.vs
2007-11-20 23:48 63,040 ----a-w H:\Program Files\rpshell.dll
2007-11-20 23:48 61,495 ----a-w H:\Program Files\ssimages.vs
2007-11-20 23:48 6,656 ----a-w H:\Program Files\fixrjb.exe
2007-11-20 23:48 57,762 ----a-w H:\Program Files\howto.chm
2007-11-20 23:48 57,344 ----a-w H:\Program Files\tpasdk.dll
2007-11-20 23:48 568 ----a-w H:\Program Files\fpsectbl
2007-11-20 23:48 53,248 ----a-w H:\Program Files\rpau3260.dll
2007-11-20 23:48 53,098 ----a-w H:\Program Files\presets.rnx
2007-11-20 23:48 52,609 ----a-w H:\Program Files\RealNetworks License.html
2007-11-20 23:48 52,609 ----a-w H:\Program Files\playrlic.html
2007-11-20 23:48 50,548 ----a-w H:\Program Files\RealNetworks License.txt
2007-11-20 23:48 50,548 ----a-w H:\Program Files\playrlic.txt
2007-11-20 23:48 50 ----a-w H:\Program Files\strs23.dat
2007-11-20 23:48 480 ----a-w H:\Program Files\keys.dat
2007-11-20 23:48 43,088 ----a-w H:\Program Files\rpshellsearch.dll
2007-11-20 23:48 41,472 ----a-w H:\Program Files\mmcdda32.dll
2007-11-20 23:48 40,154 ----a-w H:\Program Files\realplay.chm
2007-11-20 23:48 370,296 ----a-w H:\Program Files\rpbrowserrecordplugin.dll
2007-11-20 23:48 36,352 ----a-w H:\Program Files\ierjplug.dll
2007-11-20 23:48 339,968 ----a-w H:\Program Files\rjdlg.dll
2007-11-20 23:48 32,768 ----a-w H:\Program Files\rpwa3260.dll
2007-11-20 23:48 23,558 ----a-w H:\Program Files\freeoffers.ico
2007-11-20 23:48 221 ----a-w H:\Program Files\subscription.rnx
2007-11-20 23:48 214,560 ----a-w H:\Program Files\realplay.exe
2007-11-20 23:48 2,851 ----a-w H:\Program Files\cdroms.cfg
2007-11-20 23:48 19,456 ----a-w H:\Program Files\tnetdtct.dll
2007-11-20 23:48 19,456 ----a-w H:\Program Files\rjprog.dll
2007-11-20 23:48 177 ----a-w H:\Program Files\freeoffers.rnx
2007-11-20 23:48 17,846 ----a-w H:\Program Files\videotest.rm
2007-11-20 23:48 16,296 ----a-w H:\Program Files\realtfon.fon
2007-11-20 23:48 153,176 ----a-w H:\Program Files\RecordingManager.exe
2007-11-20 23:48 139,264 ----a-w H:\Program Files\DUNZIP32.dll
2007-11-20 23:48 13 ----a-w H:\Program Files\strs26.dat
2007-11-20 23:48 119,808 ----a-w H:\Program Files\waiting.avi
2007-11-20 23:48 11,444 ----a-w H:\Program Files\frw.bmp
2007-11-20 23:48 102,400 ----a-w H:\Program Files\HXAudioDeviceHook.dll
2007-11-20 23:48 1,209 ----a-w H:\Program Files\flvplay.swf
2007-11-20 23:48 1,030 ----a-w H:\Program Files\autoplaylist.dat
2007-11-20 23:48 1,026 ----a-w H:\Program Files\browserrecord.swf
2005-05-11 22:36 12,288 ----a-w H:\WINDOWS\Fonts\RandFont.dll
2007-06-13 10:23 770,048 --sh--r H:\WINDOWS\system32\mxvnrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B101B3C-174E-4C22-85C9-0745225E477A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30DD19F5-40BB-472B-B729-5768C08625EE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54A1DC65-4DFF-4149-83D2-65D4929BCDD7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A9109BB-1B2E-4F0C-A1DF-614A5C8884C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73F24B2F-4F7A-4BC2-A685-0333C49D1042}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BEB2FF7-E19C-4523-BE02-68045A05D2B3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1FF5184-699C-4007-B17C-E2F26D21334F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE4A4552-D59A-41C2-8DFA-024A6091ECAD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= H:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL [2008-01-24 10:47 266240]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="H:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"Creative WebCam Tray"="H:\Program Files\Creative\Shared Files\CamTray.exe" [2005-03-29 06:13 258048]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"H/PC Connection Agent"="H:\PROGRA~1\MICROS~3\wcescomm.exe" [2005-11-15 18:44 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="H:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-03-15 12:43 1933312]
"ANIWZCS2Service"="H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2003-08-21 15:11 32768]
"NvCplDaemon"="H:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 H:\WINDOWS\system32\nwiz.exe]
"Windows Defender"="H:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"DPAgnt"="H:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 17:24 913408]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 H:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"HPDJ Taskbar Utility"="H:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 07:19 172032]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 07:34 16143872 H:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="H:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"NeroFilterCheck"="H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"FLMOFFICE4DMOUSE"="H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe" [2007-10-25 00:25 370176]
"QuickTime Task"="H:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="H:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"NvMediaCenter"="H:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"SDTray"="H:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-01-25 12:11 1065800]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 10:43 69632 H:\WINDOWS\Alcmtr.exe]

H:\Documents and Settings\jj\Start Menu\Programs\Startup\
sMaRTcaPs.lnk - H:\Program Files\sMaRTcaPs\SmartCaps.exe [2007-11-18 23:39:50 135168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= H:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
H:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 H:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdcdd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
H:\WINDOWS\system32\DPWLEvHd.dll 2004-10-13 17:29 102400 H:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 h:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

R1 tdpipee;tdpipee;H:\WINDOWS\system32\drivers\tdpipee.sys [2008-01-20 15:28]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;H:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 15:58]
R3 UsbdpFP;Fingerprint Reader Class Driver;H:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 15:59]
R3 V0080Dev;Creative Camera VF0080 Driver;H:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 07:11]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-10 16:06:03 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- H:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-01 08:56:28 H:\WINDOWS\Tasks\MP Scheduled Scan.job"
- H:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 08:54:09
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: H:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> H:\Program Files\DigitalPersona\Bin\DpOFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
H:\Program Files\Windows Defender\MsMpEng.exe
H:\Program Files\DigitalPersona\Bin\DPWinLct.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program Files\DigitalPersona\Bin\DpHost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Spyware Doctor\svcntaux.exe
H:\Program Files\Spyware Doctor\swdsvc.exe
H:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
H:\Program Files\Spyware Doctor\SDTrayApp.exe
H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\DigitalPersona\Bin\DPAgnt.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\Creative\Shared Files\CamTray.exe
H:\PROGRA~1\MICROS~3\wcescomm.exe
H:\Program Files\sMaRTcaPs\SmartCaps.exe
H:\PROGRA~1\MICROS~3\rapimgr.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-01 8:57:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 08:57:32
ComboFix2.txt 2008-01-29 14:05:39
.
2008-01-25 08:28:23 --- E O F ---

*******************************************************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:02:15, on 01/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\DigitalPersona\Bin\DPWinLct.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program Files\DigitalPersona\Bin\DpHost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Spyware Doctor\svcntaux.exe
H:\Program Files\Spyware Doctor\swdsvc.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\System32\alg.exe
H:\Program Files\Spyware Doctor\SDTrayApp.exe
H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\DigitalPersona\Bin\DPAgnt.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\Creative\Shared Files\CamTray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\PROGRA~1\MICROS~3\wcescomm.exe
H:\Program Files\sMaRTcaPs\SmartCaps.exe
H:\PROGRA~1\MICROS~3\rapimgr.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Windows Live\Messenger\usnsvc.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Pando Networks\Pando\pando.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
H:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - H:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B101B3C-174E-4C22-85C9-0745225E477A} - (no file)
O2 - BHO: (no name) - {30DD19F5-40BB-472B-B729-5768C08625EE} - (no file)
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - H:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54A1DC65-4DFF-4149-83D2-65D4929BCDD7} - (no file)
O2 - BHO: (no name) - {5A9109BB-1B2E-4F0C-A1DF-614A5C8884C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BEB2FF7-E19C-4523-BE02-68045A05D2B3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - H:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: (no name) - {F1FF5184-699C-4007-B17C-E2F26D21334F} - (no file)
O2 - BHO: (no name) - {FE4A4552-D59A-41C2-8DFA-024A6091ECAD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - H:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [D-Link AirPlus G] H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DPAgnt] H:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] H:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] H:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "H:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "H:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - Startup: sMaRTcaPs.lnk = H:\Program Files\sMaRTcaPs\SmartCaps.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://H:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191855750421
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcdcdd - H:\WINDOWS\
O20 - Winlogon Notify: DPWLN - H:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - H:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - H:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - H:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 10047 bytes

Looking forward to your thoughts. :thumbsup:

Midimad

#4 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 01 February 2008 - 01:21 PM

Hello,

Here we go...........

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {0B101B3C-174E-4C22-85C9-0745225E477A} - (no file)
O2 - BHO: (no name) - {30DD19F5-40BB-472B-B729-5768C08625EE} - (no file)
O2 - BHO: (no name) - {54A1DC65-4DFF-4149-83D2-65D4929BCDD7} - (no file)
O2 - BHO: (no name) - {5A9109BB-1B2E-4F0C-A1DF-614A5C8884C0} - (no file)
O2 - BHO: (no name) - {7BEB2FF7-E19C-4523-BE02-68045A05D2B3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F1FF5184-699C-4007-B17C-E2F26D21334F} - (no file)
O2 - BHO: (no name) - {FE4A4552-D59A-41C2-8DFA-024A6091ECAD} - (no file)
O20 - Winlogon Notify: ddcdcdd - H:\WINDOWS\


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
H:\WINDOWS\system32\drivers\core.cache.dsk
H:\WINDOWS\system32\drivers\tdpipee.sys

Driver::
tdpipee

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B101B3C-174E-4C22-85C9-0745225E477A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30DD19F5-40BB-472B-B729-5768C08625EE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54A1DC65-4DFF-4149-83D2-65D4929BCDD7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A9109BB-1B2E-4F0C-A1DF-614A5C8884C0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73F24B2F-4F7A-4BC2-A685-0333C49D1042}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BEB2FF7-E19C-4523-BE02-68045A05D2B3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1FF5184-699C-4007-B17C-E2F26D21334F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE4A4552-D59A-41C2-8DFA-024A6091ECAD}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdcdd]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (if it asks for one), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

How is it running now please?

Thanks,
tea
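The fix above maps two kinds of HijackThis lines onto CFScript deletions: O2 BHO registrations whose DLL is reported as "(no file)", and an O20 Winlogon Notify entry whose value is a bare directory rather than a DLL. The Python below is an added example, not part of the thread and not code from HijackThis or ComboFix. It parses the O2 and O20 lines quoted from the log, flags those two patterns, and prints the Registry:: section the helper wrote by hand. The regular expressions, function names and the sample block (copied from the log above) are mine; the "~" shorthand for the Browser Helper Objects key and the "[-key]" deletion syntax are taken from the helper's script as posted.

```python
"""Added example (not from the thread): derive the 'Registry::' section of a
ComboFix CFScript from HijackThis O2/O20 lines.

Two conditions are flagged:
  * O2 lines ending in '(no file)': the CLSID is still registered under
    Browser Helper Objects, but the DLL it points at does not exist.
  * O20 lines whose value is not a .dll: winlogon.exe loads each Notify
    package into its own process at logon, so a subkey that names a bare
    directory is not a legitimate notification package.
"""
import re

# Constructed sample: the O2/O20 lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B101B3C-174E-4C22-85C9-0745225E477A} - (no file)
O2 - BHO: (no name) - {30DD19F5-40BB-472B-B729-5768C08625EE} - (no file)
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcdcdd - H:\WINDOWS\
O20 - Winlogon Notify: DPWLN - H:\WINDOWS\system32\DPWLEvHd.dll
"""

# Line shapes as HijackThis 2.0.2 prints them (assumed from the log above).
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# '~' is the ComboFix shorthand used in the helper's script on this page.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def parse_hjt(text):
    """Return one dict per O2/O20 line; every other section is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", **m.groupdict()})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"kind": "O20", **m.groupdict()})
    return entries


def flag_entries(entries):
    """Pair each suspicious entry with the reason it was flagged."""
    flagged = []
    for e in entries:
        if e["kind"] == "O2" and e["path"] == "(no file)":
            # Orphaned registration: IE will still try to CoCreate this CLSID.
            flagged.append(("orphan_bho", e))
        elif e["kind"] == "O20" and not e["path"].lower().endswith(".dll"):
            # Notify packages are DLLs; anything else here deserves removal.
            flagged.append(("notify_no_dll", e))
    return flagged


def build_cfscript(flagged):
    """Emit the 'Registry::' section: one '[-key]' deletion per flagged entry."""
    lines = ["Registry::"]
    for reason, e in flagged:
        if reason == "orphan_bho":
            lines.append(f"[-{BHO_KEY}\\{e['clsid']}]")
        elif reason == "notify_no_dll":
            lines.append(f"[-{NOTIFY_KEY}\\{e['key']}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(flag_entries(parse_hjt(SAMPLE_LOG))))
```

Running it prints the three "[-...]" lines that appear in the helper's script for the orphaned CLSIDs and the ddcdcdd Notify key, and nothing for the SUPERAntiSpyware and DigitalPersona entries, which name real DLLs. The O20 check is deliberately strict: because winlogon.exe loads Notify DLLs at logon with its own privileges, a Notify subkey is a persistence point worth treating as hostile unless the value resolves to a known DLL.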

#5 midimad (Topic Starter)

Posted 01 February 2008 - 03:01 PM

Hi Tea, done as requested.
No pop-ups, but Spybot S&D is intercepting registry changes with alphanumeric strings every time I open IE.

Sounds worrying......

Logs below. Thanks for the prompt response :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:52:37, on 01/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\DigitalPersona\Bin\DPWinLct.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program Files\DigitalPersona\Bin\DpHost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Spyware Doctor\svcntaux.exe
H:\Program Files\Spyware Doctor\swdsvc.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
H:\WINDOWS\System32\alg.exe
H:\Program Files\Spyware Doctor\SDTrayApp.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\DigitalPersona\Bin\DPAgnt.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\Creative\Shared Files\CamTray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\PROGRA~1\MICROS~3\wcescomm.exe
H:\Program Files\sMaRTcaPs\SmartCaps.exe
H:\PROGRA~1\MICROS~3\rapimgr.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Windows Live\Messenger\usnsvc.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
H:\Program Files\Pando Networks\Pando\pando.exe
H:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
H:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - H:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - H:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - H:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - H:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [D-Link AirPlus G] H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DPAgnt] H:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] H:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] H:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "H:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "H:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - Startup: sMaRTcaPs.lnk = H:\Program Files\sMaRTcaPs\SmartCaps.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://H:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191855750421
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - H:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - H:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - H:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - H:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 9342 bytes


+++++++++++++++++++++++++++++++++++++++++++++++

ComboFix 08-02.01.5 - jj 2008-02-01 19:55:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.371 [GMT 0:00]
Running from: H:\Documents and Settings\jj\Desktop\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 00:17 . 2007-01-18 12:00 3,968 --a------ H:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-31 22:16 . 2008-01-31 22:21 3,894 --a------ H:\WINDOWS\system32\tmp.reg
2008-01-31 11:41 . 2008-02-01 19:05 54,156 --ah----- H:\WINDOWS\QTFont.qfn
2008-01-31 11:41 . 2008-01-31 11:41 1,409 --a------ H:\WINDOWS\QTFont.for
2008-01-31 10:05 . 2008-01-31 10:05 <DIR> d-------- H:\Program Files\ToniArts
2008-01-31 10:03 . 2008-01-31 10:03 <DIR> d-------- H:\Program Files\FastStone Capture
2008-01-29 14:42 . 2008-01-29 14:42 552 --a------ H:\WINDOWS\system32\d3d8caps.dat
2008-01-29 12:41 . 2008-01-29 12:42 1,216,345 --a------ H:\SDFix.exe
2008-01-29 01:41 . 2008-01-29 01:41 <DIR> d-------- H:\Program Files\CCleaner
2008-01-25 09:18 . 2008-01-25 09:18 <DIR> d-------- H:\WINDOWS\ERUNT
2008-01-25 08:37 . 2008-01-29 02:05 <DIR> d-------- H:\Program Files\SUPERAntiSpyware
2008-01-25 08:37 . 2008-01-25 08:37 <DIR> d-------- H:\Documents and Settings\jj\Application Data\SUPERAntiSpyware.com
2008-01-25 08:37 . 2008-01-25 08:37 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-24 10:47 . 2008-01-24 10:47 <DIR> d-------- H:\Program Files\PandoBar
2008-01-24 10:47 . 2008-01-24 10:47 <DIR> d-------- H:\Program Files\Pando Networks
2008-01-22 00:19 . 2008-02-01 19:47 <DIR> d-------- H:\Documents and Settings\jj\Application Data\SiteAdvisor
2008-01-22 00:19 . 2008-01-22 00:19 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-21 23:59 . 2008-01-24 12:37 <DIR> d-------- H:\Program Files\SpywareBlaster
2008-01-21 23:59 . 2005-08-25 18:19 115,920 --a------ H:\WINDOWS\system32\MSINET.OCX
2008-01-21 22:04 . 2008-01-31 11:33 292 --a------ H:\WINDOWS\wininit.ini
2008-01-20 18:02 . 2008-01-20 18:02 <DIR> d--h----- H:\WINDOWS\PIF
2008-01-20 17:08 . 2008-01-20 17:08 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Avg7
2008-01-20 12:42 . 2008-01-20 13:04 <DIR> d-------- H:\bm2000
2008-01-20 12:42 . 2008-01-20 12:42 209,920 --a------ H:\WINDOWS\iun3401.exe
2008-01-19 10:30 . 2008-01-19 09:00 102,664 --a------ H:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-18 18:03 . 2008-01-18 18:14 <DIR> d-------- H:\Documents and Settings\jj\.SunDownloadManager
2008-01-18 11:08 . 2008-01-31 10:03 <DIR> d-------- H:\Documents and Settings\jj\.housecall6.6
2008-01-16 10:27 . 2008-01-16 10:27 0 --a------ H:\WINDOWS\hpqEmlSz.INI
2008-01-14 15:32 . 2008-01-14 15:32 <DIR> d-------- H:\Documents and Settings\jands\Application Data\Grisoft
2008-01-14 15:31 . 2004-08-04 07:56 221,184 --a------ H:\WINDOWS\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 19:00 --------- d---a-w H:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 10:05 --------- d--h--w H:\Program Files\InstallShield Installation Information
2008-01-31 09:30 --------- d-----w H:\Program Files\Spyware Doctor
2008-01-25 12:40 74,240 ----a-w H:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-25 12:40 56,832 ----a-w H:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-25 08:37 --------- d-----w H:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 17:57 --------- d-----w H:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 17:55 12,632 ----a-w H:\WINDOWS\system32\lsdelete.exe
2008-01-20 17:08 --------- d-----w H:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 15:47 --------- d-----w H:\Documents and Settings\jj\Application Data\uTorrent
2008-01-18 18:20 --------- d-----w H:\Program Files\Java
2008-01-16 10:42 --------- d-----w H:\Program Files\Norton Security Scan
2007-12-19 10:33 --------- d-----w H:\Program Files\Common Files\Symantec Shared
2007-12-17 13:51 --------- d-----w H:\Program Files\HP
2007-12-16 22:15 --------- d-----w H:\Documents and Settings\jj\Application Data\Grisoft
2007-12-16 12:29 --------- d-----w H:\Program Files\Common Files\eSellerate
2007-12-16 12:29 --------- d-----w H:\Program Files\AnswersThatWork
2007-12-16 11:45 --------- d-----w H:\Program Files\Microsoft ActiveSync
2007-12-15 18:26 --------- d-----w H:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-15 13:15 --------- d-----w H:\Program Files\Trend Micro
2007-12-14 22:21 --------- d-----w H:\Documents and Settings\All Users\Application Data\McAfee
2007-12-14 16:46 --------- d-----w H:\Program Files\Lavasoft
2007-12-14 11:08 --------- d-----w H:\Documents and Settings\All Users\Application Data\LogiShrd
2007-12-14 11:07 0 ---ha-w H:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-14 11:07 0 ---ha-w H:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-12-14 11:07 --------- d-----w H:\Documents and Settings\jj\Application Data\Logitech
2007-12-14 11:06 --------- d-----w H:\Program Files\Common Files\Logishrd
2007-12-14 11:05 --------- d-----w H:\Program Files\Logitech
2007-12-14 11:05 --------- d-----w H:\Documents and Settings\jj\Application Data\InstallShield
2007-12-14 11:05 --------- d-----w H:\Documents and Settings\All Users\Application Data\Logitech
2007-12-14 09:51 --------- d-----w H:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-13 23:53 --------- d-----w H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 18:49 --------- d-----w H:\Documents and Settings\jj\Application Data\InstallShield Installation Information
2007-12-13 18:35 --------- d-----w H:\Program Files\Unreal Tournament 3
2007-12-13 18:35 --------- d-----w H:\Program Files\AGEIA Technologies
2007-12-13 18:04 --------- d-----w H:\Program Files\SystemRequirementsLab
2007-12-13 18:04 --------- d-----w H:\Documents and Settings\jj\Application Data\SystemRequirementsLab
2007-12-13 17:51 --------- d-----w H:\Program Files\Common Files\Java
2007-12-11 12:00 --------- d-----w H:\Program Files\OUP
2007-11-20 23:49 14,336 ----a-w H:\Program Files\wmdmhelper.dll
2007-11-20 23:48 98,304 ----a-w H:\Program Files\rpshellextension.dll
2007-11-20 23:48 95,816 ----a-w H:\Program Files\rdsf3260.dll
2007-11-20 23:48 94,208 ----a-w H:\Program Files\rpbrowserrecordupdate.dll
2007-11-20 23:48 9,216 ----a-w H:\Program Files\rphelperapp.exe
2007-11-20 23:48 86,016 ----a-w H:\Program Files\rpplugprot.dll
2007-11-20 23:48 81,920 ----a-w H:\Program Files\tsasdk.dll
2007-11-20 23:48 719,360 ----a-w H:\Program Files\dbghelp.dll
2007-11-20 23:48 7,168 ----a-w H:\Program Files\realjbox.exe
2007-11-20 23:48 692,224 ----a-w H:\Program Files\dtdr3260.dll
2007-11-20 23:48 685 ----a-w H:\Program Files\RecordingManager.exe.manifest
2007-11-20 23:48 682 ----a-w H:\Program Files\realplay.exe.manifest
2007-11-20 23:48 655,360 ----a-w H:\Program Files\rjbres.dll
2007-11-20 23:48 65,536 ----a-w H:\Program Files\rjwmapln.dll
2007-11-20 23:48 645,992 ----a-w H:\Program Files\normal.vs
2007-11-20 23:48 63,040 ----a-w H:\Program Files\rpshell.dll
2007-11-20 23:48 61,495 ----a-w H:\Program Files\ssimages.vs
2007-11-20 23:48 6,656 ----a-w H:\Program Files\fixrjb.exe
2007-11-20 23:48 57,762 ----a-w H:\Program Files\howto.chm
2007-11-20 23:48 57,344 ----a-w H:\Program Files\tpasdk.dll
2007-11-20 23:48 568 ----a-w H:\Program Files\fpsectbl
2007-11-20 23:48 53,248 ----a-w H:\Program Files\rpau3260.dll
2007-11-20 23:48 53,098 ----a-w H:\Program Files\presets.rnx
2007-11-20 23:48 52,609 ----a-w H:\Program Files\RealNetworks License.html
2007-11-20 23:48 52,609 ----a-w H:\Program Files\playrlic.html
2007-11-20 23:48 50,548 ----a-w H:\Program Files\RealNetworks License.txt
2007-11-20 23:48 50,548 ----a-w H:\Program Files\playrlic.txt
2007-11-20 23:48 50 ----a-w H:\Program Files\strs23.dat
2007-11-20 23:48 499,712 ----a-w H:\WINDOWS\system32\msvcp71.dll
2007-11-20 23:48 480 ----a-w H:\Program Files\keys.dat
2007-11-20 23:48 43,088 ----a-w H:\Program Files\rpshellsearch.dll
2007-11-20 23:48 41,472 ----a-w H:\Program Files\mmcdda32.dll
2007-11-20 23:48 40,154 ----a-w H:\Program Files\realplay.chm
2007-11-20 23:48 370,296 ----a-w H:\Program Files\rpbrowserrecordplugin.dll
2007-11-20 23:48 36,352 ----a-w H:\Program Files\ierjplug.dll
2007-11-20 23:48 339,968 ----a-w H:\Program Files\rjdlg.dll
2007-11-20 23:48 32,768 ----a-w H:\Program Files\rpwa3260.dll
2007-11-20 23:48 23,558 ----a-w H:\Program Files\freeoffers.ico
2007-11-20 23:48 221 ----a-w H:\Program Files\subscription.rnx
2007-11-20 23:48 214,560 ----a-w H:\Program Files\realplay.exe
2007-11-20 23:48 2,851 ----a-w H:\Program Files\cdroms.cfg
2007-11-20 23:48 19,456 ----a-w H:\Program Files\tnetdtct.dll
2007-11-20 23:48 19,456 ----a-w H:\Program Files\rjprog.dll
2007-11-20 23:48 177 ----a-w H:\Program Files\freeoffers.rnx
2007-11-20 23:48 17,846 ----a-w H:\Program Files\videotest.rm
2007-11-20 23:48 16,296 ----a-w H:\Program Files\realtfon.fon
2007-11-20 23:48 153,176 ----a-w H:\Program Files\RecordingManager.exe
2007-11-20 23:48 139,264 ----a-w H:\Program Files\DUNZIP32.dll
2007-11-20 23:48 13 ----a-w H:\Program Files\strs26.dat
2007-11-20 23:48 119,808 ----a-w H:\Program Files\waiting.avi
2007-11-20 23:48 11,444 ----a-w H:\Program Files\frw.bmp
2007-11-20 23:48 102,400 ----a-w H:\Program Files\HXAudioDeviceHook.dll
2007-11-20 23:48 1,209 ----a-w H:\Program Files\flvplay.swf
2007-11-20 23:48 1,030 ----a-w H:\Program Files\autoplaylist.dat
2007-11-20 23:48 1,026 ----a-w H:\Program Files\browserrecord.swf
2007-11-15 10:07 76,304 ----a-w H:\WINDOWS\system32\KemXML.dll
2007-11-15 10:07 170,512 ----a-w H:\WINDOWS\system32\kemutb.dll
2007-11-15 10:07 141,840 ----a-w H:\WINDOWS\system32\KemUtil.dll
2007-11-15 10:07 117,264 ----a-w H:\WINDOWS\system32\KemWnd.dll
2007-11-15 10:06 301,656 ----a-w H:\WINDOWS\system32\BtCoreIf.dll
2007-11-07 09:26 721,920 ----a-w H:\WINDOWS\system32\lsasrv.dll
2007-06-13 10:23 770,048 --sh--r H:\WINDOWS\system32\mxvnrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= H:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL [2008-01-24 10:47 266240]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="H:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"Creative WebCam Tray"="H:\Program Files\Creative\Shared Files\CamTray.exe" [2005-03-29 06:13 258048]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"H/PC Connection Agent"="H:\PROGRA~1\MICROS~3\wcescomm.exe" [2005-11-15 18:44 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="H:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-03-15 12:43 1933312]
"ANIWZCS2Service"="H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2003-08-21 15:11 32768]
"NvCplDaemon"="H:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 H:\WINDOWS\system32\nwiz.exe]
"Windows Defender"="H:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"DPAgnt"="H:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 17:24 913408]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 H:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"HPDJ Taskbar Utility"="H:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 07:19 172032]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 07:34 16143872 H:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="H:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"NeroFilterCheck"="H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"FLMOFFICE4DMOUSE"="H:\Program Files\Trust\MI-4550XP WIRELESS OPTICAL MINI MOUSE\Mouse32a.exe" [2007-10-25 00:25 370176]
"QuickTime Task"="H:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="H:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"NvMediaCenter"="H:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"SDTray"="H:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-01-25 12:11 1065800]

H:\Documents and Settings\jj\Start Menu\Programs\Startup\
sMaRTcaPs.lnk - H:\Program Files\sMaRTcaPs\SmartCaps.exe [2007-11-18 23:39:50 135168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= H:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
H:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 H:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
H:\WINDOWS\system32\DPWLEvHd.dll 2004-10-13 17:29 102400 H:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 h:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

R3 dpK0Bx01;Fingerprint Reader Filter Driver;H:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 15:58]
R3 UsbdpFP;Fingerprint Reader Class Driver;H:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 15:59]
R3 V0080Dev;Creative Camera VF0080 Driver;H:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 07:11]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-10 16:06:03 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- H:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-01 19:02:55 H:\WINDOWS\Tasks\MP Scheduled Scan.job"
- H:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 19:57:12
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: H:\WINDOWS\explorer.exe [6.00.2900.3156]
-> H:\Program Files\DigitalPersona\Bin\DpOFeedb.dll
.
Completion time: 2008-02-01 19:58:12
ComboFix-quarantined-files.txt 2008-02-01 19:58:08
ComboFix2.txt 2008-02-01 19:08:41
ComboFix3.txt 2008-02-01 08:57:38
ComboFix4.txt 2008-01-29 14:05:39
.
2008-01-25 08:28:23 --- E O F ---
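
The ComboFix log above is what the helper reads by eye: the file listing carries an attribute column (the `--sh--r` on mxvnrv.exe) and the Run-key section marks values whose target was not found on disk with an empty `[ ]`. As an added example that is not part of the thread or of ComboFix itself, the following Python triage script parses those two line shapes over sample lines copied from the log and returns the items a responder would check first; the reading of `h` and `s` in the attribute column as hidden and system is my assumption about ComboFix's convention.

```python
import re

# Constructed sample lines in the two ComboFix formats quoted in the log above
# (file listing with attribute flags, and HKLM\...\Run values).
SAMPLE_FILE_LINES = r"""
2007-11-07 09:26 721,920 ----a-w H:\WINDOWS\system32\lsasrv.dll
2007-06-13 10:23 770,048 --sh--r H:\WINDOWS\system32\mxvnrv.exe
2007-11-20 23:48 214,560 ----a-w H:\Program Files\realplay.exe
2007-11-20 23:48 23,558 ----a-w H:\Program Files\freeoffers.ico
"""

SAMPLE_RUN_LINES = r"""
"NvCplDaemon"="H:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 H:\WINDOWS\system32\nwiz.exe]
"PWRISOVM.EXE"="H:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"SDTray"="H:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-01-25 12:11 1065800]
"""

# "YYYY-MM-DD HH:MM size attrs path"; the attribute column is seven flag characters.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{7}) (?P<path>\S.*)$"
)
# '"ValueName"="target" [timestamp size (resolved path)]' or '[ ]' when not found.
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<meta>[^\]]*)\]$')

EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_file_line(line):
    """Return a dict for one file-listing line, or None if the line is not one."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))
    return rec


def parse_run_line(line):
    """Return a dict for one Run-key value line, or None if the line is not one."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # ComboFix prints timestamp and size only when it located the target file.
    rec["resolved"] = rec["meta"].strip() != ""
    return rec


def hidden_system_executables(text):
    """Executables whose attribute flags include both hidden ('h') and system ('s').

    Assumption: ComboFix's attribute column uses 'h' and 's' for those flags.
    A user-mode binary hidden this way is a classic thing to look at first.
    """
    hits = []
    for line in text.splitlines():
        rec = parse_file_line(line)
        if (rec and "h" in rec["attrs"] and "s" in rec["attrs"]
                and rec["path"].lower().endswith(EXEC_EXTENSIONS)):
            hits.append(rec["path"])
    return hits


def unresolved_run_entries(text):
    """Run values whose target ComboFix could not find on disk (empty '[ ]')."""
    return [rec["name"] for rec in map(parse_run_line, text.splitlines())
            if rec and not rec["resolved"]]


def bare_name_run_entries(text):
    """Run values that give only a file name, so Windows resolves it via the search path."""
    return [rec["name"] for rec in map(parse_run_line, text.splitlines())
            if rec and "\\" not in rec["target"] and ":" not in rec["target"]]


def triage(file_text, run_text):
    """Bundle the three checks into one report over a file listing and a Run section."""
    return {
        "hidden_system_executables": hidden_system_executables(file_text),
        "unresolved_run_entries": unresolved_run_entries(run_text),
        "bare_name_run_entries": bare_name_run_entries(run_text),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_FILE_LINES, SAMPLE_RUN_LINES).items():
        print(key)
        for item in items:
            print("   ", item)
```

On the sample lines the report lists mxvnrv.exe under hidden/system executables, PWRISOVM.EXE as an unresolved Run target, and nwiz as a bare-name Run value.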

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:18 AM

Posted 01 February 2008 - 03:20 PM

Hello,

You're welcome. :blink:

Spybot was doing its job. :thumbsup: Actually I should have had you totally disable it so it wouldn't bug you about all the changes that ComboFix had to make. My bad. What we did was alter the registry to get those bad entries yanked out of there, and Spybot was telling you about it.

Please delete ComboFix and its accompanying folder, C:\Qoobox

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 midimad

midimad
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Location:Iberia
  • Local time:06:18 AM

Posted 01 February 2008 - 05:35 PM

Tea, here is the scan result. I have deleted encrypted files that I recognize and that had titles that included people's names, etc.

M

BitDefender Log File !!!!!
Product : BitDefender Total Security 2008
Version : BitDefender UIScanner v.11
Log date : 22:16:07 01/02/2008
Log path : H:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1201904167_1_02.xml

Scan Paths:
Path0000: E:\
Path0001: H:\
Path0002: L:\


Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes


Target selection options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : No
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :


Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None


Scan engines summary
Number of virus signatures : 978601
Archive plugins : 41
Email plugins : 6
Scan plugins : 12
Archive plugins : 41
System plugins : 4
Unpack plugins : 7


Overall scan summary
Scanned items : 140848
Infected items : 9
Suspicious items : 0
Resolved items : 1
Individual viruses found : 3
Scanned directories : 4483
Scanned boot sectors : 5
Scanned archives : 574
Input-output errors : 20
Scan time : 00:00:33:37
Files per second : 69


Scanned processes summary
Scanned : 54
Infected : 0


Scanned registry keys summary
Scanned : 339
Infected : 0


Scanned cookies summary
Scanned : 0
Infected : 0


Remaining issues:
Object Name Threat Name Final Status
H:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll Adware.MyWebSearch.DW Disinfect Failed
H:\Program Files\PandoBar\bar\1.bin\NPPANDBR.DLL Adware.MyWebSearch.DW Disinfect Failed
H:\Documents and Settings\jj\Local Settings\Application Data\Microsoft\Outlook\Outlook\Outlook.pst=][Subject: ??][From: John and Susan]=]activate.exe Generic.Malware.G!SKI!!FLMWX!!Bg.B6F4B1F9 Disinfect Failed
H:\Documents and Settings\jj\Local Settings\Application Data\Microsoft\Outlook\Outlook\Outlook.pst=][Subject: ??][From: John and Susan]=]activate.exe Generic.Malware.G!SKI!!FLMWX!!Bg.B6F4B1F9 Disinfect Failed
H:\Documents and Settings\jj\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst=][From: John and Susan]=]activate.exe Generic.Malware.G!SKI!!FLMWX!!Bg.B6F4B1F9 Disinfect Failed
H:\Documents and Settings\jj\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst=][From: John and Susan]=]activate.exe Generic.Malware.G!SKI!!FLMWX!!Bg.B6F4B1F9 Disinfect Failed
H:\Documents and Settings\jj\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst=][From: John and Susan]=]activate.exe Generic.Malware.G!SKI!!FLMWX!!Bg.B6F4B1F9 Disinfect Failed
H:\Documents and Settings\jj\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst=][From: John and Susan]=]activate.exe Generic.Malware.G!SKI!!FLMWX!!Bg.B6F4B1F9 Disinfect Failed
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]CmnIds.vbs Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/arrow_right.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/btn_signup_52x20.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/more_info.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/sidetable_bottom.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/sidetable_bottom_red.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/sidetable_top.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/sidetable_top_red.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/transpix.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]images/watermark_mys_150x130.gif Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]oemcfg.vbs Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]OEMIds.vbs Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]valert.htm Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]valert_old.htm Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=]hs~valert.htm Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService1.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService2.zip=]core.cache.dsk Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService2.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService3.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService4.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StatblasterAllfiles.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StatblasterAllfiles.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vanbot.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vanbot.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vanbot1.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vanbot1.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vanbot2.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vanbot2.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip=]removalfile.bat Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip=]sbRecovery.reg Password-Protected Items No action was possible
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip=]sbRecovery.ini Password-Protected Items No action was possible
H:\Documents and Settings\jj\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 08-55-41.SBU=]backup.db Password-Protected Items No action was possible
H:\Documents and Settings\jj\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 09-09-57.SBU=]backup.db Password-Protected Items No action was possible
H:\Documents and Settings\jj\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-25-2008 - 15-50-32.SBU=]backup.db


H:\Documents and Settings\jj\Desktop\latest cddec07outlookbackupencryted.pst=][ Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\MI.zip=]MI.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/DATA.TAG Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/data1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/data1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/lang.dat Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/layout.bin Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/os.dat Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/Setup.bmp Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/Setup.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/SETUP.INI Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/setup.ins Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/setup.lid Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/_INST32I.EX_ Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/_ISDel.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/_Setup.dll Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/_sys1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/_sys1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/_user1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/Disk1/_user1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/disk2/data2.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/disk3/data3.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Plus/disk4/data4.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]Documentation/desktop.pdf Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]Documentation/phone.pdf Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]DS/demo32.EXE Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]DS/ds32.dll Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]DS/LSeries.dbd Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/DATA.TAG Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/data1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/data1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/lang.dat Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/layout.bin Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/os.dat Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/Setup.bmp Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/Setup.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/SETUP.INI Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/setup.ins Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/setup.lid Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/_INST32I.EX_ Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/_ISDel.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/_Setup.dll Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/_sys1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/_sys1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/_user1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/Disk1/_user1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]SMS/disk2/data2.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/DATA.TAG Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/data1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/data1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/lang.dat Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/layout.bin Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/os.dat Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/Setup.bmp Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/Setup.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/SETUP.INI Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/setup.ins Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/setup.lid Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/_INST32I.EX_ Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/_ISDel.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/_Setup.dll Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/_sys1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/_sys1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/_user1.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/Disk1/_user1.hdr Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/disk2/data2.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/disk3/data3.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/disk4/data4.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/disk5/data5.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]TrueSync Desktop/disk6/data6.cab Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]CE Driver/LSetup.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]_motlser.inf Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]Autorun.inf Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]Readme.txt Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\p144578q.zip=]Setup.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Desktop\Misc files\2005 Computer downloads\Old downloads\setup.zip=]setup.exe Password-Protected Items No action was possible
H:\Documents and Settings\jj\Local Settings\Application Data\Microsoft\Outlook\Outlook\Outlook.pst]transaction.zip=]transaction.txt Password-Protected Items No action was possible


Resolved issues:
Object Name Threat Name Final Status
H:\System Volume Information\_restore{C0A87699-BC4E-4EF7-8FE0-F9A11829B287}\RP4\A0001476.dll=](MS-Compress 5) Adware.NetAdware.CI Deleted

#8 midimad

midimad
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iberia
  • Local time:06:18 AM

Posted 01 February 2008 - 05:52 PM

Tea, this was the result of my virus checker after running BitDefender.

Attached Files



#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:18 AM

Posted 01 February 2008 - 06:04 PM

Hello,

Are you still getting the alerts from Spybot? They should have stopped now. :blink: I guess you can see that all the old things, or unrecognizable ones, should be emptied from Outlook.

Running all right? :thumbsup:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:18 AM

Posted 01 February 2008 - 06:07 PM

Tea, this was the result of my virus checker after running BitDefender.

Do you have a path for the top one? The second one is part of ComboFix, and not a threat at all, and the last one, I'm betting on cookies. ;)

#11 midimad

midimad
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iberia
  • Local time:06:18 AM

Posted 01 February 2008 - 06:36 PM

Tea, still getting URLs, but only with IE and only when I visit a site. They were spontaneous before. Also, the type of URL seems less malicious. Spyware Doctor does not find rootkit agents or core.cache.dsk, thank goodness, and it cleared all the messages that I sent you in the screen grab. See the screen attached to see what I get now: one for each site visited.

Attached Files



#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:18 AM

Posted 04 February 2008 - 06:04 PM

Hello,

Yes, just cookies. :thumbsup: How is it running after a few days?

tea

#13 midimad

midimad
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iberia
  • Local time:06:18 AM

Posted 05 February 2008 - 05:52 AM

Thanks, Tea. By using Mozilla, which I prefer, I don't have any problems now.

I really appreciate your help. It is gratifying in this age of computerized service response systems to get such responsive personal service.

I have tried to make a donation, but PayPal will not accept credit cards for this type of payment, and I do not have any other way of getting the money to you. I would give you a smile, but smilies don't seem to work. (No, that is not a request for another investigation!!!!) :thumbsup:

Thanks again,

M

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:18 AM

Posted 08 February 2008 - 09:01 PM

Hello mysterious "M" :wacko:

You're most welcome for the help. :thumbsup: Are you still having trouble with IE after a few days? You might try updating it from the Microsoft site, and we're on IE7 now, not IE6. I myself prefer Firefox, and use it exclusively, but to make your system as secure as possible, you should update IE anyway. :blink:

Please let me know.

Thanks,
tea

#15 midimad

midimad
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iberia
  • Local time:06:18 AM

Posted 11 February 2008 - 06:36 AM

Tea, it was a great pleasure to do business with you. Personal service is pretty rare these days. I have sent a donation. Don't spend it all at once!


M
