

Can't Get Rid Of Core.cache.dsk


9 replies to this topic

#1 ~Dawn~

~Dawn~

  • Members
  • 48 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 04 February 2008 - 09:28 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:13, on 2008-02-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\SYSTEM32\MEMOPCAX.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {85205A08-3A67-4920-9F4B-10CE0C5226D5} - C:\Program Files\MSN\wocedyg83122.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [Ecu] C:\WINDOWS\?ppPatch\??anregw.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [comup] C:\WINDOWS\System32\mobjchku.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200645939359
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 3783 bytes


ComboFix 08-02.03.1 - Owner 2008-02-04 8:13:50.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.145 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 08:17 . 2008-02-04 08:17 <DIR> d-------- C:\Temp\tn3
2008-02-03 19:20 . 2008-02-03 19:20 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-26 23:13 . 2008-01-26 23:15 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2008-01-26 23:13 . 2008-01-26 23:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SuperAdBlocker.com
2008-01-18 04:09 . 2005-10-20 16:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-01-18 02:48 . 2004-07-01 16:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-18 02:48 . 2004-07-01 16:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-18 02:48 . 2004-07-01 16:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-01-18 02:48 . 2004-07-01 16:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-18 02:48 . 2004-07-01 16:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-18 02:48 . 2004-07-01 16:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-18 02:48 . 2004-07-01 16:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-18 02:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-18 02:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-18 02:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-18 02:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-16 02:27 . 2008-01-26 23:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-15 14:02 . 2008-01-15 14:02 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-15 00:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-15 00:03 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qbxtsxyonorx.sys
2008-01-15 00:02 . 2008-01-15 00:02 337,920 --a------ C:\WINDOWS\system32\RCX3058.tmp
2008-01-14 23:47 . 2008-01-14 23:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 23:47 . 2008-01-14 23:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-14 21:13 . 2008-01-14 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-14 20:51 . 2008-01-14 20:51 <DIR> d-------- C:\Program Files\Uniblue
2008-01-14 20:51 . 2008-01-14 20:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-01-14 11:54 . 2008-01-14 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 10:10 . 2008-01-14 21:35 118,784 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-14 00:04 . 2008-01-14 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 00:03 . 2008-02-04 07:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-14 00:03 . 2008-01-14 00:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-13 22:19 . 2008-02-03 22:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-13 22:19 . 2008-02-03 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 21:52 . 2008-01-14 09:25 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-13 21:49 . 2008-01-14 09:27 <DIR> d--hs---- C:\WINDOWS\Q291cnRuZXkgQ29ubmVsbA
2008-01-13 21:49 . 2007-12-27 08:37 425,984 --a------ C:\WINDOWS\system32\memopcax.dll
2008-01-13 21:49 . 2008-01-17 23:36 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-13 21:49 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushzcra.exe
2008-01-13 21:49 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
2008-01-13 21:49 . 2008-01-13 21:49 86,016 --a------ C:\WINDOWS\system32\drivers\nabtsfecc.sys
2008-01-13 21:49 . 2008-01-13 21:49 54,033 --a------ C:\WINDOWS\system32\memouint.exe
2008-01-13 21:48 . 2008-01-14 09:25 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-13 21:48 . 2008-01-13 21:49 <DIR> d-------- C:\Temp\Ryuan1
2008-01-13 21:48 . 2008-02-04 08:17 <DIR> d-------- C:\Temp
2008-01-06 00:33 . 2008-01-06 00:33 <DIR> d-------- C:\Program Files\ISR Solutions

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 13:08 --------- d-----w C:\Program Files\QuickTime
2008-02-04 03:53 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-04 01:21 --------- d-----w C:\Program Files\Dome4Avon
2008-02-04 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-02 16:12 --------- d-----w C:\Program Files\Trillian
2008-01-15 05:32 --------- d-----w C:\Program Files\Java
2008-01-15 03:42 485,888 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
2007-12-10 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-08 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-08 03:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-07 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-05 18:19 --------- d-----w C:\Program Files\Common Files\Java
2007-12-05 00:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-05 00:56 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-04 17:05 --------- d-----w C:\Program Files\Microsoft Works
2007-12-04 16:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-04 16:48 --------- d-----w C:\Program Files\Microsoft.NET
2004-07-18 05:54 460,728 ----a-w C:\WINDOWS\Fonts\SETA2C.tmp
2004-07-18 05:54 460,728 ----a-w C:\WINDOWS\Fonts\SET54B.tmp
2004-07-18 05:54 383,140 ----a-w C:\WINDOWS\Fonts\SETA2B.tmp
2004-07-18 05:54 383,140 ----a-w C:\WINDOWS\Fonts\SET54A.tmp
2004-07-18 05:54 355,436 ----a-w C:\WINDOWS\Fonts\SETA2A.tmp
2004-07-18 05:54 355,436 ----a-w C:\WINDOWS\Fonts\SET549.tmp
2004-07-18 04:55 460,728 ----a-w C:\WINDOWS\Fonts\SET535.tmp
2004-07-18 04:55 383,140 ----a-w C:\WINDOWS\Fonts\SET534.tmp
2004-07-18 04:55 355,436 ----a-w C:\WINDOWS\Fonts\SET533.tmp
2004-07-17 18:39 409,280 ----a-w C:\WINDOWS\Fonts\SETA29.tmp
2004-07-17 18:39 409,280 ----a-w C:\WINDOWS\Fonts\SET548.tmp
2004-07-17 18:39 398,372 ----a-w C:\WINDOWS\Fonts\SETA28.tmp
2004-07-17 18:39 398,372 ----a-w C:\WINDOWS\Fonts\SET547.tmp
2004-07-17 18:39 367,112 ----a-w C:\WINDOWS\Fonts\SETA2F.tmp
2004-07-17 18:39 367,112 ----a-w C:\WINDOWS\Fonts\SET54E.tmp
2004-07-17 18:39 352,224 ----a-w C:\WINDOWS\Fonts\SETA2E.tmp
2004-07-17 18:39 352,224 ----a-w C:\WINDOWS\Fonts\SET54D.tmp
2004-07-17 18:39 127,596 ----a-w C:\WINDOWS\Fonts\SETA2D.tmp
2004-07-17 18:39 127,596 ----a-w C:\WINDOWS\Fonts\SET54C.tmp
2004-07-17 17:39 409,280 ----a-w C:\WINDOWS\Fonts\SET532.tmp
2004-07-17 17:39 398,372 ----a-w C:\WINDOWS\Fonts\SET531.tmp
2004-07-17 17:39 367,112 ----a-w C:\WINDOWS\Fonts\SET538.tmp
2004-07-17 17:39 352,224 ----a-w C:\WINDOWS\Fonts\SET537.tmp
2004-07-17 17:39 127,596 ----a-w C:\WINDOWS\Fonts\SET536.tmp
.
----a-w 6,731,312 2008-01-14 16:10:33  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 144,784 2008-01-15 03:44:43  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w 40,960 2008-01-15 04:02:03  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w 26,112 2008-01-15 04:02:06  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w 1,460,560 2008-01-15 18:28:09  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 1,560,576 2008-02-02 16:30:43  C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock .exe
----a-w 1,318,912 2008-02-02 16:10:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w 1,885,464 2008-01-15 02:57:45  C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster .exe
----a-w 118,784 2008-01-15 03:35:45  C:\WINDOWS\system32\hkcmd .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85205A08-3A67-4920-9F4B-10CE0C5226D5}]
C:\Program Files\MSN\wocedyg83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"Ecu"="C:\WINDOWS\?ppPatch\??anregw.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"comup"="C:\WINDOWS\System32\mobjchku.exe" [ ]
"SuperAdBlocker"="C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2007-02-27 11:24 1560576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"RegistryMechanic"="" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 11:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-02-27 11:24 159744 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\mllml.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

R1 nabtsfecc;nabtsfecc;C:\WINDOWS\System32\drivers\nabtsfecc.sys [2008-01-13 21:49]
R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 15:02]
S1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 10:17]
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\System32\DRIVERS\vnet558x.sys [2003-06-12 03:56]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 08:17:17
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-04 8:20:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 14:19:57
ComboFix2.txt 2008-02-04 13:12:22
ComboFix3.txt 2008-02-04 04:55:21
ComboFix4.txt 2008-02-04 03:56:14
ComboFix5.txt 2008-02-02 16:34:46
.
2008-02-04 09:00:26 --- E O F ---


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 06 February 2008 - 06:35 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum ~Dawn~
My name is Richie and I'll be helping you to fix your problems.

Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, to your desktop.
File::
C:\WINDOWS\system32\drivers\nabtsfecc.sys
C:\WINDOWS\system32\drivers\qbxtsxyonorx.sys
C:\WINDOWS\system32\memopcax.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\rushzcra.exe
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\RCX3058.tmp
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
C:\WINDOWS\Fonts\SETA2C.tmp
C:\WINDOWS\Fonts\SET54B.tmp
C:\WINDOWS\Fonts\SETA2B.tmp
C:\WINDOWS\Fonts\SET54A.tmp
C:\WINDOWS\Fonts\SETA2A.tmp
C:\WINDOWS\Fonts\SET549.tmp
C:\WINDOWS\Fonts\SET535.tmp
C:\WINDOWS\Fonts\SET534.tmp
C:\WINDOWS\Fonts\SET533.tmp
C:\WINDOWS\Fonts\SETA29.tmp
C:\WINDOWS\Fonts\SET548.tmp
C:\WINDOWS\Fonts\SETA28.tmp
C:\WINDOWS\Fonts\SET547.tmp
C:\WINDOWS\Fonts\SETA2F.tmp
C:\WINDOWS\Fonts\SET54E.tmp
C:\WINDOWS\Fonts\SETA2E.tmp
C:\WINDOWS\Fonts\SET54D.tmp
C:\WINDOWS\Fonts\SETA2D.tmp
C:\WINDOWS\Fonts\SET54C.tmp
C:\WINDOWS\Fonts\SET532.tmp
C:\WINDOWS\Fonts\SET531.tmp
C:\WINDOWS\Fonts\SET538.tmp
C:\WINDOWS\Fonts\SET537.tmp
C:\WINDOWS\Fonts\SET536.tmp
Folder::
C:\Temp\tn3
C:\WINDOWS\Q291cnRuZXkgQ29ubmVsbA
C:\WINDOWS\system32\edcA01
C:\Temp\Ryuan1
C:\Temp
RenV::
----a-w 6,731,312 2008-01-14 16:10:33  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 144,784 2008-01-15 03:44:43  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w 40,960 2008-01-15 04:02:03  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w 26,112 2008-01-15 04:02:06  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w 1,460,560 2008-01-15 18:28:09  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 1,560,576 2008-02-02 16:30:43  C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock .exe
----a-w 1,318,912 2008-02-02 16:10:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w 1,885,464 2008-01-15 02:57:45  C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster .exe
----a-w 118,784 2008-01-15 03:35:45  C:\WINDOWS\system32\hkcmd .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85205A08-3A67-4920-9F4B-10CE0C5226D5}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ecu"=-
"comup"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
Driver::
nabtsfecc
Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
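The CFScript above targets a few patterns that show up in Dawn's logs: executables whose names carry a space before the extension (the RenV:: entries), a Run value whose path HijackThis could only render with '?' characters, a BHO pointing at a file that no longer exists, and an O16 DPF object pulled in through the ms-its: CHM handler. As an added example (written for this page, not code from this thread, ComboFix or HijackThis), here is a small Python triage script that scans HijackThis/ComboFix output for exactly those indicators. The sample lines are copied from the logs in this thread; the rule names and the triage() function are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the HijackThis and
# ComboFix output posted earlier in this thread (raw string, so the
# Windows backslashes are kept verbatim).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {85205A08-3A67-4920-9F4B-10CE0C5226D5} - C:\Program Files\MSN\wocedyg83122.dll (file missing)
O4 - HKCU\..\Run: [Ecu] C:\WINDOWS\?ppPatch\??anregw.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
----a-w 118,784 2008-01-15 03:35:45  C:\WINDOWS\system32\hkcmd .exe
"""

# "name .exe": a space squeezed in before the extension, which is what
# ComboFix's RenV:: section is used to undo.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|sys|ocx|scr|cpl|tmp)\b", re.IGNORECASE)

# A drive-letter path containing '?' - HijackThis prints '?' for characters
# it cannot render, so a launch path like C:\WINDOWS\?ppPatch\??anregw.exe
# is worth a second look.  Requires the X:\ prefix so that '?' in ordinary
# URLs (fwlink/?linkid=...) does not trigger it.
UNPRINTABLE_PATH = re.compile(r"\b[A-Za-z]:\\\S*\?")

# An autostart/BHO entry whose target is gone: dead registration left
# behind by something that was partially removed.
FILE_MISSING = re.compile(r"\(file missing\)", re.IGNORECASE)

# O16 DPF (downloaded program file) entries normally reference an http(s)
# URL; one routed through the ms-its: CHM protocol handler stands out.
MSITS_DPF = re.compile(r"^O16 - DPF:.*\bms-its:", re.IGNORECASE)

RULES = [
    ("space before extension (ComboFix RenV candidate)", SPACE_BEFORE_EXT),
    ("non-ANSI characters in path rendered as '?'", UNPRINTABLE_PATH),
    ("autostart points at a file that no longer exists", FILE_MISSING),
    ("O16 DPF object loaded through the ms-its: CHM handler", MSITS_DPF),
]


def flag_line(line: str) -> List[str]:
    """Return the names of every rule that matches this log line."""
    return [name for name, rx in RULES if rx.search(line)]


def triage(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan a whole log; return (line number, line, reasons) for flagged lines only."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        reasons = flag_line(line)
        if reasons:
            hits.append((n, line, reasons))
    return hits


if __name__ == "__main__":
    for n, line, reasons in triage(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}\n    {line}")
```

Run against the sample it reports lines 2, 3, 6 and 7; the clean Java BHO, the SUPERAntiSpyware Run entry and the Microsoft fwlink O16 entry pass untouched. The rules are deliberately narrow string patterns, so a hit is a prompt to look closer (file size, signer, creation date in the ComboFix "Files Created" section), not a verdict on its own.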

#3 ~Dawn~

~Dawn~
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 08 February 2008 - 09:24 AM

Thank you!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:21, on 2008-02-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200645939359
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 3786 bytes

ComboFix 08-02.03.1 - Owner 2008-02-08 8:12:11.12 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\Fonts\SET531.tmp
C:\WINDOWS\Fonts\SET532.tmp
C:\WINDOWS\Fonts\SET533.tmp
C:\WINDOWS\Fonts\SET534.tmp
C:\WINDOWS\Fonts\SET535.tmp
C:\WINDOWS\Fonts\SET536.tmp
C:\WINDOWS\Fonts\SET537.tmp
C:\WINDOWS\Fonts\SET538.tmp
C:\WINDOWS\Fonts\SET547.tmp
C:\WINDOWS\Fonts\SET548.tmp
C:\WINDOWS\Fonts\SET549.tmp
C:\WINDOWS\Fonts\SET54A.tmp
C:\WINDOWS\Fonts\SET54B.tmp
C:\WINDOWS\Fonts\SET54C.tmp
C:\WINDOWS\Fonts\SET54D.tmp
C:\WINDOWS\Fonts\SET54E.tmp
C:\WINDOWS\Fonts\SETA28.tmp
C:\WINDOWS\Fonts\SETA29.tmp
C:\WINDOWS\Fonts\SETA2A.tmp
C:\WINDOWS\Fonts\SETA2B.tmp
C:\WINDOWS\Fonts\SETA2C.tmp
C:\WINDOWS\Fonts\SETA2D.tmp
C:\WINDOWS\Fonts\SETA2E.tmp
C:\WINDOWS\Fonts\SETA2F.tmp
C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nabtsfecc.sys
C:\WINDOWS\system32\drivers\qbxtsxyonorx.sys
C:\WINDOWS\system32\memopcax.dll
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\system32\RCX3058.tmp
C:\WINDOWS\system32\rushzcra.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nabtsfecc.sys
C:\Temp
C:\Temp\Ryuan1\tepU.log
C:\temp\tn3
C:\WINDOWS\Fonts\SET531.tmp
C:\WINDOWS\Fonts\SET532.tmp
C:\WINDOWS\Fonts\SET533.tmp
C:\WINDOWS\Fonts\SET534.tmp
C:\WINDOWS\Fonts\SET535.tmp
C:\WINDOWS\Fonts\SET536.tmp
C:\WINDOWS\Fonts\SET537.tmp
C:\WINDOWS\Fonts\SET538.tmp
C:\WINDOWS\Fonts\SET547.tmp
C:\WINDOWS\Fonts\SET548.tmp
C:\WINDOWS\Fonts\SET549.tmp
C:\WINDOWS\Fonts\SET54A.tmp
C:\WINDOWS\Fonts\SET54B.tmp
C:\WINDOWS\Fonts\SET54C.tmp
C:\WINDOWS\Fonts\SET54D.tmp
C:\WINDOWS\Fonts\SET54E.tmp
C:\WINDOWS\Fonts\SETA28.tmp
C:\WINDOWS\Fonts\SETA29.tmp
C:\WINDOWS\Fonts\SETA2A.tmp
C:\WINDOWS\Fonts\SETA2B.tmp
C:\WINDOWS\Fonts\SETA2C.tmp
C:\WINDOWS\Fonts\SETA2D.tmp
C:\WINDOWS\Fonts\SETA2E.tmp
C:\WINDOWS\Fonts\SETA2F.tmp
C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
C:\WINDOWS\Q291cnRuZXkgQ29ubmVsbA
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nabtsfecc.sys
C:\WINDOWS\system32\drivers\qbxtsxyonorx.sys
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\memopcax.dll
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\system32\RCX3058.tmp
C:\WINDOWS\system32\rushzcra.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NABTSFECC
-------\nabtsfecc


((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-03 19:20 . 2008-02-03 19:20 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-26 23:13 . 2008-01-26 23:15 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2008-01-26 23:13 . 2008-01-26 23:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SuperAdBlocker.com
2008-01-18 04:09 . 2005-10-20 16:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-01-18 02:48 . 2004-07-01 16:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-18 02:48 . 2004-07-01 16:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-18 02:48 . 2004-07-01 16:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-01-18 02:48 . 2004-07-01 16:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-18 02:48 . 2004-07-01 16:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-18 02:48 . 2004-07-01 16:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-18 02:48 . 2004-07-01 16:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-18 02:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-18 02:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-18 02:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-18 02:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-16 02:27 . 2008-01-26 23:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-15 14:02 . 2008-01-15 14:02 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-15 00:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 23:47 . 2008-01-14 23:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 23:47 . 2008-01-14 23:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-14 21:13 . 2008-01-14 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-14 20:51 . 2008-01-14 20:51 <DIR> d-------- C:\Program Files\Uniblue
2008-01-14 20:51 . 2008-01-14 20:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-01-14 11:54 . 2008-01-14 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 10:10 . 2008-01-14 21:35 118,784 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-14 00:04 . 2008-01-14 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 00:03 . 2008-02-08 08:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-14 00:03 . 2008-01-14 00:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-13 22:19 . 2008-02-08 08:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-13 22:19 . 2008-02-03 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 21:52 . 2008-01-14 09:25 <DIR> d-------- C:\Program Files\Dot1XCfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 14:06 --------- d-----w C:\Program Files\Trillian
2008-02-04 13:08 --------- d-----w C:\Program Files\QuickTime
2008-02-04 03:53 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-04 01:21 --------- d-----w C:\Program Files\Dome4Avon
2008-02-04 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-15 05:32 --------- d-----w C:\Program Files\Java
2008-01-06 06:33 --------- d-----w C:\Program Files\ISR Solutions
2007-12-10 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-08 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-08 03:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-02 10:10 1318912]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-01-14 20:57 1885464]
"SuperAdBlocker"="C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2008-02-02 10:30 1560576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-14 21:35 118784]
"RegistryMechanic"="" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-01-14 22:02 26112]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2008-01-14 22:02 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-01-14 21:44 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 11:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-02-27 11:24 159744 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 15:02]
S1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 10:17]
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\System32\DRIVERS\vnet558x.sys [2003-06-12 03:56]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 08:16:45
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-08 8:20:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 14:20:01
ComboFix2.txt 2008-02-04 14:20:06
ComboFix3.txt 2008-02-04 13:12:22
ComboFix4.txt 2008-02-04 04:55:21
ComboFix5.txt 2008-02-04 03:56:14
.
2008-02-08 09:01:13 --- E O F ---

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 08 February 2008 - 09:42 AM

First enable the viewing of hidden files and folders; reverse the process once you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx

Find and delete if present:
c:\nores.mht

It appears you've no virus protection installed, which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic [Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you've done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.

I don't see any signs of a firewall either, which you really do need.
You may be behind a hardware firewall (router/NAT), but it wouldn't hurt to install a third-party software firewall to enhance protection.
I suggest you download/install one of the following freeware firewalls from below:

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/
Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/
Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

You should take the time to read the following:
Understanding and Using Firewalls
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

Post a new HijackThis log, and let me know how your PC is running now.

#5 ~Dawn~
  • Topic Starter
  • Members
  • 48 posts

Posted 08 February 2008 - 02:48 PM

Here are the new reports. Everything seems to be running fine except I'm getting an error message on reboot that says there's an error with UniBlue. Not sure what this is. I've looked in Add/Remove Programs and don't see it listed there, and it's not in my program list.

AntiVir PersonalEdition Classic
Report file date: 2008-02-08 09:43

Scanning for 1036370 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: COURTNEY-F9CIC5

Version information:
BUILD.DAT : 269 15604 Bytes 2007-09-10 14:31:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 2007-08-23 20:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 2007-08-16 19:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 2007-08-14 22:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 2007-08-21 19:35:20
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 2006-05-31 19:32:40
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 2007-07-10 19:32:46
ANTIVIR2.VDF : 6.39.1.43 1542656 Bytes 2007-08-25 00:21:02
ANTIVIR3.VDF : 6.39.1.51 29696 Bytes 2007-08-28 14:22:36
AVEWIN32.DLL : 7.6.0.5 2789888 Bytes 2007-08-30 00:09:10
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2007-02-26 17:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 2007-07-18 14:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 20:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 2007-08-03 15:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 2007-07-18 14:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 2007-08-28 19:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 2007-07-18 14:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 2007-03-08 18:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 2007-08-07 19:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 2007-08-21 19:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2007-07-23 16:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2008-02-08 09:43

The scan of running processes will be started
Scan process 'regsvr32.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wmiadap.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiadap.exe' - '1' Module(s) have been scanned

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:48, on 2008-02-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200645939359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202481091687
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 4764 bytes

Edited by ~Dawn~, 08 February 2008 - 02:57 PM.


#6 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 08 February 2008 - 03:21 PM

Everything seems to be running fine except I'm getting an error message on reboot that says there's an error with UniBlue. Not sure what this is. I've looked in Add/Remove Programs and don't see it listed there and it's not in my program list.

Download the Windows Installer CleanUp Utility from the Microsoft Download Center:
http://download.microsoft.com/download/e/9...1bd/msicuu2.exe
Locate and run msicuu2.exe to install the Windows Installer CleanUp Utility.
Locate and launch the Windows Installer CleanUp Utility on the Start menu.
From the Windows Installer CleanUp Utility window, locate and highlight with a single left click Uniblue RegistryBooster 2 (or just Uniblue) in the list if it's present, then click the Remove button.
Once the application has been removed,click the Exit button to close the utility.
Restart your pc.


If no joy above,try this:
Please download OTMoveIt by OldTimer,save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\Uniblue
C:\Documents and Settings\Owner\Application Data\Uniblue


Return to OTMoveIt, right click on the "Paste Custom List of Files/Folders to Move" window under the "yellow" bar at the bottom, and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt by clicking on the "Exit" button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"=-

Post a new Hijackthis log please.
Also make sure you posted the entire contents of the Avira AntiVir Personal Edition Classic scan report.
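
Both fixes RichieUK has asked for so far, the O16 DPF entry HijackThis removed in post #4 and the fix.reg in this post that deletes the Uniblue Run value, can be checked and generated straight from the HijackThis log. The following Python script is an added example, not code from the thread, from HijackThis or from BleepingComputer: it parses O4 and O16 lines, flags a Downloaded Program Files source whose URL is not plain http(s) (the ms-its:mhtml:file://...!http://...chm::/ chain above hands IE a local file that redirects into a remote compiled help archive and loads an .ocx out of it), and writes a REGEDIT4 body that deletes named Run values and the Code Store Database key where IE records a downloaded control. The four sample log lines are copied from the thread's logs; the function names, the classification rules and the exact registry keys written by make_fix_reg are this example's assumptions.

```python
"""Triage HijackThis O4/O16 lines and build a REGEDIT4 fix file.

Added example; not code from the thread, HijackThis or BleepingComputer.
Registry paths, classification rules and helper names are assumptions.
"""
import re

# Constructed sample: four lines in HijackThis v2 format, copied from the
# thread's logs (the last one is the O16 entry RichieUK asked to fix).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [Uniblue RegistryBooster 2] C:\\Program Files\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe /S
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
"""

# O4 lines: "O4 - HKLM\..\Run: [name] command" (RunOnce/Startup variants skipped)
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O16 lines: "O16 - DPF: {CLSID} (description) - source URL"; description is optional
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>.*)$')

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Key where IE records each downloaded program file (assumed target of the O16 fix)
CODE_STORE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units"


def classify_dpf(url):
    """Return None for a plain http(s) source, else a reason the DPF entry is suspect."""
    low = url.lower()
    if low.startswith(("http://", "https://")):
        return None
    reasons = ["scheme %r is not http(s)" % low.split(":", 1)[0]]
    if "mhtml:" in low and "!http" in low:
        reasons.append("MHTML redirect from a local file to a remote target")
    if ".chm::/" in low:
        reasons.append("payload is a file inside a remote compiled HTML help (CHM) archive")
    return "; ".join(reasons)


def triage(log_text):
    """Parse O4 Run entries and O16 DPF entries; return the Run list and flagged DPFs."""
    run, flagged = [], []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            run.append((m["hive"], m["name"], m["cmd"]))
            continue
        m = O16_RE.match(line)
        if m:
            reason = classify_dpf(m["url"])
            if reason:
                flagged.append({"clsid": m["clsid"], "url": m["url"], "reason": reason})
    return {"run": run, "flagged_dpf": flagged}


def make_fix_reg(run_values, dpf_clsids=()):
    """Build a REGEDIT4 body: '"name"=-' deletes a value, '[-key]' deletes a key.

    run_values: iterable of (hive, name) for Run values to remove.
    dpf_clsids: CLSIDs of Downloaded Program Files entries to remove.
    Lines are joined with CRLF, the line ending regedit expects in a .reg file.
    """
    lines = ["REGEDIT4", ""]
    for hive in ("HKCU", "HKLM"):
        names = [n for h, n in run_values if h == hive]
        if names:
            lines.append("[%s\\%s]" % (HIVES[hive], RUN_KEY))
            lines.extend('"%s"=-' % n for n in names)
            lines.append("")
    for clsid in dpf_clsids:
        lines.append("[-%s\\%s]" % (CODE_STORE, clsid))
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry in result["flagged_dpf"]:
        print("suspicious O16 %s: %s" % (entry["clsid"], entry["reason"]))
    print(make_fix_reg([("HKCU", "Uniblue RegistryBooster 2")],
                       [e["clsid"] for e in result["flagged_dpf"]]))
```

Deleting the Code Store Database key only drops IE's record of the control; the .ocx itself stays in C:\WINDOWS\Downloaded Program Files until it is removed by hand, which is where Avira later found xpreload.ocx in this thread. Save the generated text as ANSI with the .reg extension before merging it; regedit refuses a file whose first line is not exactly REGEDIT4 (or Windows Registry Editor Version 5.00).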

#7 ~Dawn~
  • Topic Starter
  • Members
  • 48 posts

Posted 14 February 2008 - 08:34 AM

I didn't see UniBlue on the list with the Windows Installer Cleanup, so I did the OTMoveIt and here's the report:

[Custom Input]
< C:\Program Files\Uniblue >
C:\Program Files\Uniblue\RegistryBooster 2 moved successfully.
C:\Program Files\Uniblue moved successfully.
< C:\Documents and Settings\Owner\Application Data\Uniblue >
C:\Documents and Settings\Owner\Application Data\Uniblue\Registry Booster2 moved successfully.
C:\Documents and Settings\Owner\Application Data\Uniblue moved successfully.

OTMoveIt2 v1.0.20 log created on 02142008_072340


Worked... Didn't get the error on reboot. Thanks again for all your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:29, on 2008-02-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200645939359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202481091687
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 3935 bytes

I rescanned my system and here's the complete log...

AntiVir PersonalEdition Classic
Report file date: 2008-02-10 22:03

Scanning for 1096761 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: COURTNEY-F9CIC5

Version information:
BUILD.DAT : 270 15603 Bytes 2007-09-19 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 2007-08-23 20:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 2007-08-16 19:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 2007-08-14 22:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 2007-08-21 19:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 15:41:00
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 2007-12-14 15:41:00
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 2008-02-08 15:41:00
ANTIVIR3.VDF : 7.0.2.114 2048 Bytes 2008-02-08 15:41:00
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 2008-02-10 15:41:04
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2007-02-26 17:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 2007-07-18 14:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 20:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2008-02-10 15:41:05
AVREG.DLL : 7.0.1.6 30760 Bytes 2007-07-18 14:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 2007-08-28 19:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 2007-07-18 14:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 2007-03-08 18:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 2007-08-07 19:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 2007-08-21 19:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2007-07-23 16:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2008-02-10 22:03

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'SABSVC.EXE' - '1' Module(s) have been scanned
Scan process 'SAdBlock.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'trillian.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'symlcsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'RealPlay.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Smc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '30' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
[WARNING] The file could not be opened!
C:\QooBox\Quarantine\catchme2008-02-08_ 81617.73.zip
[0] Archive type: ZIP
--> nabtsfecc.sys
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.TO
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47ffd3de.qua'!
C:\QooBox\Quarantine\C\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4812d40f.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\mllml.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '481bd40b.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\mllml.exe.vir
[DETECTION] Is the Trojan horse TR/Drop.Agent.dgo.188
[INFO] The file was moved to '481bd40c.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX3058.tmp.vir
[DETECTION] Is the Trojan horse TR/Drop.Agent.dgo.188
[INFO] The file was moved to '4807d3e5.qua'!
C:\Sandbox\Owner\DefaultBox\drive\C\WINDOWS\System32\kb1111p.dll
[DETECTION] Is the Trojan horse TR/Agent.TT
[INFO] The file was deleted!
C:\Sandbox\Owner\DefaultBox\user\current\nax.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\Sandbox\Owner\DefaultBox\user\current\Local Settings\Temp\svchost.exe
[DETECTION] Is the Trojan horse TR/Agent.dje.1
[INFO] A backup was created as '4812d4d0.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\Sandbox\Owner\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\CP07IV89\rundll32[1].exe
[DETECTION] Is the Trojan horse TR/Agent.dje.1
[INFO] The file was moved to '481dd5b0.qua'!
C:\Sandbox\Owner\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\CPAFGJ0X\load[1].php
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP262\A0026874.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e0458a.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP262\A0026875.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e0458e.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP262\A0026876.exe
[DETECTION] Is the Trojan horse TR/Drop.Agent.dgo.188
[INFO] The file was moved to '47e04590.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP263\A0026915.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e04594.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP264\A0026916.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e04595.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP264\A0026917.exe
[DETECTION] Is the Trojan horse TR/Drop.Agent.dgo.188
[INFO] The file was moved to '47e04597.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP264\A0026922.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e04599.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP267\A0027118.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e045af.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP267\A0027119.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e045b4.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP267\A0027120.exe
[DETECTION] Is the Trojan horse TR/Drop.Agent.dgo.188
[INFO] The file was moved to '47e045b6.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP268\A0027140.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e045bb.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP268\A0027142.exe
[DETECTION] Is the Trojan horse TR/Drop.Agent.dgo.188
[INFO] The file was moved to '47e045bd.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP268\A0027176.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e045c1.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP268\A0027177.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e045c3.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP268\A0027178.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e045c4.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP281\A0031681.dll
[DETECTION] Is the Trojan horse TR/Agent.TT
[INFO] The file was moved to '47e04701.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP281\A0031682.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47e04703.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP281\A0031683.exe
[DETECTION] Is the Trojan horse TR/Agent.dje.1
[INFO] The file was moved to '47e04704.qua'!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP281\A0031684.exe
[DETECTION] Is the Trojan horse TR/Agent.dje.1
[INFO] The file was moved to '47e04705.qua'!
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
[DETECTION] Is the Trojan horse TR/Dldr.VB.cdq
[INFO] The file was moved to '482248ad.qua'!


End of the scan: 2008-02-11 07:21
Used time: 9:17:15 min

The scan has been done completely.

5197 Scanning directories
238368 Files were scanned
33 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
7 files were deleted
0 files were repaired
27 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
238335 Files not concerned
2574 Archives were scanned
2 Warnings
0 Notes

Edited by ~Dawn~, 14 February 2008 - 08:59 AM.
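
The report above counts 33 detections, but where each file sat matters more than the number: most are copies already held in ComboFix's QooBox quarantine, in an application sandbox under C:\Sandbox (the DefaultBox layout Sandboxie uses), or in System Restore points, none of which execute from where they are; the one live file was xpreload.ocx under Downloaded Program Files, the control behind the O16 entry fixed in post #4. The following Python script is an added example, not the thread's or Avira's code: it parses the report format shown above (a path line, an optional "-->" archive member, then [DETECTION] and [INFO] lines) into records, classifies each by location, and tallies by location, family and action. The sample is an excerpt of the report above; the location labels, the classification rules and the function names are this example's assumptions.

```python
"""Classify Avira AntiVir report detections by where the file lives.

Added example; not the thread's or Avira's code. Location labels,
classification rules and function names are this example's assumptions.
"""
import re
from collections import Counter

# Constructed sample: an excerpt of the report posted in the thread.
SAMPLE_REPORT = r"""
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\QooBox\Quarantine\catchme2008-02-08_ 81617.73.zip
[0] Archive type: ZIP
--> nabtsfecc.sys
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.TO
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\mllml.exe.vir
[DETECTION] Is the Trojan horse TR/Drop.Agent.dgo.188
[INFO] The file was moved to '481bd40c.qua'!
C:\Sandbox\Owner\DefaultBox\user\current\Local Settings\Temp\svchost.exe
[DETECTION] Is the Trojan horse TR/Agent.dje.1
[INFO] A backup was created as '4812d4d0.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA55AE51-A92C-4D26-B408-6D3305C1B842}\RP262\A0026874.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e0458a.qua'!
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
[DETECTION] Is the Trojan horse TR/Dldr.VB.cdq
[INFO] The file was moved to '482248ad.qua'!
"""

# A record group starts with a drive-letter path; everything else is a status line.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def classify_location(path):
    """Map a path to where the file sat when Avira found it (assumed labels)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"       # already neutralised by ComboFix
    if p.startswith("c:\\sandbox\\"):
        return "sandboxie sandbox"          # never touched the real system
    if "\\system volume information\\_restore" in p:
        return "system restore point"       # inert unless a restore is run
    return "live"                           # on the real file system


def parse_report(text):
    """Turn the path / [DETECTION] / [INFO] groups of a report into records."""
    records, current, member = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current, member = line, None
        elif line.startswith("-->"):          # member inside an archive
            member = line[3:].strip()
        elif line.startswith("[DETECTION]") and current:
            records.append({"path": current, "member": member,
                            "family": line.split()[-1],
                            "location": classify_location(current),
                            "action": None})
        elif line.startswith("[INFO]") and records and records[-1]["path"] == current:
            # The last [INFO] for a file is its final disposition; the
            # "backup was created" line before a delete is not one.
            if "was deleted" in line:
                records[-1]["action"] = "deleted"
            elif "was moved to" in line:
                records[-1]["action"] = "quarantined"
    return records


def summarize(records):
    """Tally detections by location, family and action."""
    return {"by_location": Counter(r["location"] for r in records),
            "by_family": Counter(r["family"] for r in records),
            "by_action": Counter(r["action"] for r in records)}


def live_hits(records):
    """Paths of detections that were on the real file system."""
    return [r["path"] for r in records if r["location"] == "live"]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for key, counter in summarize(recs).items():
        print(key, dict(counter))
    print("live:", live_hits(recs))
```

Run against the full report, the live list is the part worth acting on; hits inside System Restore points are harmless until someone rolls back to that point, which is why cleanup guides finish by purging old restore points once the machine is confirmed clean.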


#8 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 14 February 2008 - 09:03 AM

The only other thing that has been a problem since this all started is that I cannot open links from my Outlook email, I just get a blank IE page.

Lets try this:
Download/unzip iereg.bat, which is attached below.
Once unzipped, double click on iereg.bat.
You may see a black command window flash; that's normal.
Restart your PC.

How Do I Unzip a File in Windows XP?
http://consumer.installshield.com/kb.asp?id=q108326

If there's still no joy and you have the Microsoft Windows XP installation disk:
Click Start > Run, type sfc /scannow, then press OK.
Leave a space between sfc and /scannow.
Reboot when you've done.

Attached Files


Edited by RichieUK, 14 February 2008 - 09:04 AM.


#9 ~Dawn~
  • Topic Starter
  • Members
  • 48 posts

Posted 14 February 2008 - 04:37 PM

I forgot to mention something else. Since we started doing these fixes my clock keeps converting to military time even though I correct it to show the h:mm format. How can I get that to stay?

#10 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 14 February 2008 - 04:44 PM

I forgot to mention something else. Since we started doing these fixes my clock keeps converting to military time even though I correct it to show the h:mm format. How can I get that to stay?

We can sort that out soon. Other than that, how's your PC running now?
Post a new HijackThis log please.



