
Am I Clean?


This topic is locked. 18 replies to this topic.

#1 sjuanie


Posted 15 February 2008 - 05:05 PM

There are a few items I am not sure about, one being ddccy. I just want to make sure I am not infected.

Thanks,
Steve




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:36 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Infection Prevention\Google\Google Updater\GoogleUpdater.exe
C:\INFECTION PREVENTION\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livinghopeoakdale.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Infection Prevention\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...r/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...rols/en/x86/client/wuweb_site.cab?1189661198875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...rols/en/x86/client/muweb_site.cab?1189661096203
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccy - C:\WINDOWS\
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: gebbbcd - gebbbcd.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe (file missing)
O23 - Service: Biometric Authentication Service (DpHost) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DpHost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VWPR - Unknown owner - C:\DOCUME~1\Manager\LOCALS~1\Temp\VWPR.exe (file missing)
O24 - Desktop Component 0: (no name) - About:Home

--
End of file - 6664 bytes


#2 teacup61

  • Malware Response Team

Posted 15 February 2008 - 08:35 PM

Hello sjuanie,

Welcome to Bleeping Computer :thumbsup:

The current formatting of your log makes it difficult to read. Please open Notepad:
on top, click Format > uncheck Word Wrap.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 sjuanie


Posted 15 February 2008 - 11:26 PM

Sorry about that, and thanks for the response. I was hoping to get this finished by Saturday noon if possible.

Here is the ComboFix log.

ComboFix 08-02-16.2 - Manager 2008-02-15 20:14:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.759 [GMT -8:00]
Running from: C:\Documents and Settings\Manager\Local Settings\Temporary Internet Files\Content.IE5\YF9N5611\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Manager\Application Data\ASKS~1
C:\Documents and Settings\Manager\Application Data\YMANTE~1
C:\Documents and Settings\Manager\err.log
C:\Documents and Settings\Manager\My Documents\FNTS~1
C:\Documents and Settings\youth\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\youth\Start Menu\Programs\Startup\think-adz.lnk
C:\Program Files\Common Files\crosof~1
C:\Program Files\icroso~1
C:\Program Files\svhost
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\mbols~1
C:\WINDOWS\system32\acgfbjxy.ini
C:\WINDOWS\system32\ajptycrb.ini
C:\WINDOWS\system32\algrihwi.ini
C:\WINDOWS\system32\arjpcqhv.ini
C:\WINDOWS\system32\bmvutorv.ini
C:\WINDOWS\system32\bndpribi.ini
C:\WINDOWS\system32\casxcoga.ini
C:\WINDOWS\system32\cqeqvrvt.ini
C:\WINDOWS\system32\diiewblg.ini
C:\WINDOWS\system32\dtopvpth.ini
C:\WINDOWS\system32\ejuivbqm.ini
C:\WINDOWS\system32\eqiaruvb.ini
C:\WINDOWS\system32\erjkogxa.ini
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\fsmmpfvq.ini
C:\WINDOWS\system32\gaavhnnl.ini
C:\WINDOWS\system32\glrrsssy.ini
C:\WINDOWS\system32\gnmxuofu.ini
C:\WINDOWS\system32\gpnmqrca.ini
C:\WINDOWS\system32\gqjrqurs.ini
C:\WINDOWS\system32\H7
C:\WINDOWS\system32\hkowxibu.ini
C:\WINDOWS\system32\hrljvvvs.ini
C:\WINDOWS\system32\inhgfdgj.ini
C:\WINDOWS\system32\jxauwhtw.ini
C:\WINDOWS\system32\kmyfhfbk.ini
C:\WINDOWS\system32\mysndyvt.ini
C:\WINDOWS\system32\ngomxauw.ini
C:\WINDOWS\system32\nqmvlkgx.ini
C:\WINDOWS\system32\nsufxwnw.ini
C:\WINDOWS\system32\pekvubjt.ini
C:\WINDOWS\system32\pujihbpq.ini
C:\WINDOWS\system32\qautnybe.ini
C:\WINDOWS\system32\qvnhsocm.ini
C:\WINDOWS\system32\rbfnahvm.ini
C:\WINDOWS\system32\rjhegpkj.ini
C:\WINDOWS\system32\tqhxtuim.ini
C:\WINDOWS\system32\tvpjwopt.ini
C:\WINDOWS\system32\uctpnydd.ini
C:\WINDOWS\system32\uetplcsd.ini
C:\WINDOWS\system32\vfaspoql.ini
C:\WINDOWS\system32\vquoovbv.ini
C:\WINDOWS\system32\vrddxmgw.ini
C:\WINDOWS\system32\vybcoxoi.ini
C:\WINDOWS\system32\wdivbnkg.ini
C:\WINDOWS\system32\wncjuxip.ini
C:\WINDOWS\system32\yfxseodj.ini
C:\WINDOWS\system32\ylxwdblr.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 13:02 . 2008-02-15 13:02 <DIR> d-------- C:\VundoFix Backups
2008-02-15 10:04 . 2008-02-15 10:39 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 09:17 . 2008-02-15 09:19 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-15 08:16 . 2008-02-15 14:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-15 08:16 . 2008-02-15 14:08 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\SUPERAntiSpyware.com
2008-02-15 08:16 . 2008-02-15 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-15 02:18 . 2008-02-15 02:18 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-15 02:08 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-15 02:08 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-15 00:08 . 2008-02-15 14:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-14 23:43 . 2008-02-14 23:44 <DIR> d-------- C:\grisoft
2008-02-14 23:18 . 2008-02-15 14:12 <DIR> d-------- C:\Program Files\Infection Prevention
2008-02-14 22:23 . 2008-02-14 22:42 <DIR> d-------- C:\INFECTION PREVENTION
2008-02-14 21:41 . 2008-02-15 02:23 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-14 20:34 . 2008-02-15 02:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 20:10 . 2008-02-15 14:06 <DIR> d-------- C:\Program Files\Google
2008-02-14 20:10 . 2008-02-14 20:10 23,552 --a------ C:\WINDOWS\system32\drivers\phooks.sys
2008-02-14 20:09 . 2008-02-14 20:09 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\Grisoft
2008-02-14 19:30 . 2008-02-14 23:53 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-02-14 19:30 . 2008-02-14 21:14 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\Spyware Terminator
2008-02-14 19:30 . 2008-02-14 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-02-14 19:08 . 2008-02-14 21:46 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\AVG7
2008-02-14 19:08 . 2008-02-14 19:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-14 19:07 . 2008-02-14 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-14 19:07 . 2008-02-15 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-14 16:29 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-02-14 16:29 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-02-14 16:29 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-02-14 16:29 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-02-14 16:29 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-02-14 16:29 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-02-14 16:29 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-02-14 16:27 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-02-14 16:26 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-02-14 16:25 . 2001-08-17 14:56 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-02-14 16:24 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-02-14 16:23 . 2004-08-03 22:41 404,990 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2008-02-14 16:22 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-02-14 16:21 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-02-14 16:20 . 2004-08-04 00:56 363,520 --a--c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-02-14 16:19 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-02-14 16:18 . 2004-08-04 00:56 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-02-14 16:17 . 2004-08-04 00:56 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-02-14 16:16 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-02-14 16:15 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-02-14 16:14 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-02-14 16:13 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-02-14 16:12 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-02-14 16:11 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-02-14 16:10 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-02-14 16:09 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-02-14 16:08 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-02-14 16:08 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2008-02-14 16:08 . 2001-08-17 12:48 148,352 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2008-02-14 16:08 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-02-14 16:08 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-02-14 16:08 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2008-02-14 13:04 . 2008-02-14 13:04 <DIR> d-------- C:\Program Files\Snapshot
2008-02-11 18:51 . 2008-02-15 01:37 <DIR> d-------- C:\My Shout
2008-02-11 16:22 . 2008-02-11 16:22 10 --a------ C:\WINDOWS\WININIT.INI
2008-02-10 09:52 . 2008-02-10 09:55 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-10 09:39 . 2008-02-10 09:39 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-20 18:35 . 2008-01-20 18:35 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-01-20 18:35 . 2008-01-20 18:35 4,286 --a------ C:\WINDOWS\system32\cruise-006.ico
2008-01-17 19:20 . 2008-01-19 17:28 15,518 --ahs---- C:\WINDOWS\system32\yvnoioim.ini
2008-01-17 18:20 . 2008-01-17 18:20 15,398 --ahs---- C:\WINDOWS\system32\vepjmnuj.ini
2008-01-17 16:20 . 2008-01-17 18:14 15,338 --ahs---- C:\WINDOWS\system32\qvokkxue.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 06:40 --------- d-----w C:\Documents and Settings\Manager\Application Data\U3
2008-02-15 02:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 02:15 --------- d-----w C:\Program Files\DigitalPersona
2008-02-13 19:27 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-01-20 02:35 --------- d-----w C:\Program Files\MediaShout 2
2008-01-09 23:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-31 04:13 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-09-05 00:05 738,944 -csha-w C:\WINDOWS\system32\rhrxdqka.ini2
2007-09-06 03:08 355 -csha-w C:\WINDOWS\system32\wekbllci.ini2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 335,872 2004-05-26 06:35:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 229,952 2006-09-25 21:54:24 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 256,576 2006-10-30 17:36:36 C:\Program Files\iTunes\iTunesHelper.exe

-c--a-w 282,624 2006-09-24 10:24:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2006-10-26 02:58:18 C:\Program Files\QuickTime\qttask.exe

-c--a-w 155,648 2003-07-13 09:49:48 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 05:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 05:24 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Use for Projector\Start Menu\Programs\Startup\
MediaShout 2.lnk - C:\Program Files\MediaShout 2\MediaShout 2.exe [2005-03-10 20:07:23 1351680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-09-08 15:45 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbcd]
gebbbcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Manager^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\Manager\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Manager^Start Menu^Programs^Startup^Shortcut to New Text Document (2).txt.lnk]
path=C:\Documents and Settings\Manager\Start Menu\Programs\Startup\Shortcut to New Text Document (2).txt.lnk
backup=C:\WINDOWS\pss\Shortcut to New Text Document (2).txt.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVDCreator2.exe]

R0 phooks;phooks;C:\WINDOWS\system32\drivers\phooks.sys [2008-02-14 20:10]
S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys []
S3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 16:58]
S3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 16:59]
S3 VWPR;VWPR;C:\DOCUME~1\Manager\LOCALS~1\Temp\VWPR.exe []
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-07 17:53]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-11-17 01:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38e15134-9df1-11db-a99d-f7c93055be34}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e11ece5-6fae-11dc-aaac-8f2e91749ec1}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf5be9a6-b1ac-11dc-ab1c-c5c0660fb28e}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2006-09-24 00:45:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 20:16:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-02-15 20:17:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 04:17:50
.
2008-02-15 10:19:19 --- E O F ---


And here is HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:57 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\INFECTION PREVENTION\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livinghopeoakdale.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189661198875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189661096203
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddccy - C:\WINDOWS\
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: gebbbcd - gebbbcd.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe (file missing)
O23 - Service: Biometric Authentication Service (DpHost) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DpHost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VWPR - Unknown owner - C:\DOCUME~1\Manager\LOCALS~1\Temp\VWPR.exe (file missing)
O24 - Desktop Component 0: (no name) - About:Home

--
End of file - 5758 bytes


Thanks,
Steve

#4 teacup61

  • Malware Response Team

Posted 16 February 2008 - 01:18 AM

Hello Steve,

I guess you can see that this machine was pretty badly infected, and for quite a while. :thumbsup: Still, I think we'll be done by your deadline... this is a client's machine? How is it running?

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: ddccy - C:\WINDOWS\
O20 - Winlogon Notify: gebbbcd - gebbbcd.dll (file missing)
O23 - Service: VWPR - Unknown owner - C:\DOCUME~1\Manager\LOCALS~1\Temp\VWPR.exe (file missing)
O24 - Desktop Component 0: (no name) - About:Home


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbcd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccy]


Save this as a text file, CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 sjuanie
  • Topic Starter
  • Members
  • 10 posts

Posted 16 February 2008 - 05:15 AM

Yes, I have cleaned out 2,000+ infections so far, running various scans. It is for a church that runs a program called shout media; it stopped working and their tech couldn't fix it. I have fixed that and thought I would also clean it out for them. They need it by Saturday afternoon, so I do appreciate the help. It actually runs very well now. One other problem I can't seem to fix is they want to get rid of Digitalpersona Password Manager; they tried ADD/REMOVE and it wouldn't. I have managed to remove it from ADD/REMOVE using RevoUninstaller, but it still pops up when restarting. I would think if they reinstalled they would then be able to use ADD/REMOVE. The problem with all this is they let some of the kids have access to this PC.

Anyway, there is more to this story, but here are the scans you requested.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:15 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.exe
C:\INFECTION PREVENTION\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livinghopeoakdale.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189661198875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189661096203
O20 - AppInit_DLLs:
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe (file missing)
O23 - Service: Biometric Authentication Service (DpHost) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DpHost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 5348 bytes


And Combofix Log.

ComboFix 08-02-16.2 - Manager 2008-02-16 1:55:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.723 [GMT -8:00]
Running from: C:\Documents and Settings\Manager\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Manager\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 20:55 . 2008-02-15 20:55 <DIR> d-------- C:\WINDOWS\TEMPImages
2008-02-15 20:55 . 2008-02-15 21:00 <DIR> d-------- C:\Program Files\MyUninstallerACE
2008-02-15 20:43 . 2008-02-15 20:43 42 --a------ C:\WINDOWS\system32\AK083E209605E394C.lie
2008-02-15 20:42 . 2008-02-15 20:53 <DIR> d-------- C:\Program Files\Perfect Uninstaller
2008-02-15 20:35 . 2008-02-15 20:35 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\URSoft
2008-02-15 13:02 . 2008-02-15 13:02 <DIR> d-------- C:\VundoFix Backups
2008-02-15 10:04 . 2008-02-15 10:39 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 09:17 . 2008-02-15 09:19 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-15 08:16 . 2008-02-15 14:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-15 08:16 . 2008-02-15 14:08 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\SUPERAntiSpyware.com
2008-02-15 08:16 . 2008-02-15 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-15 02:18 . 2008-02-15 02:18 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-15 02:08 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-15 02:08 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-15 00:08 . 2008-02-15 14:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-14 23:18 . 2008-02-15 14:12 <DIR> d-------- C:\Program Files\Infection Prevention
2008-02-14 22:23 . 2008-02-14 22:42 <DIR> d-------- C:\INFECTION PREVENTION
2008-02-14 21:41 . 2008-02-15 02:23 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-14 20:34 . 2008-02-15 20:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 20:10 . 2008-02-15 14:06 <DIR> d-------- C:\Program Files\Google
2008-02-14 20:10 . 2008-02-14 20:10 23,552 --a------ C:\WINDOWS\system32\drivers\phooks.sys
2008-02-14 20:09 . 2008-02-14 20:09 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\Grisoft
2008-02-14 19:30 . 2008-02-14 23:53 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-02-14 19:30 . 2008-02-14 21:14 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\Spyware Terminator
2008-02-14 19:30 . 2008-02-14 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-02-14 19:08 . 2008-02-14 21:46 <DIR> d-------- C:\Documents and Settings\Manager\Application Data\AVG7
2008-02-14 19:08 . 2008-02-14 19:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-14 19:07 . 2008-02-14 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-14 19:07 . 2008-02-15 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-14 16:29 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-02-14 16:29 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-02-14 16:29 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-02-14 16:29 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-02-14 16:29 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-02-14 16:29 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-02-14 16:29 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-02-14 16:27 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-02-14 16:26 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-02-14 16:25 . 2001-08-17 14:56 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-02-14 16:24 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-02-14 16:23 . 2004-08-03 22:41 404,990 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2008-02-14 16:22 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-02-14 16:21 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-02-14 16:20 . 2004-08-04 00:56 363,520 --a--c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-02-14 16:19 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-02-14 16:18 . 2004-08-04 00:56 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-02-14 16:17 . 2004-08-04 00:56 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-02-14 16:16 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-02-14 16:15 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-02-14 16:14 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-02-14 16:13 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-02-14 16:12 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-02-14 16:11 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-02-14 16:10 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-02-14 16:09 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-02-14 16:08 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-02-14 16:08 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2008-02-14 16:08 . 2001-08-17 12:48 148,352 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2008-02-14 16:08 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-02-14 16:08 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-02-14 16:08 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2008-02-14 13:04 . 2008-02-14 13:04 <DIR> d-------- C:\Program Files\Snapshot
2008-02-11 18:51 . 2008-02-15 01:37 <DIR> d-------- C:\My Shout
2008-02-11 16:22 . 2008-02-11 16:22 10 --a------ C:\WINDOWS\WININIT.INI
2008-02-10 09:52 . 2008-02-10 09:55 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-10 09:39 . 2008-02-10 09:39 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-20 18:35 . 2008-01-20 18:35 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-01-20 18:35 . 2008-01-20 18:35 4,286 --a------ C:\WINDOWS\system32\cruise-006.ico
2008-01-17 19:20 . 2008-01-19 17:28 15,518 --ahs---- C:\WINDOWS\system32\yvnoioim.ini
2008-01-17 18:20 . 2008-01-17 18:20 15,398 --ahs---- C:\WINDOWS\system32\vepjmnuj.ini
2008-01-17 16:20 . 2008-01-17 18:14 15,338 --ahs---- C:\WINDOWS\system32\qvokkxue.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 06:40 --------- d-----w C:\Documents and Settings\Manager\Application Data\U3
2008-02-15 02:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 02:15 --------- d-----w C:\Program Files\DigitalPersona
2008-02-13 19:27 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-01-20 02:35 --------- d-----w C:\Program Files\MediaShout 2
2008-01-09 23:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-31 04:13 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-09-05 00:05 738,944 -csha-w C:\WINDOWS\system32\rhrxdqka.ini2
2007-09-06 03:08 355 -csha-w C:\WINDOWS\system32\wekbllci.ini2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 335,872 2004-05-26 06:35:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 229,952 2006-09-25 21:54:24 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 256,576 2006-10-30 17:36:36 C:\Program Files\iTunes\iTunesHelper.exe

-c--a-w 282,624 2006-09-24 10:24:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2006-10-26 02:58:18 C:\Program Files\QuickTime\qttask.exe

-c--a-w 155,648 2003-07-13 09:49:48 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 05:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 05:24 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Use for Projector\Start Menu\Programs\Startup\
MediaShout 2.lnk - C:\Program Files\MediaShout 2\MediaShout 2.exe [2005-03-10 20:07:23 1351680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-09-08 15:45 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Manager^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\Manager\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Manager^Start Menu^Programs^Startup^Shortcut to New Text Document (2).txt.lnk]
path=C:\Documents and Settings\Manager\Start Menu\Programs\Startup\Shortcut to New Text Document (2).txt.lnk
backup=C:\WINDOWS\pss\Shortcut to New Text Document (2).txt.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVDCreator2.exe]

R0 phooks;phooks;C:\WINDOWS\system32\drivers\phooks.sys [2008-02-14 20:10]
S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys []
S3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 16:58]
S3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 16:59]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-07 17:53]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-11-17 01:42]
S4 VWPR;VWPR;C:\DOCUME~1\Manager\LOCALS~1\Temp\VWPR.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38e15134-9df1-11db-a99d-f7c93055be34}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e11ece5-6fae-11dc-aaac-8f2e91749ec1}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf5be9a6-b1ac-11dc-ab1c-c5c0660fb28e}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2006-09-24 00:45:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 01:55:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 1:56:04
ComboFix-quarantined-files.txt 2008-02-16 09:56:02
ComboFix2.txt 2008-02-16 04:17:54
.
2008-02-15 10:19:19 --- E O F ---

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 February 2008 - 12:21 PM

Hello,

Thanks for telling me. :thumbsup: Well....after that scan I can see that there is even more going on than we saw at first. :blink:

# Please download FindAWF by noahdfear and save it to your desktop.

# Please double-click FindAWF.exe to run it.
# If a security alert shows, allow the program to run.
# When the tool has completed, a report will open in Notepad.
# Please post the results of the awf.txt in your next reply.

Thanks,
tea

#7 sjuanie
  • Topic Starter
  • Members
  • 10 posts

Posted 16 February 2008 - 01:14 PM

Thanks Tea, I am doing this on my own free time as I know you do, so I do appreciate it. I assumed you just wanted option #1, so here it is.



Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sat 02/16/2008
The current time is: 10:07:57.56


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/25/2006 01:54 PM 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/13/2003 01:49 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

05/25/2004 10:35 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 3 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 13 2003 "C:\WINDOWS\system32\bak\NeroCheck.exe"
335872 May 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"


end of report


Thanks,
Steve

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 February 2008 - 01:34 PM

Hi Steve,

You're most welcome. :blink: Someone needs to have a talk with the Pastor about the kiddos getting on this machine. It's a real mess. What we're doing with FixAWF is unscrambling the legit files and putting them back where they belong. That should give you an idea of what this particular infection does, and there were/are several on this machine. :thumbsup:

You assumed right sir! :wacko: Please double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Thanks,
tea

#9 sjuanie
  • Topic Starter
  • Members
  • 10 posts

Posted 16 February 2008 - 01:57 PM

I have spoken with him. I am going to recommend a program called Trustware BufferZone Pro. It isolates all web-based activities, including email and IM software, at the application level. So applications stay sheathed in a virtualized shell, write requests are diverted to a virtual folder, it doesn't rely on definition updates, and it blocks against both known and unknown threats equally. It also protects against harmful files on removable media. Now I haven't tried it yet, but they offer to pay you $500.00 if it fails to protect, with a few exceptions of course. But it was tested by a 3rd party and worked like a charm.

Ok, here is the scan. I hope I did it right, this was a bit more confusing.



Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sat 02/16/2008
The current time is: 10:46:06.35


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/25/2006 01:54 PM 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/13/2003 01:49 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

05/25/2004 10:35 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

229952 Sep 25 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 3 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 13 2003 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 13 2003 "C:\WINDOWS\system32\bak\NeroCheck.exe"
335872 May 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
335872 May 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"


end of report

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 February 2008 - 02:08 PM

Good. I'm glad you're working on preventing this from happening again. :wacko:

I can tell at a glance you did this right. :thumbsup: If you'll notice, now the files look more like duplicates, with the same dates and everything. What this next step will do is eliminate the bad folders the files were residing in:

Please double-click the FindAWF icon once again.
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\WINDOWS\system32\bak
C:\Program Files\QuickTime\bak
C:\Program Files\iTunes\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.


Option 4

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT.

In your reply, please post a new HijackThis log and let me know how it's running. :blink:

Thanks,
tea
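As an added example (not part of this thread and not FindAWF's own code), the Python below parses the "Duplicate files of bak directory contents" section of a FindAWF report and flags the pattern tea describes in posts #8 and #10: the legitimate executable sitting in a bak subfolder while the same-named file in the parent folder is missing or differs in size or date. The sample lines are copied (abridged) from the two reports above, before and after option 2; paths are handled with PureWindowsPath so the script runs on any OS.

```python
"""Added example: detect the AWF pattern in a FindAWF report (not FindAWF's own code).

AWF moves a legitimate autostart executable into a 'bak' subfolder and drops a
different file under the original name in the parent folder. This parser reads
the 'Duplicate files of bak directory contents' section and compares each bak
copy with its parent-folder twin by size and printed date."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Report line format: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$')

# Constructed sample input, copied (abridged) from the two reports in this thread.
PRE_RESTORE = r"""
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 3 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 13 2003 "C:\WINDOWS\system32\bak\NeroCheck.exe"
335872 May 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"""

POST_RESTORE = r"""
229952 Sep 25 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 13 2003 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 13 2003 "C:\WINDOWS\system32\bak\NeroCheck.exe"
335872 May 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
335872 May 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"""


@dataclass(frozen=True)
class Entry:
    size: int
    date: tuple  # (month, day, year) exactly as FindAWF prints it
    path: str


def parse_duplicates(report_text):
    """Return an Entry for every parsable report line; other lines are ignored."""
    entries = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries.append(Entry(int(size), (mon.title(), int(day), int(year)), path))
    return entries


def classify_bak_entries(report_text):
    """Map each bak copy's parent-folder path to a status:
    'suspect-replaced' (twin differs in size or date: the AWF pattern),
    'parent-missing' (no twin listed), or 'restored' (twin matches)."""
    entries = parse_duplicates(report_text)
    by_path = {e.path.lower(): e for e in entries}
    result = {}
    for e in entries:
        p = PureWindowsPath(e.path)
        if p.parent.name.lower() != "bak":
            continue  # only files living in a bak folder are of interest
        parent_path = str(p.parent.parent / p.name)
        twin = by_path.get(parent_path.lower())
        if twin is None:
            result[parent_path] = "parent-missing"
        elif (twin.size, twin.date) == (e.size, e.date):
            result[parent_path] = "restored"
        else:
            result[parent_path] = "suspect-replaced"
    return result


def files_to_restore(report_text):
    """Quoted bak paths to paste into the files.txt list of FindAWF option 2:
    every bak copy whose parent-folder twin is missing or differs."""
    status = classify_bak_entries(report_text)
    wanted = []
    for e in parse_duplicates(report_text):
        p = PureWindowsPath(e.path)
        if p.parent.name.lower() == "bak" and status[str(p.parent.parent / p.name)] != "restored":
            wanted.append(f'"{e.path}"')
    return wanted


if __name__ == "__main__":
    for label, text in (("before option 2", PRE_RESTORE), ("after option 2", POST_RESTORE)):
        print(label)
        for path, status in classify_bak_entries(text).items():
            print(f"  {status:17} {path}")
```

Note that qttask.exe is caught only because the printed dates differ: the sizes in the pre-restore report are identical, which is why comparing size alone is not enough.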

#11 sjuanie
  • Topic Starter
  • Members
  • 10 posts

Posted 16 February 2008 - 02:19 PM

Here is FindAWF log:


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Sat 02/16/2008
The current time is: 11:14:41.26


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Hijack to follow

Steve

#12 sjuanie
  • Topic Starter
  • Members
  • 10 posts

Posted 16 February 2008 - 02:20 PM

And the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:05 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\INFECTION PREVENTION\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livinghopeoakdale.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189661198875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189661096203
O20 - AppInit_DLLs:
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe (file missing)
O23 - Service: Biometric Authentication Service (DpHost) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DpHost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 5277 bytes


Thanks,
Steve

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 February 2008 - 02:28 PM

Good....AWF is gone. You did great! :thumbsup: How is it running?

You need to get an AntiVirus on it now. Do you have one in mind? AVG, Avira OR Avast are good FREE antivirus.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#14 sjuanie

sjuanie
  • Topic Starter

  • Members
  • 10 posts

Posted 16 February 2008 - 02:34 PM

It runs great, thank you so much. I use AVG, but their concern was these programs bogging down the computer and making the ShoutMedia program run slow. But, at what risk I say, so I will recommend the three you mentioned and leave it up to them, I will bring the installation files on my thumb drive. One last question, I was using my thumb drive to install programs on their computer, I assume it can get infected as well? And if so, do you have a recommendation on what I should do about it?

Thanks again, you are a blessing.

Steve

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 February 2008 - 02:45 PM

You can delete FindAWF. :blink:

Did you also uninstall SpywareDoctor? Let's get rid of the leftovers then:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe (file missing)
O23 - Service: Biometric Authentication Service (DpHost) - Unknown owner - C:\Program Files\DigitalPersona\Bin\DpHost.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Delete the following folders, if present:

C:\Program Files\Spyware Doctor
C:\PROGRA~1\Grisoft

Reboot the computer.

Now my system has VERY limited resources, and I run Avast! and Comodo firewall ( http://comodo.com ) just fine, so I don't think there would be a huge problem. :thumbsup:

You're most welcome, and have a great one!
tea
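As an added triage example (not code from the thread, from HijackThis, or from BleepingComputer): a small parser for the O23 service lines in this log format that separates registrations whose binary is gone, like the AVG and Spyware Doctor leftovers tea lists above, from services that still need a human look. The sample log lines are constructed in the thread's format; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in HijackThis v2 log format, modelled on the thread's log
# (a subset, not the full log itself).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
"""

# O23 layout: "O23 - Service: <display> [(<short>)] - <owner> - <path> [(file missing)]"
# The short name in parentheses is the service's key under the Services registry hive;
# it is absent when display and short name are identical (e.g. spkrmon).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    path: str
    file_missing: bool


def parse_services(log_text: str) -> list:
    """Return every O23 line as a ServiceEntry; other sections (O4, O16, ...) are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["display"], m["short"], m["owner"],
                                        m["path"], m["missing"] is not None))
    return entries


def triage(log_text: str) -> dict:
    """Bucket services: 'orphaned' = binary gone (uninstall leftovers, safe to fix),
    'review' = binary present but HijackThis read no publisher, 'known' = publisher read."""
    buckets = {"orphaned": [], "review": [], "known": []}
    for e in parse_services(log_text):
        if e.file_missing:
            buckets["orphaned"].append(e)
        elif e.owner == "Unknown owner":
            buckets["review"].append(e)
        else:
            buckets["known"].append(e)
    return buckets


def orphaned_service_names(log_text: str) -> list:
    """Short names of the orphaned entries, i.e. what you would check in HijackThis."""
    return [e.short or e.display for e in parse_services(log_text) if e.file_missing]
```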
