Symantec Email Proxy Popup Windows


23 replies to this topic

#1 bdubbs

  • Members
  • 13 posts

Posted 16 February 2008 - 06:50 AM

Hello,

My name is Brad and my computer has been infected. I constantly get Symantec Email Proxy Popup windows as soon as my computer loads to the desktop. I have a cable ISP, and do not have any email programs linked to Symantec. I'm not sure how this happened. I have run Ad-Aware 2007, Spybot S&D, Panda scan, and Symantec Antivirus to try and fix the problem. I have been able to remove some of the malicious programs, but they seem to regenerate each time I reboot my computer. I have all the current updates for Windows XP. I would appreciate any help you can provide!!

Thanks,
Brad

----------------------------
Here is my first HJT log
----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:18 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: iWin Desktop Alerts.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v49/dinerdash/dinerdash.cab
O21 - SSODL: WinMain - {C231CF11-134F-3552-44AC-E685D962C63C} - blank (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5689 bytes


#2 Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts

Posted 22 February 2008 - 12:17 AM

Hello bdubbs and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.

If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 bdubbs
  • Topic Starter

  • Members
  • 13 posts

Posted 22 February 2008 - 12:54 PM

Hey Johannes,

I have followed all the steps for preparation. Here is my newest HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:29 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: iWin Desktop Alerts.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v49/dinerdash/dinerdash.cab
O21 - SSODL: WinMain - {C231CF11-134F-3552-44AC-E685D962C63C} - blank (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5761 bytes

Thank you for all your help!

Brad

#4 Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts

Posted 23 February 2008 - 02:41 AM

Hey Brad,

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Step #1

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run, paste the following into the "Open" field: appwiz.cpl and press OK. From within Add or Remove Programs, uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step #2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click "Continue".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
Step #3

Run HijackThis, press Scan, and put a check mark next to all these entries:

O21 - SSODL: WinMain - {C231CF11-134F-3552-44AC-E685D962C63C} - blank (file missing)

Close all other windows and browsers, and press the Fix Checked button.

Step #4

We need to have a deeper look into the system. Therefore:

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close ALL applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
The logs can be quite lengthy; use two posts if you need to get them all in.

Step #5

Please post back with the main.txt and the extra.txt from the DSS scan. Thanks.

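Steps 1 to 3 above amount to a small triage pass over the HijackThis log format: uninstall Viewpoint, replace the outdated JRE, and remove the O21 SSODL entry whose file is missing. The following is an added example for this thread, not code from HijackThis, DSS or the Malware Response Team; the action strings and the CURRENT_JRE threshold (Java 6 Update 4, as installed in Step 2) are assumptions drawn from the posts, and the sample log lines are copied from the first log in this topic.

```python
"""Triage of HijackThis v2 log lines for the three item classes handled in this thread.

Added example; not part of HijackThis or of the helper's instructions. The
action strings and the CURRENT_JRE threshold are assumptions taken from the thread.
"""
import re
from dataclasses import dataclass

# One HijackThis item: "O<nn> - <kind>: <rest>",
# e.g. "O21 - SSODL: WinMain - {...} - blank (file missing)"
ITEM_RE = re.compile(r"^(O\d+)\s+-\s+([^:]+):\s*(.*)$")
# JRE install folders embedded in paths, e.g. jre1.5.0_08 -> (1, 5, 0, 8)
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)

# Current release at the time of the thread: Java 6 Update 4 installs as jre1.6.0_04 (assumption)
CURRENT_JRE = (1, 6, 0, 4)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O21"
    reason: str    # why the line was flagged
    action: str    # how the helper dealt with it in this thread (assumed wording)
    line: str      # the raw log line


def parse_items(log_text):
    """Return (section, kind, rest, raw_line) for each O-entry; headers and process lists are skipped."""
    items = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ITEM_RE.match(raw)
        if m:
            items.append((m.group(1), m.group(2), m.group(3), raw))
    return items


def jre_version(text):
    """Extract (major, minor, micro, update) from a JRE path, or None if no JRE is referenced."""
    m = JRE_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(log_text, current_jre=CURRENT_JRE):
    """Flag only the item classes dealt with in this thread; everything else is left alone."""
    findings = []
    for section, kind, rest, raw in parse_items(log_text):
        # O21 SSODL entries are loaded by Explorer at logon. One whose file is
        # missing does nothing useful and is the candidate for Fix Checked.
        if section == "O21" and "(file missing)" in rest:
            findings.append(Finding(section, "SSODL entry with missing file",
                                    "HijackThis: check the line, then Fix Checked", raw))
        # Any BHO, Run key or toolbar button loading a JRE older than the current release.
        ver = jre_version(rest)
        if ver is not None and ver < current_jre:
            shown = "%d.%d.%d_%02d" % ver
            findings.append(Finding(section, f"outdated Java runtime jre{shown}",
                                    "Add/Remove Programs: remove old JRE, install current", raw))
        # Viewpoint Manager is foistware: uninstalled, not fixed in HijackThis.
        if "viewpoint" in rest.lower():
            findings.append(Finding(section, "Viewpoint Manager (foistware)",
                                    "Add/Remove Programs: uninstall Viewpoint", raw))
    return findings


# Constructed sample: a handful of lines copied from the first log in this topic.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: WinMain - {C231CF11-134F-3552-44AC-E685D962C63C} - blank (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.action}\n    {f.line}")
```

Re-running the same pass over the post-fix log (jre1.6.0_04, O21 line gone) is the quickest way to confirm that each step actually took effect.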


#5 bdubbs
  • Topic Starter

  • Members
  • 13 posts

Posted 23 February 2008 - 01:35 PM

Hey,

I removed Viewpoint as requested. I have tried downloading Java from the Sun Web site. The site was down due to scheduled maintenance for like 4 hours. The link to the Java I need now says "Product Not Found". Is there another secure site where I can download the Java I need?

Thanks,
Brad

#6 Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts

Posted 23 February 2008 - 01:42 PM

Hi Brad,

try this one: http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html. Thanks.



#7 bdubbs
  • Topic Starter

  • Members
  • 13 posts

Posted 23 February 2008 - 02:32 PM

Hey Johannes,

Thanks again for your help with my system. Here are the log files:



Deckard's System Scanner v20071014.68
Run by Brad on 2008-02-23 14:23:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 382.42 MiB / 189 MiB
Pagefile Memory (total/avail): 919.66 MiB / 637.85 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.34 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.33 GiB total, 57.94 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080P0 - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.33 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: Symantec AntiVirus Corporate Edition v10.1.0.401 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Brad\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=B-RAD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Brad
LOGONSERVER=\\B-RAD
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Brad\LOCALS~1\Temp
TMP=C:\DOCUME~1\Brad\LOCALS~1\Temp
USERDOMAIN=B-RAD
USERNAME=Brad
USERPROFILE=C:\Documents and Settings\Brad
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Brad (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Azureus --> C:\Program Files\Azureus\Uninstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Diner Dash - Hometown Hero --> C:\Program Files\Diner Dash - Hometown Hero\Uninstal.exe
Doom 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{584267B8-0BB0-4D18-9FFA-726576619E9A} /l1033 /x
DVD X Copy GOLD v3.0.1 (remove only) --> C:\Program Files\321Studios\DVDXCopy GOLD\Uninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
K-Lite Mega Codec Pack 1.53 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.12) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PokerStars.net --> "C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Registry Mechanic 5.2 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Symantec AntiVirus --> MsiExec.exe /I{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1060 / Error
Event Submitted/Written: 02/16/2008 05:59:05 AM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec AntiVirus\DefWatch.exe
Event Info: Resume Thread
Action Taken: Blocked
Actor Process: C:\Program Files\Internet Explorer\iexplore.exe (PID 2156)
Time: Saturday, February 16, 2008 5:59:05 AM

Event Record #/Type1059 / Error
Event Submitted/Written: 02/16/2008 05:59:05 AM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec AntiVirus\DefWatch.exe
Event Info: Resume Thread
Action Taken: Blocked
Actor Process: C:\Program Files\Internet Explorer\iexplore.exe (PID 2156)
Time: Saturday, February 16, 2008 5:59:05 AM

Event Record #/Type1058 / Error
Event Submitted/Written: 02/16/2008 05:59:05 AM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec AntiVirus\DefWatch.exe
Event Info: Suspend Thread
Action Taken: Blocked
Actor Process: C:\Program Files\Internet Explorer\iexplore.exe (PID 2156)
Time: Saturday, February 16, 2008 5:59:05 AM

Event Record #/Type1057 / Error
Event Submitted/Written: 02/16/2008 05:59:05 AM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Event Info: Suspend Thread
Action Taken: Blocked
Actor Process: C:\Program Files\Internet Explorer\iexplore.exe (PID 2156)
Time: Saturday, February 16, 2008 5:59:05 AM

Event Record #/Type1056 / Error
Event Submitted/Written: 02/16/2008 05:59:05 AM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec AntiVirus\DefWatch.exe
Event Info: Suspend Thread
Action Taken: Blocked
Actor Process: C:\Program Files\Internet Explorer\iexplore.exe (PID 2156)
Time: Saturday, February 16, 2008 5:59:05 AM



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1710 / Error
Event Submitted/Written: 02/23/2008 02:24:32 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The GEARSecurity service has reported an invalid current state 0.

Event Record #/Type1709 / Warning
Event Submitted/Written: 02/23/2008 02:19:03 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1687 / Warning
Event Submitted/Written: 02/23/2008 02:13:52 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1684 / Warning
Event Submitted/Written: 02/23/2008 01:46:34 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1683 / Warning
Event Submitted/Written: 02/23/2008 01:32:52 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-02-23 14:25:02 ------------




-- Last 5 Restore Point(s) --
55: 2008-02-23 19:23:58 UTC - RP55 - Deckard's System Scanner Restore Point
54: 2008-02-23 19:19:23 UTC - RP54 - Installed Java™ 6 Update 4
53: 2008-02-23 19:14:46 UTC - RP53 - Removed MostFun - Diner Dash
52: 2008-02-23 19:13:49 UTC - RP52 - Removed J2SE Runtime Environment 5.0 Update 8
51: 2008-02-23 01:20:07 UTC - RP51 - System Checkpoint


-- First Restore Point --
1: 2008-01-13 21:23:33 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis (run as Brad.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:21 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Brad\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Brad.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v49/dinerdash/dinerdash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5752 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080223-142238-682 O21 - SSODL: WinMain - {C231CF11-134F-3552-44AC-E685D962C63C} - blank (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GEARSecurity - system32\gearsec.exe <Not Verified; GEAR Software; gearsec>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-01-23 and 2008-02-23 -----------------------------

2008-02-23 14:19:37 0 d-------- C:\Program Files\Java
2008-02-23 14:19:31 0 d-------- C:\Program Files\Common Files\Java
2008-02-19 14:01:15 0 d-------- C:\Documents and Settings\Brad\Application Data\LimeWire
2008-02-18 15:05:44 0 d-------- C:\Program Files\Diner Dash - Hometown Hero
2008-02-16 06:28:36 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-16 05:50:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 04:22:04 0 d-------- C:\Program Files\Lavasoft
2008-02-16 04:22:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 04:21:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 03:46:46 0 dr-h----- C:\Documents and Settings\Brad\Recent
2008-02-16 03:42:21 0 d-------- C:\Program Files\CCleaner
2008-02-16 03:24:43 0 d-------- C:\Program Files\Trend Micro
2008-02-16 00:40:31 0 d-------- C:\Program Files\ReflexiveArcade
2008-02-14 13:52:25 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-02-13 05:05:21 0 d-------- C:\WINDOWS\system32\appmgmt
2008-02-12 16:32:23 0 d-------- C:\VundoFix Backups
2008-02-12 13:17:40 1 --a------ C:\WINDOWS\system32\rc.dat
2008-02-12 13:17:40 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-02-12 13:17:40 1 --a------ C:\WINDOWS\system32\cs.dat
2008-02-12 13:17:39 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-02-12 13:17:16 54762 --a------ C:\WINDOWS\system32\jkghje.dll
2008-02-12 13:17:14 6638 --a------ C:\WINDOWS\system32\conf.dat
2008-02-12 12:50:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-12 12:49:24 0 d-------- C:\Program Files\iWin.com
2008-02-12 12:49:11 0 d-------- C:\Documents and Settings\Brad\Application Data\iWinArcade
2008-02-12 12:48:55 0 d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-02-08 02:12:49 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-04 23:15:52 0 d-------- C:\Documents and Settings\Brad\Application Data\PlayFirst
2008-02-04 23:14:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-04 23:14:08 0 d-------- C:\Program Files\MostFun
2008-02-04 21:39:12 0 d-------- C:\Documents and Settings\All Users\Application Data\FunGames
2008-02-02 15:09:07 0 d-------- C:\Program Files\MTV Virtual World


-- Find3M Report ---------------------------------------------------------------

2008-02-23 14:19:31 0 d-------- C:\Program Files\Common Files
2008-02-23 14:18:26 0 d-------- C:\Program Files\Symantec AntiVirus
2008-02-23 08:39:37 0 d-------- C:\Documents and Settings\Brad\Application Data\Azureus
2008-02-19 14:01:09 0 d-------- C:\Program Files\LimeWire
2008-02-16 06:12:58 0 d-------- C:\Program Files\Messenger
2008-02-16 06:06:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-16 04:21:17 0 d-------- C:\Documents and Settings\Brad\Application Data\Lavasoft
2008-02-14 13:52:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-04 23:15:52 0 d-------- C:\Documents and Settings\Brad\Application Data\Macromedia
2008-01-16 00:00:00 0 d-------- C:\Program Files\PokerStars.NET
2008-01-14 23:25:24 0 d-------- C:\Documents and Settings\Brad\Application Data\Adobe
2008-01-14 03:31:10 0 d-------- C:\Documents and Settings\Brad\Application Data\Media Player Classic
2008-01-14 03:13:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-14 01:49:46 0 d-------- C:\Documents and Settings\Brad\Application Data\acccore
2008-01-14 01:48:37 34676 --a------ C:\WINDOWS\DIIUnin.dat
2008-01-14 01:48:36 0 d-------- C:\Program Files\Diablo II
2008-01-14 01:42:21 0 d-------- C:\Program Files\Azureus
2008-01-14 01:27:56 2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-01-14 01:27:56 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2008-01-14 01:07:45 0 d-------- C:\Program Files\Doom 3
2008-01-14 00:56:44 0 d-------- C:\Documents and Settings\Brad\Application Data\Sun
2008-01-14 00:39:07 0 d-------- C:\Program Files\AIM6
2008-01-14 00:38:40 0 d-------- C:\Program Files\Common Files\AOL
2008-01-14 00:33:47 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-14 00:28:00 0 d-------- C:\Program Files\Symantec
2008-01-14 00:21:53 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-01-14 00:18:24 0 d-------- C:\Program Files\Microsoft.NET
2008-01-14 00:14:04 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-01-14 00:14:00 0 d-------- C:\Documents and Settings\Brad\Application Data\Real
2008-01-14 00:13:54 0 d-a------ C:\Program Files\(IE7_Standalone)
2008-01-14 00:02:53 0 d-------- C:\Program Files\WPIclose
2008-01-13 23:49:46 1167 --a------ C:\WINDOWS\mozver.dat
2008-01-13 23:25:39 0 d-------- C:\Program Files\Realtek Sound Manager
2008-01-13 23:25:39 0 d-------- C:\Program Files\AvRack
2008-01-13 23:25:37 0 d-------- C:\Program Files\Realtek AC97
2008-01-13 22:56:05 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-13 18:37:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-13 18:37:49 0 d-------- C:\Documents and Settings\Brad\Application Data\Mozilla
2008-01-13 18:28:09 0 d-------- C:\Program Files\Magic
2008-01-13 18:16:44 0 d-------- C:\Program Files\Emulator
2008-01-13 17:51:46 0 d-------- C:\Program Files\321Studios
2008-01-13 17:32:05 0 d-------- C:\Program Files\Movie Maker
2008-01-13 17:30:16 0 d-------- C:\Program Files\Windows NT
2008-01-13 16:23:24 0 d-------- C:\Documents and Settings\Brad\Application Data\Identities
2008-01-13 16:18:17 0 d--h----- C:\Program Files\WindowsUpdate
2008-01-13 16:11:06 0 d-------- C:\Program Files\microsoft frontpage
2008-01-13 16:10:45 0 -rahs---- C:\MSDOS.SYS
2008-01-13 16:10:45 0 -rahs---- C:\IO.SYS
2008-01-13 16:10:45 0 --a------ C:\CONFIG.SYS
2008-01-13 16:10:45 0 --a------ C:\AUTOEXEC.BAT
2008-01-13 16:09:46 0 d-------- C:\Program Files\Online Services
2008-01-13 16:08:44 0 d-------- C:\Program Files\Common Files\MSSoap
2008-01-13 16:08:21 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-01-13 16:07:44 0 d-------- C:\Program Files\MSN Gaming Zone
2008-01-13 15:51:34 0 d-------- C:\Program Files\Common Files\ODBC
2008-01-13 15:51:32 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-01-13 15:51:15 62 --ahs---- C:\Documents and Settings\Brad\Application Data\desktop.ini
2007-12-05 01:41:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-12-05 01:41:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-12-05 01:41:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 01:41:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-12-05 01:41:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-12-05 01:41:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 01:41:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-12-05 01:41:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [10/24/2005 01:45 AM C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2006 07:00 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [10/01/2006 07:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 12:56 AM]
"Aim6"="" []

C:\Documents and Settings\Brad\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-02-23 14:25:02 ------------

#8 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:02:11 PM

Posted 23 February 2008 - 02:57 PM

Hey Brad,

Just as a side note: your logs show that you have below 512 MB RAM. This makes your machine very slow when running a Windows operating system (which usually needs around 512 MB itself to run). You might want to consider buying some additional RAM / upgrading your RAM.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Azureus, LimeWire 4.16.6). These programmes allow users to share files, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #1

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:
If you want to have a look at the user manuals for the above suggested programs, have a look at the following:
If you do decide to install a third-party firewall, make sure that the Windows Firewall is not running and, if it is, deactivate it. A tutorial on how to do it can be found here.

Step #2

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Step #3

Please post the ComboFix log thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#9 bdubbs

bdubbs
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 23 February 2008 - 03:35 PM

Hey Johannes,

Here is the Combo Fix log as requested:

ComboFix 08-02-24 - Brad 2008-02-23 15:28:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.152 [GMT -5:00]
Running from: C:\Documents and Settings\Brad\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-23 15:05 . 2008-02-23 15:05 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-02-23 14:23 . 2008-02-23 14:23 <DIR> d-------- C:\Deckard
2008-02-23 14:20 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-23 14:19 . 2008-02-23 14:20 <DIR> d-------- C:\Program Files\Java
2008-02-23 14:19 . 2008-02-23 14:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-19 14:01 . 2008-02-23 00:33 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\LimeWire
2008-02-18 15:05 . 2008-02-18 15:05 <DIR> d-------- C:\Program Files\Diner Dash - Hometown Hero
2008-02-16 06:28 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-16 05:50 . 2008-02-16 06:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 05:50 . 2008-02-16 05:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 05:50 . 2008-02-16 05:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 05:50 . 2008-02-16 05:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 04:22 . 2008-02-16 04:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-16 04:22 . 2008-02-16 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 04:21 . 2008-02-16 04:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 03:42 . 2008-02-16 03:42 <DIR> d-------- C:\Program Files\CCleaner
2008-02-16 03:24 . 2008-02-16 03:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 00:40 . 2008-02-16 00:40 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-02-14 13:52 . 2008-02-16 03:36 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-12 16:32 . 2008-02-12 16:32 <DIR> d-------- C:\VundoFix Backups
2008-02-12 13:17 . 2008-02-12 13:17 54,762 --a------ C:\WINDOWS\system32\jkghje.dll
2008-02-12 13:17 . 2008-02-12 13:17 10,752 --a------ C:\WINDOWS\system32\WORSOCK.0LL
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\rc.dat
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\cs.dat
2008-02-12 12:50 . 2008-02-15 23:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-12 12:49 . 2008-02-23 14:15 <DIR> d-------- C:\Program Files\iWin.com
2008-02-12 12:49 . 2008-02-12 12:49 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\iWinArcade
2008-02-12 12:48 . 2008-02-12 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-02-08 02:12 . 2008-02-18 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-04 23:15 . 2008-02-18 15:06 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\PlayFirst
2008-02-04 23:14 . 2008-02-08 02:12 <DIR> d-------- C:\Program Files\MostFun
2008-02-04 23:14 . 2008-02-04 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-04 21:39 . 2008-02-04 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FunGames
2008-02-02 15:09 . 2008-02-12 15:37 <DIR> d-------- C:\Program Files\MTV Virtual World

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 20:28 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-23 13:39 --------- d-----w C:\Documents and Settings\Brad\Application Data\Azureus
2008-02-23 09:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 19:01 --------- d-----w C:\Program Files\LimeWire
2008-02-16 11:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 11:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-16 09:21 --------- d-----w C:\Documents and Settings\Brad\Application Data\Lavasoft
2008-02-16 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 18:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-16 05:00 --------- d-----w C:\Program Files\PokerStars.NET
2008-01-14 08:31 --------- d-----w C:\Documents and Settings\Brad\Application Data\Media Player Classic
2008-01-14 08:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 06:49 --------- d-----w C:\Documents and Settings\Brad\Application Data\acccore
2008-01-14 06:48 --------- d-----w C:\Program Files\Diablo II
2008-01-14 06:42 --------- d-----w C:\Program Files\Azureus
2008-01-14 06:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-14 06:27 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-01-14 06:07 --------- d-----w C:\Program Files\Doom 3
2008-01-14 05:55 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-01-14 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-14 05:39 --------- d-----w C:\Program Files\AIM6
2008-01-14 05:38 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-14 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-14 05:33 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-14 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-14 05:28 --------- d-----w C:\Program Files\Symantec
2008-01-14 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-14 05:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-14 05:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-14 05:14 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-14 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-14 05:13 --------- d---a-w C:\Program Files\(IE7_Standalone)
2008-01-14 05:02 --------- d-----w C:\Program Files\WPIclose
2008-01-14 04:25 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-01-14 04:25 --------- d-----w C:\Program Files\Realtek AC97
2008-01-14 04:25 --------- d-----w C:\Program Files\AvRack
2008-01-14 03:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 23:28 --------- d-----w C:\Program Files\Magic
2008-01-13 23:16 --------- d-----w C:\Program Files\Emulator
2008-01-13 22:51 31,680 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-01-13 22:51 --------- d-----w C:\Program Files\321Studios
2008-01-13 21:11 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 01:45 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-01 07:00 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-10-01 07:00 124656]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
S2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]

*Newly Created Service* - FWDRV
*Newly Created Service* - KHIPS
*Newly Created Service* - SPF4
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 15:31:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-24 15:33:23
ComboFix-quarantined-files.txt 2008-02-24 20:33:17
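
The firewall step in post #8 and the "Reg Loading Points" section of the ComboFix log above are connected: the `"EnableFirewall"= 0 (0x0)` line under the `standardprofile` key is how a helper sees that the Windows Firewall is off, and the `AuthorizedApplications\List` key shows which programs were granted exceptions. The following Python script is an added example, not code from this thread or from ComboFix's authors: it parses a constructed sample dump (copied in shape from the entries on this page), reports the firewall state and its exceptions, and lists the Run autostart entries, flagging ones with an empty command or a bare filename that is resolved through the search path. The key names are assumed to appear exactly as ComboFix prints them in the log above.

```python
import re

# Constructed sample: the relevant lines of a ComboFix "Reg Loading Points"
# dump, in the same shape as the one pasted in this thread (not the full log).
SAMPLE_REG_DUMP = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 01:45 90112 C:\WINDOWS\soundman.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-01 07:00 53408]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"""

# Key names as ComboFix abbreviates them in the dump (assumption: same spelling as above).
FIREWALL_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
EXCEPTIONS_KEY = FIREWALL_KEY + r"\AuthorizedApplications\List"

SECTION_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<rest>.*)$')
RUN_VALUE_RE = re.compile(r'^"(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_reg_dump(text):
    """Return {key: [(value_name, raw_rest), ...]} for every [key] block."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:          # header lines such as REGEDIT4 / *Note*
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group("name"), m.group("rest")))
    return sections


def firewall_status(sections):
    """(enabled, exceptions): enabled is None when the key is absent."""
    values = dict(sections.get(FIREWALL_KEY, []))
    raw = values.get("EnableFirewall")
    enabled = None if raw is None else raw.split()[0] != "0"
    exceptions = [name for name, _ in sections.get(EXCEPTIONS_KEY, [])]
    return enabled, exceptions


def run_entries(sections):
    """[(hive, value_name, command)] for every ...\\CurrentVersion\\Run key."""
    out = []
    for key, values in sections.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        hive = key.split("\\", 1)[0]
        for name, rest in values:
            m = RUN_VALUE_RE.match(rest)
            if m:
                out.append((hive, name, m.group("cmd")))
    return out


def review(text):
    """Human-readable findings a helper would look for in the dump."""
    sections = parse_reg_dump(text)
    findings = []
    enabled, exceptions = firewall_status(sections)
    if enabled is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    elif enabled is None:
        findings.append("Windows Firewall policy key not present in dump")
    for app in exceptions:
        findings.append(f"firewall exception for {app}")
    for hive, name, cmd in run_entries(sections):
        if cmd.strip() == "":
            findings.append(f"{hive} Run entry '{name}' has an empty command and starts nothing")
        elif not ABS_PATH_RE.match(cmd):
            findings.append(f"{hive} Run entry '{name}' uses bare filename {cmd} (resolved via search path)")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_REG_DUMP):
        print(finding)
```

Run against the sample, the script reports the disabled firewall, the three exceptions (including Azureus, the file-sharing client discussed above), the empty `Aim6` entry and the bare `SOUNDMAN.EXE` command. None of these findings is by itself a sign of infection; they are the points a reviewer checks before the firewall step.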

#10 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:02:11 PM

Posted 23 February 2008 - 04:09 PM

Hey Brad,

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\WINDOWS\system32\jkghje.dll
    
    Folder::
    C:\VundoFix Backups
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.
Step #2

Download rustbfix from here and save it to your desktop.
Double click on rustbfix.exe to run the tool.
If a Rustock.b infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically.
After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.

Step #3

Please post back with a fresh ComboFix log and the C:\avenger.txt & C:\rustbfix\pelog.txt. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#11 bdubbs

bdubbs
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 23 February 2008 - 05:04 PM

Hey,

I ran the rustbfix, and nothing was found so I only have one log. I am sorry to inundate you with all these logs. Your help is greatly appreciated!


ComboFix 08-02-24 - Brad 2008-02-24 16:46:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.78 [GMT -5:00]
Running from: C:\Documents and Settings\Brad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brad\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\jkghje.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\jkghje.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-23 15:05 . 2008-02-23 15:05 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-02-23 14:23 . 2008-02-23 14:23 <DIR> d-------- C:\Deckard
2008-02-23 14:20 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-23 14:19 . 2008-02-23 14:20 <DIR> d-------- C:\Program Files\Java
2008-02-23 14:19 . 2008-02-23 14:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-19 14:01 . 2008-02-23 00:33 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\LimeWire
2008-02-18 15:05 . 2008-02-18 15:05 <DIR> d-------- C:\Program Files\Diner Dash - Hometown Hero
2008-02-16 06:28 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-16 05:50 . 2008-02-16 06:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 05:50 . 2008-02-16 05:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 05:50 . 2008-02-16 05:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 05:50 . 2008-02-16 05:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 04:22 . 2008-02-16 04:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-16 04:22 . 2008-02-16 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 04:21 . 2008-02-16 04:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 03:42 . 2008-02-16 03:42 <DIR> d-------- C:\Program Files\CCleaner
2008-02-16 03:24 . 2008-02-16 03:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 00:40 . 2008-02-16 00:40 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-02-14 13:52 . 2008-02-16 03:36 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-12 13:17 . 2008-02-12 13:17 10,752 --a------ C:\WINDOWS\system32\WORSOCK.0LL
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\rc.dat
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\cs.dat
2008-02-12 12:50 . 2008-02-15 23:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-12 12:49 . 2008-02-23 14:15 <DIR> d-------- C:\Program Files\iWin.com
2008-02-12 12:49 . 2008-02-12 12:49 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\iWinArcade
2008-02-12 12:48 . 2008-02-12 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-02-08 02:12 . 2008-02-18 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-04 23:15 . 2008-02-18 15:06 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\PlayFirst
2008-02-04 23:14 . 2008-02-08 02:12 <DIR> d-------- C:\Program Files\MostFun
2008-02-04 23:14 . 2008-02-04 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-04 21:39 . 2008-02-04 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FunGames
2008-02-02 15:09 . 2008-02-12 15:37 <DIR> d-------- C:\Program Files\MTV Virtual World

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 21:08 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-23 13:39 --------- d-----w C:\Documents and Settings\Brad\Application Data\Azureus
2008-02-23 09:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 19:01 --------- d-----w C:\Program Files\LimeWire
2008-02-16 11:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 11:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-16 09:21 --------- d-----w C:\Documents and Settings\Brad\Application Data\Lavasoft
2008-02-16 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 18:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-16 05:00 --------- d-----w C:\Program Files\PokerStars.NET
2008-01-14 08:31 --------- d-----w C:\Documents and Settings\Brad\Application Data\Media Player Classic
2008-01-14 08:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 06:49 --------- d-----w C:\Documents and Settings\Brad\Application Data\acccore
2008-01-14 06:48 --------- d-----w C:\Program Files\Diablo II
2008-01-14 06:42 --------- d-----w C:\Program Files\Azureus
2008-01-14 06:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-14 06:27 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-01-14 06:07 --------- d-----w C:\Program Files\Doom 3
2008-01-14 05:55 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-01-14 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-14 05:39 --------- d-----w C:\Program Files\AIM6
2008-01-14 05:38 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-14 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-14 05:33 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-14 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-14 05:28 --------- d-----w C:\Program Files\Symantec
2008-01-14 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-14 05:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-14 05:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-14 05:14 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-14 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-14 05:13 --------- d---a-w C:\Program Files\(IE7_Standalone)
2008-01-14 05:02 --------- d-----w C:\Program Files\WPIclose
2008-01-14 04:25 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-01-14 04:25 --------- d-----w C:\Program Files\Realtek AC97
2008-01-14 04:25 --------- d-----w C:\Program Files\AvRack
2008-01-14 03:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 23:28 --------- d-----w C:\Program Files\Magic
2008-01-13 23:16 --------- d-----w C:\Program Files\Emulator
2008-01-13 22:51 31,680 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-01-13 22:51 --------- d-----w C:\Program Files\321Studios
2008-01-13 21:11 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C03FD59D-9104-44B7-929A-9EAA0BA05211}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 01:45 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-01 07:00 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-10-01 07:00 124656]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
S1 wer32;wer32;C:\WINDOWS\system32\jkghje.dll []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 16:52:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
.
**************************************************************************
.
Completion time: 2008-02-24 16:56:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-24 21:56:08
ComboFix2.txt 2008-02-24 20:33:25


************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Sun 02/24/2008 17:00:12.34

No Rustock.b-rootkits found

******************************* End of Logfile ********************************



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:29 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v49/dinerdash/dinerdash.cab
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6310 bytes

#12 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:02:11 PM

Posted 24 February 2008 - 03:04 AM

Hey Brad,

I ran the rustbfix, and nothing was found so I only have one log. I am sorry to inundate you with all these logs. Your help is greatly appreciated!

That's just fine. I just wanted to see if rustbfix would find any leftovers. And you don't need to worry about posting all these logs to me, as I have asked for them :blink:. If you post "too much" information that wouldn't be required, I would let you know :thumbsup:.

Your logs show that you have (a) online poker programme(s) installed on your computer. I know that you may use these (this) game(s) on a regular basis, but I think it's important to note that often these kinds of programmes are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programmes yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a programme is infected or not. Should you have installed this online poker game on purpose and wish to continue using it, you may ignore this. Should you decide to uninstall the programme, then you can do so by following the steps below:

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs, search for the poker game and remove it.

If you are unsure of anything, please dont hesitate to ask.

Step #1

Please copy and paste the following text into Notepad:

sc stop wer32
sc delete wer32
del services.bat

Save this as "services.bat". Choose to save as *all files* and place it on your Desktop.
Double-click services.bat. Soon it should disappear from your Desktop; this is fine.

Step #2

Please do an online scan with Kaspersky Webscan (you need to use Internet Explorer or enable IEView in Firefox).

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now, under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save Report As button >> name it >> choose "Text file" in the Save as type dialogue.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3

Please post back with the Kaspersky online scan. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#13 bdubbs

bdubbs
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:11 AM

Posted 24 February 2008 - 01:04 PM

Hey Johannes,

I have used this online poker program for a couple of years. I have never had problems with Adware/Spyware generation with this program. Here is the Kaspersky scan as requested:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 25, 2008 1:03:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/02/2008
Kaspersky Anti-Virus database records: 578530
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51229
Number of viruses found: 10
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 00:36:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09680000.VBN Infected: Trojan-PSW.Win32.Delf.aox skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09680001\4FFEA673.VBN Infected: Trojan-PSW.Win32.Delf.aox skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09E80001\4FFB2C0E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09E80002\4FFB3A1D.VBN Infected: Trojan-Downloader.Win32.Small.ieg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A700000\4FF27A31.VBN Infected: Trojan-Downloader.Win32.Small.ieg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00002\4FF1E2A9.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00003\4FF1E2B4.VBN Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00004\4FF1E2BB.VBN Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00005\4FF1E2C2.VBN Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00006\4FF1E2D2.VBN Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\cert8.db Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\history.dat Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\key3.db Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\parent.lock Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Brad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\AOL OCP\AIM\Storage\data\coltbeer4lunch\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1pkmss.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brad\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Brad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0311NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0932NAV~.TMP Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-24_165140.82.zip/jkghje.dll Infected: Trojan.Win32.Agent.fgw skipped
C:\QooBox\Quarantine\catchme2008-02-24_165140.82.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-682003330-1284227242-725345543-1003\Dc2.exe/data0000.bin/data0007 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\RECYCLER\S-1-5-21-682003330-1284227242-725345543-1003\Dc2.exe/data0000.bin Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\RECYCLER\S-1-5-21-682003330-1284227242-725345543-1003\Dc2.exe EmbeddedEXE: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7AECEAD3-038B-49BD-AA35-0F098737C400}\RP44\A0022535.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\System Volume Information\_restore{7AECEAD3-038B-49BD-AA35-0F098737C400}\RP45\A0023570.dll Infected: Trojan-PSW.Win32.Agent.yt skipped
C:\System Volume Information\_restore{7AECEAD3-038B-49BD-AA35-0F098737C400}\RP53\A0024844.dll Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\System Volume Information\_restore{7AECEAD3-038B-49BD-AA35-0F098737C400}\RP58\change.log Object is locked skipped
C:\System Volume Information\_restore{7AECEAD3-038B-49BD-AA35-0F098737C400}\RP6\A0004631.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\WORSOCK.0LL Infected: Trojan-PSW.Win32.Agent.yt skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks,
Brad
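As an added example (not part of Brad's or Johannes's posts), a small Python script that triages a Kaspersky Online Scanner report in the format above: it sets aside the "Object is locked" lines, which are files the OS had open rather than detections, groups the real detections by whether they sit in an AV quarantine folder, a System Restore point, the recycle bin or the live system, and lists the live ones, which is what still needs cleaning. The sample input is constructed from a subset of the lines in the report above; the location categories are my own.

```python
"""Triage a Kaspersky Online Scanner 5.x report of the kind posted in this thread.

The scanner lists every object it could not clean with one of three trailers:
  <path> Object is locked skipped          -> file open by the OS, not a detection
  <path> Infected: <detection> skipped     -> a detection
  <path> <container>: infected - N skipped -> summary for an archive/EXE with N hits inside
Detections inside AV quarantine folders, restore points or the recycle bin are
already off the live system; what matters for cleanup is what remains live.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the report posted above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09680000.VBN Infected: Trojan-PSW.Win32.Delf.aox skipped
C:\QooBox\Quarantine\catchme2008-02-24_165140.82.zip/jkghje.dll Infected: Trojan.Win32.Agent.fgw skipped
C:\QooBox\Quarantine\catchme2008-02-24_165140.82.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-682003330-1284227242-725345543-1003\Dc2.exe/data0000.bin Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\RECYCLER\S-1-5-21-682003330-1284227242-725345543-1003\Dc2.exe EmbeddedEXE: infected - 2 skipped
C:\System Volume Information\_restore{7AECEAD3-038B-49BD-AA35-0F098737C400}\RP45\A0023570.dll Infected: Trojan-PSW.Win32.Agent.yt skipped
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINDOWS\system32\WORSOCK.0LL Infected: Trojan-PSW.Win32.Agent.yt skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")


@dataclass(frozen=True)
class Hit:
    path: str
    name: str
    location: str   # quarantine / restore-point / recycle-bin / live (categories chosen here)
    riskware: bool  # Kaspersky's "not-a-virus:" prefix (adware, risk tools), not malware proper


def classify_location(path: str) -> str:
    """Where the detected object sits; anything not already contained counts as live."""
    p = path.lower()
    if "\\quarantine\\" in p:              # Symantec quarantine, ComboFix's QooBox, etc.
        return "quarantine"
    if "\\system volume information\\" in p:
        return "restore-point"
    if "\\recycler\\" in p:
        return "recycle-bin"
    return "live"


def parse_report(text: str) -> dict:
    """Split a report into detections, container summaries and locked (unscanned) objects."""
    hits, containers, locked = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := INFECTED_RE.match(line):
            name = m["name"]
            hits.append(Hit(m["path"], name, classify_location(m["path"]),
                            name.startswith("not-a-virus:")))
        elif m := CONTAINER_RE.match(line):
            containers.append((m["path"], m["kind"], int(m["count"])))
        elif m := LOCKED_RE.match(line):
            locked.append(m["path"])
        # the header, blank lines and "Scan process completed." fall through
    return {"hits": hits, "containers": containers, "locked": locked}


def triage(report: dict) -> dict:
    """Summarise what still needs action: live malware first, live riskware second."""
    hits = report["hits"]
    return {
        "by_location": Counter(h.location for h in hits),
        "by_name": Counter(h.name for h in hits),
        "live_malware": sorted(h.path for h in hits if h.location == "live" and not h.riskware),
        "live_riskware": sorted(h.path for h in hits if h.location == "live" and h.riskware),
        "locked_count": len(report["locked"]),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample, the only live non-riskware detection is C:\WINDOWS\system32\WORSOCK.0LL; the rest are already in quarantine, a restore point or the recycle bin.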

#14 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:02:11 PM

Posted 24 February 2008 - 02:26 PM

Hey Brad,

I have used this online poker program for a couple years. I have never had problems with Adware/Spyware generation with this program.

That's just fine. The above mentioned in regards to poker games is just an observation and note for you :thumbsup:.

Step #1

Please navigate to and delete the entire contents of the following folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

Step #2
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\WINDOWS\system32\WORSOCK.0LL
  • Save this as CFScript.txt

    [Image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Step #3

Please post back with the ComboFix log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#15 bdubbs

bdubbs
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:11 AM

Posted 25 February 2008 - 01:29 AM

Hey Johannes,

Here is the new Combo Fix log:

ComboFix 08-02-24 - Brad 2008-02-26 1:22:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.136 [GMT -5:00]
Running from: C:\Documents and Settings\Brad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brad\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\WORSOCK.0LL
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\WORSOCK.0LL

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 12:09 . 2008-02-25 12:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-25 12:09 . 2008-02-25 12:09 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-25 12:09 . 2008-02-25 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-24 16:59 . 2008-02-24 17:00 <DIR> d-------- C:\Rustbfix
2008-02-23 15:05 . 2008-02-23 15:05 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-02-23 14:23 . 2008-02-23 14:23 <DIR> d-------- C:\Deckard
2008-02-23 14:20 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-23 14:19 . 2008-02-23 14:20 <DIR> d-------- C:\Program Files\Java
2008-02-23 14:19 . 2008-02-23 14:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-19 14:01 . 2008-02-23 00:33 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\LimeWire
2008-02-18 15:05 . 2008-02-25 00:00 <DIR> d-------- C:\Program Files\Diner Dash - Hometown Hero
2008-02-16 06:28 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-16 05:50 . 2008-02-16 06:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 05:50 . 2008-02-16 05:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 05:50 . 2008-02-16 05:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 05:50 . 2008-02-16 05:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 04:22 . 2008-02-16 04:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-16 04:22 . 2008-02-16 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 04:21 . 2008-02-16 04:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 03:42 . 2008-02-16 03:42 <DIR> d-------- C:\Program Files\CCleaner
2008-02-16 03:24 . 2008-02-16 03:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 00:40 . 2008-02-16 00:40 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-02-14 13:52 . 2008-02-16 03:36 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\rc.dat
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-02-12 13:17 . 2008-02-12 13:17 1 --a------ C:\WINDOWS\system32\cs.dat
2008-02-12 12:50 . 2008-02-15 23:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-12 12:49 . 2008-02-23 14:15 <DIR> d-------- C:\Program Files\iWin.com
2008-02-12 12:49 . 2008-02-12 12:49 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\iWinArcade
2008-02-12 12:48 . 2008-02-12 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-02-08 02:12 . 2008-02-18 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-04 23:15 . 2008-02-18 15:06 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\PlayFirst
2008-02-04 23:14 . 2008-02-08 02:12 <DIR> d-------- C:\Program Files\MostFun
2008-02-04 23:14 . 2008-02-04 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-04 21:39 . 2008-02-04 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FunGames
2008-02-02 15:09 . 2008-02-12 15:37 <DIR> d-------- C:\Program Files\MTV Virtual World

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 17:02 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-25 05:00 --------- d-----w C:\Program Files\LimeWire
2008-02-23 13:39 --------- d-----w C:\Documents and Settings\Brad\Application Data\Azureus
2008-02-23 09:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-16 11:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 11:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-16 09:21 --------- d-----w C:\Documents and Settings\Brad\Application Data\Lavasoft
2008-02-16 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 18:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-16 05:00 --------- d-----w C:\Program Files\PokerStars.NET
2008-01-14 08:31 --------- d-----w C:\Documents and Settings\Brad\Application Data\Media Player Classic
2008-01-14 08:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 06:49 --------- d-----w C:\Documents and Settings\Brad\Application Data\acccore
2008-01-14 06:48 --------- d-----w C:\Program Files\Diablo II
2008-01-14 06:42 --------- d-----w C:\Program Files\Azureus
2008-01-14 06:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-14 06:27 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-01-14 06:07 --------- d-----w C:\Program Files\Doom 3
2008-01-14 05:55 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-01-14 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-14 05:39 --------- d-----w C:\Program Files\AIM6
2008-01-14 05:38 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-14 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-14 05:33 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-14 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-14 05:28 --------- d-----w C:\Program Files\Symantec
2008-01-14 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-14 05:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-14 05:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-14 05:14 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-14 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-14 05:13 --------- d---a-w C:\Program Files\(IE7_Standalone)
2008-01-14 05:02 --------- d-----w C:\Program Files\WPIclose
2008-01-14 04:25 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-01-14 04:25 --------- d-----w C:\Program Files\Realtek AC97
2008-01-14 04:25 --------- d-----w C:\Program Files\AvRack
2008-01-14 03:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 23:28 --------- d-----w C:\Program Files\Magic
2008-01-13 23:16 --------- d-----w C:\Program Files\Emulator
2008-01-13 22:51 31,680 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-01-13 22:51 --------- d-----w C:\Program Files\321Studios
2008-01-13 21:11 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 01:45 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-01 07:00 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-10-01 07:00 124656]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 01:25:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 1:26:57
ComboFix-quarantined-files.txt 2008-02-26 06:26:51
ComboFix2.txt 2008-02-24 21:56:20
ComboFix3.txt 2008-02-24 20:33:25

Thanks,
Brad



