
Internetspeedmonitor And Qdr Pack


7 replies to this topic

#1 fazz

  • Members
  • 43 posts

Posted 17 February 2008 - 12:53 AM

Hey, so I just made this long post about my topic, then realized I had an old HJT. So to sum up - I had Internet Speed Monitor with qdr files and unwanted popups. I uninstalled Internet Speed Monitor, the qdr files seem to be missing from the HJT log, and so far it seems like there are no popups. The HJT log still looks like it is a little messy - can someone please help me clean it up? Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:15 AM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\utilman.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\PeerGuardian_1.99pr7\pg2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack this\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.226.167.221:8080
O2 - BHO: (no name) - {7a1204bc-369e-413a-b882-b923b1417312} - C:\WINDOWS\system32\cscxts.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SpybotDeletingA1044] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7723] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9310] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1988] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149093394186
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: c:\windows\system32\awtssqr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cscxts - cscxts.dll (file missing)
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JMP License Service - SAS Institute Inc. - C:\Program Files\Common Files\SAS Institute Inc Shared\Service\JMPLicSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8700 bytes


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 26 February 2008 - 10:41 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response; as I'm sure you can appreciate, we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log, then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments or inside code boxes, thanks.

#3 fazz

  • Topic Starter
  • Members
  • 43 posts

Posted 06 March 2008 - 10:04 PM

Hey guys, yeah, I am still having some weird things happen - AVG gave me some warnings too. Please check my log file soon. Thank you - I appreciate it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:49 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack this\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.226.167.221:8080
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149093394186
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: c:\windows\system32\awtssqr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JMP License Service - SAS Institute Inc. - C:\Program Files\Common Files\SAS Institute Inc Shared\Service\JMPLicSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7844 bytes
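A triage pass over HijackThis entries of the kind seen in the two logs above (posts #1 and #3), written as an added example for this thread; it is not code from the original posts or from HijackThis itself. It scores the lines an analyst would stop at: the R1 proxy pointing at a public IP (193.226.167.221:8080), the O20 AppInit_DLLs entry, the Winlogon Notify handler with a bare DLL name and "(file missing)", and the unnamed or orphaned O2/O3 browser extensions. The sample log is constructed from entry types in the posted logs, and the two allowlists (the SUPERAntiSpyware Winlogon handler and nwprovau.dll as the NetWare LSP provider) are assumptions an analyst would adjust for their own environment.

```python
import ipaddress
import re
import sys

# Assumed allowlists for this example. HijackThis already hides the stock XP
# Winlogon\Notify handlers, so the only expected survivor from the logs above
# is SUPERAntiSpyware's; nwprovau.dll is the Client Service for NetWare LSP.
KNOWN_NOTIFY = {"!saswinlogon"}
KNOWN_LSP = {"nwprovau.dll"}

# Constructed sample in HijackThis v2 format, modelled on the entry types in
# the logs of posts #1 and #3. The AVG and Google lines are benign noise.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.226.167.221:8080
O2 - BHO: (no name) - {7a1204bc-369e-413a-b882-b923b1417312} - C:\WINDOWS\system32\cscxts.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: c:\windows\system32\awtssqr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cscxts - cscxts.dll (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
EXT_RE = re.compile(r"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def public_ip(host):
    """True when host is an IP address outside private, loopback and link-local space."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname: nothing to decide offline


def triage(log_text):
    """Return (severity, entry_type, reason, line) tuples, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("R1 ") and "ProxyServer" in line:
            m = PROXY_RE.search(line)
            if m and public_ip(m.group("host")):
                findings.append(("HIGH", "R1", "browser proxy points at a public IP; HTTP traffic can be read or redirected", line))
            elif m:
                findings.append(("MEDIUM", "R1", "proxy configured; confirm the user set it", line))
            continue
        m = EXT_RE.match(line)
        if m:
            target = m.group("target")
            orphan = "(file missing)" in target or target == "(no file)"
            if m.group("name") == "(no name)" or orphan:
                findings.append(("MEDIUM", m.group("kind"), "unnamed or orphaned browser extension; remove the CLSID registration", line))
            continue
        if APPINIT_RE.match(line):
            # AppInit_DLLs is loaded by every process that maps user32.dll.
            findings.append(("HIGH", "O20", "AppInit_DLLs injects into nearly every user-mode process", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if m.group("name").lower() not in KNOWN_NOTIFY:
                target = m.group("target")
                # A bare DLL name or a missing file under Winlogon\Notify is the
                # classic Vundo-style pattern: it runs inside winlogon.exe as SYSTEM.
                sev = "HIGH" if ("(file missing)" in target or "\\" not in target) else "MEDIUM"
                findings.append((sev, "O20", "unknown Winlogon Notify DLL runs in winlogon.exe as SYSTEM", line))
            continue
        m = LSP_RE.match(line)
        if m:
            base = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            sev = "LOW" if base in KNOWN_LSP else "MEDIUM"
            findings.append((sev, "O10", "Winsock LSP sees all socket traffic; verify the DLL", line))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(("LOW", "O23", "service with no recorded vendor; check the binary", line))
    findings.sort(key=lambda f: SEVERITY[f[0]])  # stable: keeps log order within a level
    return findings


if __name__ == "__main__":
    # HijackThis writes ANSI text, so latin-1 decodes any log without errors.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sev, kind, reason, line in triage(text):
        print(f"[{sev}] {kind}: {reason}\n    {line}")
```

Run it with a saved log as the first argument, or with no argument to triage the constructed sample. The proxy check is the one that matters most here: a ProxyServer value the user never set, pointing at an address outside the LAN, means every plain HTTP request (and every password typed into one) was being relayed through a third party, which is a reason to change credentials after the cleanup and not only to delete the registry value.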

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 07 March 2008 - 07:34 AM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 5'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language - jre-6u5-windows-i586-p.exe' [15.18 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop


Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program/system to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#5 fazz

  • Topic Starter
  • Members
  • 43 posts

Posted 07 March 2008 - 12:20 PM

Thanks for your help - here are the requested files

ComboFix 08-03-07.1 - Owner 2008-03-07 11:47:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.251 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - explorer.exe: deleted 522023 bytes in 5 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1169504962.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\Temp\isgTi19
C:\Temp\sanR24
C:\WINDOWS\cookies.ini
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqoljhg.dll
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\xxyvuuv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_WINDEV-4B9A-1F6C
-------\windev-4b9a-1f6c


((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 11:45 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-07 11:44 . 2008-03-07 11:44 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-06 21:18 . 2008-03-06 23:23 319 --ahs---- C:\WINDOWS\SYSTEM32\ihkmp.ini
2008-03-05 03:16 . 2008-03-05 03:16 597 --a------ C:\WINDOWS\SYSTEM32\tversity.cookies
2008-02-17 00:40 . 2008-02-17 00:40 94 --a------ C:\WINDOWS\wininit.ini
2008-02-17 00:20 . 2008-02-17 00:20 400 --a------ C:\WINDOWS\SYSTEM32\L2649.tmp
2008-02-17 00:19 . 2008-02-17 00:20 270,698 --a------ C:\WINDOWS\SYSTEM32\LF8F0.tmp
2008-02-15 20:38 . 2008-02-15 21:28 <DIR> d-------- C:\Program Files\CeRegEditor
2008-02-15 17:39 . 2008-02-15 17:39 <DIR> d-------- C:\Program Files\SAMSUNG
2008-02-15 17:39 . 2006-04-20 14:34 100,304 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdmdm.sys
2008-02-15 17:39 . 2006-04-20 14:35 79,216 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdserd.sys
2008-02-15 17:39 . 2006-04-20 14:33 66,672 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdbus.sys
2008-02-15 17:39 . 2006-04-20 14:34 9,328 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdmdfl.sys
2008-02-15 17:39 . 2006-04-20 14:34 6,240 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdcmnt.sys
2008-02-15 17:39 . 2006-04-20 14:34 6,240 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdcm.sys
2008-02-15 17:39 . 2006-04-20 14:33 5,904 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdwhnt.sys
2008-02-15 17:39 . 2006-04-20 14:33 5,904 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdwh.sys
2008-02-13 23:07 . 2008-02-13 23:07 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-02-09 11:31 . 2008-03-07 01:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-09 11:31 . 2008-02-09 11:31 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 16:44 --------- d-----w C:\Program Files\Java
2008-03-07 13:47 --------- dc----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-05 08:19 --------- d--h--w C:\Program Files\ArcSoft
2008-03-05 07:05 --------- d-----w C:\Program Files\PeerGuardian_1.99pr7
2008-03-04 07:04 --------- dc----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-22 13:35 --------- dc----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-17 05:46 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 23:34 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-05 16:34 1,032,192 ----a-w C:\WINDOWS\explorer.exe
2008-01-10 04:39 --------- d-----w C:\Program Files\LiveUpdate
2008-01-10 04:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 09:10 --------- d-----w C:\Program Files\mIRC
2008-01-07 03:52 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-02-09 06:01 3,656 ----a-w C:\Program Files\Read_Me.txt
2007-01-21 22:20 45,619 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_01_20_13_58_59_small.dmp.zip
2007-01-21 04:22 1,782 ----a-w C:\Program Files\illusion.reg
2006-07-25 21:18 0 -c--a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2005-10-23 00:30 50,096 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-09-14 16:00 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys
2004-09-04 16:38 62 -c--a-w C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
2004-09-02 21:46 215,462 -c--a-w C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
2004-08-20 01:22 212,776 -c--a-w C:\Documents and Settings\Sunnam\Application Data\tvmknwrd.dll
2004-05-13 01:10 36 -c--a-w C:\Documents and Settings\Owner\klextlock.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 6,894 2007-10-15 05:42:38 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Elite.home.xml
----a-w 6,512 2008-02-08 07:07:36 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\Elite.home.xml

----a-w 6,894 2007-10-15 05:45:20 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Elite.home.xml.recent

----a-w 16,523 2007-05-22 00:48:38 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Facade Wide.home.xml
-c--a-w 16,886 2007-05-22 22:18:14 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\Facade Wide.home.xml

----a-w 16,523 2007-05-22 08:18:10 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Facade Wide.home.xml.recent

----a-w 9,991 2007-05-22 07:49:16 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\myPhone_fish34.home.xml

----a-w 9,991 2007-05-22 07:52:52 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\myPhone_fish34.home.xml.recent

----a-w 61,440 2001-07-06 22:56:56 C:\hp\KBD\bak\KBD.EXE

----a-w 151,597 2003-08-29 22:48:31 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 369,664 2006-08-07 13:13:53 C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe
----a-w 579,072 2007-12-21 14:11:59 C:\Program Files\Grisoft\AVG Free\avgcc.exe

----a-w 36,975 2006-05-03 06:56:56 C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe

----a-w 282,624 2006-07-16 00:38:33 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 693,528 2003-12-15 19:57:12 C:\Program Files\Zone Labs\ZoneAlarmPro 4\bak\zlclient.exe

----a-w 212,992 2001-06-15 23:34:56 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 52,736 1998-05-07 17:04:38 C:\WINDOWS\SYSTEM\bak\hpsysdrv.exe

----a-w 15,360 2004-08-04 04:56:50 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 04:56:50 C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-w 90,112 2001-08-08 00:36:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe

----a-w 143,360 2001-08-08 01:25:48 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

----a-w 155,648 2001-07-09 06:50:42 C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe

----a-w 81,920 2001-07-03 22:13:56 C:\WINDOWS\SYSTEM32\bak\ps2.exe

----a-w 102,400 2001-07-03 22:14:08 C:\WINDOWS\SYSTEM32\bak\usb.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 03:15 68856]
"Aim6"="" []
"SoundMan"="C:\WINDOWS\system32\SOUNDMAN.EXE" [ ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3tray2.exe" [2001-10-04 14:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:11 579072]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"SecureClean4RegManager"="C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe" [2003-10-14 11:13 1266176]
"SecureClean4Tray"="C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe" [2003-10-13 10:58 1570304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:12 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscxts]
cscxts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiiigec]
iiiigec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrs32]
winjrs32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\awtssqr.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamWizard]
C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a--c--- 2003-10-02 01:20 81920 C:\Program Files\Daemon Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
C:\PROGRA~1\AIM\\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESPN360]
C:\Program Files\ESPN360\bin\espn360.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a--c--- 2003-12-09 23:19 278528 C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2006-03-22 23:13 1591808 C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2006-05-11 20:42 3284992 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 15:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2006-12-21 21:54 257272 C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PGtray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2007-08-29 09:45 208941 C:\Program Files\Real\RealOne Player\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a--c--- 2005-01-25 15:31 1159168 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-01-10 15:14 1310720 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp3\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2003-12-05 11:51 1490944 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
--a--c--- 2001-10-15 14:04 127030 C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Stuff\\SopCast_062\\SopCast\\SopCast.exe"=
"%windir%\\explorer.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 02:16]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 13:37]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS [2002-08-04 16:47]
S3 TICalc;TICalc;C:\WINDOWS\system32\drivers\TICalc.sys [1999-08-30 13:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83e40808-7997-11db-80a0-00e0185b86e3}]
\Shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 14:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 15:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 16:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 17:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 18:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 19:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 21:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 22:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 23:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 00:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 01:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 02:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 03:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 04:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 05:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 06:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 07:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 08:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 09:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 10:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 11:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 12:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 13:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 14:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 15:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-06 16:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-06 17:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-06 18:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-06 19:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-06 20:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-06 21:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-06 22:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-06 23:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 00:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 01:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 02:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 03:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 04:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\tuEQB5A7.exe
"2008-03-07 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 11:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 15:09:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 11:54:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-07 11:57:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-07 16:57:42



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:48 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijack this\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.226.167.221:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149093394186
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: c:\windows\system32\awtssqr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cscxts - cscxts.dll (file missing)
O20 - Winlogon Notify: iiiigec - iiiigec.dll (file missing)
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JMP License Service - SAS Institute Inc. - C:\Program Files\Common Files\SAS Institute Inc Shared\Service\JMPLicSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8758 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 07 March 2008 - 01:44 PM

Click Start/Run, type CMD, then press OK.
At the command prompt, copy and paste the following command in bold text below, then press Enter:
DEL C:\WINDOWS\Tasks\At*.job
Then type EXIT, then press Enter.


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
Read this article:
http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your PC:
Viewpoint
Viewpoint Toolbar
Viewpoint Manager
Viewpoint Media Player



Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.
File::
C:\WINDOWS\SYSTEM32\ihkmp.ini
C:\WINDOWS\SYSTEM32\L2649.tmp
C:\WINDOWS\SYSTEM32\LF8F0.tmp
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscxts]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiiigec]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrs32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Download FindAWF.exe and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Double-click FindAWF.exe to start the tool.
Select option #2 - Restore files from bak folders - by typing 2 and pressing 'Enter'.
A text file will open up.
Please copy and paste ALL the following text inside the code box below into the text file:
"C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Elite.home.xml"
"C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Elite.home.xml.recent"
"C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Facade Wide.home.xml"
"C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Facade Wide.home.xml.recent"
"C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\myPhone_fish34.home.xml"
"C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\myPhone_fish34.home.xml.recent"
"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
"C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Zone Labs\ZoneAlarmPro 4\bak\zlclient.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\SYSTEM\bak\hpsysdrv.exe"
"C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
"C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
"C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
"C:\WINDOWS\SYSTEM32\bak\ps2.exe"
"C:\WINDOWS\SYSTEM32\bak\usb.exe"
Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log.
Copy and paste the contents of that log in your next reply.
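The three persistence locations RichieUK's CFScript and DEL command act on (Winlogon Notify subkeys reported with a bare DLL name, the AppInit_DLLs value, and the hourly At*.job tasks all pointing at one random-named system32 binary) can be pulled out of a ComboFix log automatically. The Python triage script below is an added example, not part of RichieUK's instructions or of ComboFix/FindAWF; the log excerpt it parses is constructed to mirror this thread's entries, and the "random-looking name" heuristic is my own assumption, not a ComboFix rule.

```python
import re

# Constructed excerpt in ComboFix's log format, mirroring the entries in this
# thread (same key layout; not a real file from the affected machine).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscxts]
cscxts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\awtssqr.dll

Contents of the 'Scheduled Tasks' folder
"2008-03-07 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\k3wPF5Rt.exe
"2008-03-07 15:09:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"""

# ComboFix prints each Winlogon\Notify subkey as a bracketed header line
# followed by the DLL it points at.
NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(?P<name>[^\]]+)\]$", re.I)
APPINIT = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$', re.I)
TASK = re.compile(r'^"(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<path>.+\.job)"$', re.I)
TARGET = re.compile(r"^- (?P<target>.+)$")
# Heuristic (my assumption, not a ComboFix rule): a basename mixing digits,
# lower- and upper-case letters with no recognisable word looks machine-generated.
RANDOMISH = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")


def parse_winlogon_notify(log: str) -> list[tuple[str, str]]:
    """Return (subkey, value_line) for every Winlogon\\Notify entry in the log."""
    lines = [l.strip() for l in log.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = NOTIFY_KEY.match(line)
        if not m:
            continue
        # The value is the next non-empty line, unless the next section starts first.
        value = next((l for l in lines[i + 1:] if l), "")
        entries.append((m.group("name"), "" if value.startswith("[") else value))
    return entries


def orphaned_notify_dlls(log: str) -> list[str]:
    """Notify subkeys whose DLL is listed as a bare file name.

    When ComboFix can locate the DLL it prints the full path plus timestamp and
    size; a bare name means the file is missing (an orphaned entry left behind by
    a removed infection, shown by HijackThis as 'file missing') or hidden.
    """
    return [name for name, value in parse_winlogon_notify(log) if "\\" not in value]


def appinit_dlls(log: str) -> str:
    """The AppInit_DLLs value, or '' when unset. Anything listed here is loaded
    into every process that loads user32.dll, so a non-empty value always
    deserves a look."""
    for line in log.splitlines():
        m = APPINIT.match(line.strip())
        if m:
            return m.group("value").strip()
    return ""


def at_job_targets(log: str) -> dict[str, int]:
    """Map each program launched by an At<N>.job task to the number of such jobs."""
    lines = [l.strip() for l in log.splitlines()]
    counts: dict[str, int] = {}
    for i, line in enumerate(lines):
        m = TASK.match(line)
        if not m or not re.fullmatch(r"At\d+\.job", m.group("path").rsplit("\\", 1)[-1], re.I):
            continue
        t = TARGET.match(lines[i + 1]) if i + 1 < len(lines) else None
        if t:
            counts[t.group("target")] = counts.get(t.group("target"), 0) + 1
    return counts


def looks_random(path: str) -> bool:
    """True when the file's basename (without extension) matches RANDOMISH."""
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return RANDOMISH.match(base) is not None


def triage(log: str) -> dict:
    """Collect the three findings this thread's cleanup script acts on."""
    return {
        "orphaned_notify": orphaned_notify_dlls(log),
        "appinit_dlls": appinit_dlls(log),
        # Many hourly At jobs all pointing at one random-named system32 binary
        # is the pattern behind the 'DEL C:\WINDOWS\Tasks\At*.job' step above.
        "suspicious_at_jobs": {t: n for t, n in at_job_targets(log).items() if looks_random(t)},
    }


if __name__ == "__main__":
    for key, finding in triage(SAMPLE_LOG).items():
        print(f"{key}: {finding}")
```

Run against a full ComboFix log the script lists the same entries the CFScript above removes, which makes it a quick way to confirm that a follow-up log comes back clean.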

#7 fazz

fazz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:04:12 AM

Posted 07 March 2008 - 05:58 PM

Hey Richie, thanks again for helping me. So I wanted to ask, just out of curiosity: what is AWF, and why couldn't it find it with ComboFix? Anyway, here are the logs:


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Fri 03/07/2008
The current time is: 17:55:56.81


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

07/06/2001 05:56 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

07/15/2006 07:38 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SMINST\BAK

06/15/2001 06:34 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 12:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 11:56 PM 15,360 ctfmon.exe
08/07/2001 07:36 PM 90,112 hkcmd.exe
08/07/2001 08:25 PM 143,360 igfxtray.exe
07/09/2001 01:50 AM 155,648 NeroCheck.exe
07/03/2001 05:13 PM 81,920 ps2.exe
07/03/2001 05:14 PM 102,400 usb.exe
6 File(s) 588,800 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

08/07/2006 08:13 AM 369,664 avgcc.exe
1 File(s) 369,664 bytes

Directory of C:\PROGRA~1\ZONELA~1\ZONEAL~2\BAK

12/15/2003 02:57 PM 693,528 zlclient.exe
1 File(s) 693,528 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/29/2003 05:48 PM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

05/03/2006 01:56 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\DOCUME~1\OWNER\DESKTOP\STUFF\BLACKJ~1\2-15-2~1\BLACKJ~1\BAK

10/15/2007 12:42 AM 6,894 Elite.home.xml
10/15/2007 12:45 AM 6,894 Elite.home.xml.recent
05/21/2007 07:48 PM 16,523 Facade Wide.home.xml
05/22/2007 03:18 AM 16,523 Facade Wide.home.xml.recent
05/22/2007 02:49 AM 9,991 myPhone_fish34.home.xml
05/22/2007 02:52 AM 9,991 myPhone_fish34.home.xml.recent
6 File(s) 66,816 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Jul 6 2001 "C:\hp\KBD\KBD.EXE"
61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.EXE"
282624 Jul 15 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Jul 15 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Jun 15 2001 "C:\WINDOWS\SMINST\RECGUARD.EXE"
212992 Jun 15 2001 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\SYSTEM\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\SYSTEM\bak\hpsysdrv.exe"
15360 Aug 3 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
90112 Aug 7 2001 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
90112 Aug 7 2001 "C:\hp\drivers\video\HKCMD.EXE"
90112 Aug 7 2001 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
143360 Aug 7 2001 "C:\WINDOWS\SYSTEM32\igfxtray.exe"
143360 Aug 7 2001 "C:\hp\drivers\video\IGFXTRAY.EXE"
143360 Aug 7 2001 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
155648 Jul 9 2001 "C:\Documents and Settings\Owner\Fazz's Documents\Setup Files\Misc\Nero Burning\System\NeroCheck.exe"
81920 Jul 3 2001 "C:\WINDOWS\SYSTEM32\ps2.exe"
81920 Jul 3 2001 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Jul 3 2001 "C:\WINDOWS\SYSTEM32\bak\ps2.exe"
102400 Jul 3 2001 "C:\WINDOWS\SYSTEM32\usb.exe"
102400 Jul 3 2001 "C:\hp\drivers\keyboard\USB.EXE"
102400 Jul 3 2001 "C:\WINDOWS\SYSTEM32\bak\usb.exe"
369664 Aug 7 2006 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
369664 Aug 7 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
693528 Dec 15 2003 "C:\Program Files\Zone Labs\ZoneAlarmPro 4\zlclient.exe"
693528 Dec 15 2003 "C:\Program Files\Zone Labs\ZoneAlarmPro 4\bak\zlclient.exe"
151597 Aug 29 2003 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Aug 29 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
144784 Feb 22 2008 "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe"
6894 Oct 15 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\Elite.home.xml.recent"
6894 Oct 15 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Elite.home.xml.recent"
6894 Oct 15 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\Elite.home.xml"
6894 Oct 15 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Elite.home.xml"
16523 May 22 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\Facade Wide.home.xml.recent"
16523 May 22 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Facade Wide.home.xml.recent"
16523 May 21 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\Facade Wide.home.xml"
16523 May 21 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Facade Wide.home.xml"
9991 May 22 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\myPhone_fish34.home.xml.recent"
9991 May 22 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\myPhone_fish34.home.xml.recent"
9999 May 22 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\myPhone_fish34.home.xml"
9991 May 22 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\myPhonev3.3_files\myPhone_fish34.home.xml"
9991 May 22 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\myPhone_fish34.home.xml"
9991 May 22 2007 "C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\myPhone_fish34.home.xml"


end of report




COMBOFIX LOG:

ComboFix 08-03-07.1 - Owner 2008-03-07 17:50:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.192 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\ihkmp.ini
C:\WINDOWS\SYSTEM32\L2649.tmp
C:\WINDOWS\SYSTEM32\LF8F0.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\ihkmp.ini
C:\WINDOWS\SYSTEM32\L2649.tmp
C:\WINDOWS\SYSTEM32\LF8F0.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 11:45 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-07 11:44 . 2008-03-07 11:44 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-05 03:16 . 2008-03-05 03:16 597 --a------ C:\WINDOWS\SYSTEM32\tversity.cookies
2008-02-17 00:40 . 2008-02-17 00:40 94 --a------ C:\WINDOWS\wininit.ini
2008-02-15 20:38 . 2008-02-15 21:28 <DIR> d-------- C:\Program Files\CeRegEditor
2008-02-15 17:39 . 2008-02-15 17:39 <DIR> d-------- C:\Program Files\SAMSUNG
2008-02-15 17:39 . 2006-04-20 14:34 100,304 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdmdm.sys
2008-02-15 17:39 . 2006-04-20 14:35 79,216 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdserd.sys
2008-02-15 17:39 . 2006-04-20 14:33 66,672 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdbus.sys
2008-02-15 17:39 . 2006-04-20 14:34 9,328 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdmdfl.sys
2008-02-15 17:39 . 2006-04-20 14:34 6,240 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdcmnt.sys
2008-02-15 17:39 . 2006-04-20 14:34 6,240 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdcm.sys
2008-02-15 17:39 . 2006-04-20 14:33 5,904 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdwhnt.sys
2008-02-15 17:39 . 2006-04-20 14:33 5,904 --a------ C:\WINDOWS\SYSTEM32\drivers\sscdwh.sys
2008-02-13 23:07 . 2008-02-13 23:07 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-02-09 11:31 . 2008-03-07 01:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-09 11:31 . 2008-02-09 11:31 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 22:31 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-07 16:44 --------- d-----w C:\Program Files\Java
2008-03-07 13:47 --------- dc----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-05 08:19 --------- d--h--w C:\Program Files\ArcSoft
2008-03-05 07:05 --------- d-----w C:\Program Files\PeerGuardian_1.99pr7
2008-03-04 07:04 --------- dc----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-22 13:35 --------- dc----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-17 05:46 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 23:34 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-05 16:34 1,032,192 ----a-w C:\WINDOWS\explorer.exe
2008-01-10 04:39 --------- d-----w C:\Program Files\LiveUpdate
2008-01-10 04:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 09:10 --------- d-----w C:\Program Files\mIRC
2008-01-07 03:52 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-02-09 06:01 3,656 ----a-w C:\Program Files\Read_Me.txt
2007-01-21 22:20 45,619 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_01_20_13_58_59_small.dmp.zip
2007-01-21 04:22 1,782 ----a-w C:\Program Files\illusion.reg
2006-07-25 21:18 0 -c--a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2005-10-23 00:30 50,096 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-09-14 16:00 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys
2004-09-04 16:38 62 -c--a-w C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
2004-09-02 21:46 215,462 -c--a-w C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
2004-08-20 01:22 212,776 -c--a-w C:\Documents and Settings\Sunnam\Application Data\tvmknwrd.dll
2004-05-13 01:10 36 -c--a-w C:\Documents and Settings\Owner\klextlock.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_11.57.19.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
+ 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\nircmd.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 6,894 2007-10-15 05:42:38 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Elite.home.xml
----a-w 6,512 2008-02-08 07:07:36 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\Elite.home.xml

----a-w 6,894 2007-10-15 05:45:20 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Elite.home.xml.recent

----a-w 16,523 2007-05-22 00:48:38 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Facade Wide.home.xml
-c--a-w 16,886 2007-05-22 22:18:14 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\Facade Wide.home.xml

----a-w 16,523 2007-05-22 08:18:10 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\Facade Wide.home.xml.recent

----a-w 9,991 2007-05-22 07:49:16 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\myPhone_fish34.home.xml

----a-w 9,991 2007-05-22 07:52:52 C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak\myPhone_fish34.home.xml.recent

----a-w 61,440 2001-07-06 22:56:56 C:\hp\KBD\bak\KBD.EXE

----a-w 151,597 2003-08-29 22:48:31 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 369,664 2006-08-07 13:13:53 C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe
----a-w 579,072 2007-12-21 14:11:59 C:\Program Files\Grisoft\AVG Free\avgcc.exe

----a-w 36,975 2006-05-03 06:56:56 C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe

----a-w 282,624 2006-07-16 00:38:33 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 693,528 2003-12-15 19:57:12 C:\Program Files\Zone Labs\ZoneAlarmPro 4\bak\zlclient.exe

----a-w 212,992 2001-06-15 23:34:56 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 52,736 1998-05-07 17:04:38 C:\WINDOWS\SYSTEM\bak\hpsysdrv.exe

----a-w 15,360 2004-08-04 04:56:50 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 04:56:50 C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-w 90,112 2001-08-08 00:36:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe

----a-w 143,360 2001-08-08 01:25:48 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

----a-w 155,648 2001-07-09 06:50:42 C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe

----a-w 81,920 2001-07-03 22:13:56 C:\WINDOWS\SYSTEM32\bak\ps2.exe

----a-w 102,400 2001-07-03 22:14:08 C:\WINDOWS\SYSTEM32\bak\usb.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 03:15 68856]
"Aim6"="" []
"SoundMan"="C:\WINDOWS\system32\SOUNDMAN.EXE" [ ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3tray2.exe" [2001-10-04 14:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:11 579072]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"SecureClean4RegManager"="C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe" [2003-10-14 11:13 1266176]
"SecureClean4Tray"="C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe" [2003-10-13 10:58 1570304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:12 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamWizard]
C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a--c--- 2003-10-02 01:20 81920 C:\Program Files\Daemon Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
C:\PROGRA~1\AIM\\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESPN360]
C:\Program Files\ESPN360\bin\espn360.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a--c--- 2003-12-09 23:19 278528 C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2006-03-22 23:13 1591808 C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2006-05-11 20:42 3284992 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 15:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2006-12-21 21:54 257272 C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PGtray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2007-08-29 09:45 208941 C:\Program Files\Real\RealOne Player\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a--c--- 2005-01-25 15:31 1159168 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-01-10 15:14 1310720 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp3\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2003-12-05 11:51 1490944 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
--a--c--- 2001-10-15 14:04 127030 C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Stuff\\SopCast_062\\SopCast\\SopCast.exe"=
"%windir%\\explorer.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 02:16]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 13:37]
R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS [2002-08-04 16:47]
S3 TICalc;TICalc;C:\WINDOWS\system32\drivers\TICalc.sys [1999-08-30 13:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83e40808-7997-11db-80a0-00e0185b86e3}]
\Shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 19:09:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 17:52:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-07 17:53:52
ComboFix-quarantined-files.txt 2008-03-07 22:53:30
ComboFix2.txt 2008-03-07 16:57:46

Edited by fazz, 07 March 2008 - 06:02 PM.


#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 07 March 2008 - 06:24 PM

Please download OTMoveIt by OldTimer and save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\hp\KBD\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\SYSTEM\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Grisoft\AVG Free\bak
C:\Program Files\Java\jre1.5.0_07\bin\bak
C:\Program Files\Zone Labs\ZoneAlarmPro 4\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Documents and Settings\Owner\Desktop\Stuff\Blackjack Files\2-15-2008 stuff\Blackjack backup files\bak
C:\Documents and Settings\All Users\Application Data\Viewpoint


Return to OTMoveIt, right click on the "Paste Custom List of Files/Folders to Move" window under the "yellow" bar at the bottom, and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt by clicking on the "Exit" button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download and scan with CCleaner:
http://www.ccleaner.com/downloadbuilds.asp
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
* Clean all entries in the "Internet Explorer" section except Cookies.
* Clean all the entries in the "Windows Explorer" section.
* Clean all entries in the "System" section.
* Clean all entries in the "Advanced" section.
* Clean any others that you choose.

In the Applications Tab:
* Clean all except cookies in the Firefox/Mozilla section if you use it.
* Clean all in the Opera section if you use it.
* Clean Sun Java in the Internet Section.
* Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.


Please download Malwarebytes Anti-Malware and save it to your desktop:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double-click on Download_mbam-setup.exe to install the application.
(If you're running Windows Vista, be sure to "Run As Administrator").
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both these checked:
-- Update Malwarebytes' Anti-Malware
-- Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
On the Scanner tab:
-- Make sure the "Perform Quick Scan" option is selected.
-- Then click on the Scan button.
The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you're asked to restart the computer, please do so immediately.


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected. It does not provide an option to clean/disinfect; I need to see the scan results.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

Also post a new HijackThis log, and let me know how your pc is running now.
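The folders in the OTMoveIt list above are the same `bak` folders the ComboFix AWF section reported: a subfolder named `bak` holding a copy of an executable that also exists in the parent folder, sometimes with a different size (avgcc.exe, 369,664 bytes in `bak` against 579,072 beside it) and sometimes byte-for-byte the same (ctfmon.exe, 15,360 in both places). The following Python script is an added example for readers of this thread; it is not code from the thread, from OTMoveIt or from ComboFix. It walks a root folder, reports every `bak` file that shadows a same-named file in its parent (with sizes and SHA-256 of both copies so the two can be compared), and then moves the `bak` folders into a quarantine folder while preserving their relative paths, which is the move-rather-than-delete step the helper has OTMoveIt perform. The folder name `bak`, the quarantine location, and the small directory tree the script builds to demonstrate itself (constructed sample data mirroring paths from the log, with fake file contents) are all assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

BAK_NAME = "bak"  # assumed folder name, taken from the paths in the log


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bak_folders(root: Path):
    """All folders named `bak` under root, shallowest first."""
    found = [Path(dp) for dp, _, _ in os.walk(root) if Path(dp).name.lower() == BAK_NAME]
    return sorted(found, key=lambda p: (len(p.parts), str(p)))


def find_bak_shadows(root: Path):
    """Report each file in a `bak` folder that has a same-named file in the
    parent folder (the pairing the AWF section lists), with sizes, hashes and
    whether the two copies are identical. Files with no live sibling are
    still quarantined below but are not reported as shadows."""
    findings = []
    for bak in bak_folders(root):
        for entry in bak.iterdir():
            sibling = bak.parent / entry.name
            if not (entry.is_file() and sibling.is_file()):
                continue
            bak_hash, live_hash = sha256_of(entry), sha256_of(sibling)
            findings.append({
                "name": entry.name,
                "bak_path": str(entry),
                "live_path": str(sibling),
                "bak_size": entry.stat().st_size,
                "live_size": sibling.stat().st_size,
                "bak_sha256": bak_hash,
                "live_sha256": live_hash,
                "identical": bak_hash == live_hash,
            })
    return sorted(findings, key=lambda f: f["bak_path"])


def quarantine_bak_folders(root: Path, quarantine: Path):
    """Move every `bak` folder under root into quarantine, keeping its path
    relative to root so the move is reversible. Returns (source, dest) pairs."""
    moved = []
    for src in bak_folders(root):
        if not src.exists():  # already carried along inside a parent bak folder
            continue
        dst = quarantine / src.relative_to(root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        moved.append((str(src), str(dst)))
    return moved


def build_demo_tree(base: Path) -> None:
    """Constructed sample layout mirroring paths from the log; contents are fake."""
    sys32 = base / "WINDOWS" / "SYSTEM32"
    avg = base / "Program Files" / "Grisoft" / "AVG Free"
    for folder in (sys32 / BAK_NAME, avg / BAK_NAME):
        folder.mkdir(parents=True, exist_ok=True)
    (sys32 / "ctfmon.exe").write_bytes(b"MZ" + b"\x00" * 100)
    (sys32 / BAK_NAME / "ctfmon.exe").write_bytes(b"MZ" + b"\x00" * 100)  # identical pair
    (sys32 / BAK_NAME / "hkcmd.exe").write_bytes(b"MZ" + b"\x03" * 50)    # no live sibling
    (avg / "avgcc.exe").write_bytes(b"MZ" + b"\x01" * 200)
    (avg / BAK_NAME / "avgcc.exe").write_bytes(b"MZ" + b"\x02" * 150)     # differs in size and bytes


def run_demo():
    """Build the sample tree in temp dirs, scan it, quarantine, then rescan."""
    base = Path(tempfile.mkdtemp(prefix="bak_demo_"))
    quarantine = Path(tempfile.mkdtemp(prefix="bak_quarantine_"))
    build_demo_tree(base)
    before = find_bak_shadows(base)
    moved = quarantine_bak_folders(base, quarantine)
    after = find_bak_shadows(base)
    return before, moved, after


if __name__ == "__main__":
    before, moved, after = run_demo()
    for f in before:
        print(f"{f['name']}: bak {f['bak_size']} B vs live {f['live_size']} B, "
              f"identical={f['identical']}")
    for src, dst in moved:
        print(f"moved {src} -> {dst}")
    print(f"shadows remaining after quarantine: {len(after)}")
```

On a real machine you would call `find_bak_shadows(Path("C:/"))` first and read the report before deciding to quarantine anything; the hashes let you tell a stale but legitimate backup (identical copies, as with ctfmon.exe) from a pair where the live file has been replaced by something of a different size, which is the case that deserves a closer look.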



