Smitfraud-c.core / Rootkit Tncore Problems

This topic is locked. 8 replies to this topic.

#1 Kristopher McDougall (Members, 57 posts, Issaquah, WA)

Posted 27 February 2008 - 08:57 PM

Hello all, I am having some problems with my computer. I have some major pop-ups going on. It does not seem to matter what browser I use, be it Opera, IE 7, or Firefox. I did a scan with Spybot and found some files associated with smitfraud. I have read several posts regarding the removal of smitfraud but have yet to totally get it off my system. Depending on what program I use to scan the computer (Spybot, Ad-Aware, Trend Micro, etc.) they either say I have smitfraud-c.core or rootkit tncore. I removed several items with HijackThis and the problem got better but did not totally go away. I am not sure if this second problem is related to the first, but the computer will bluescreen and restart. I have yet to actually be at the computer when it has happened, but it seems like about once a day I will come back to the computer and it will be at the logon screen, and when I get in it lets me know it restarted. Let me know what you all think, any help would be greatly welcome. I have put so many hours into this already it would have been faster to format and reinstall, but I really do not want to do this; my wife has TONS of stuff on here and it would be a pain to back it all up and reinstall all her apps lol. Thanks again all! Here is what my HijackThis log looks like now:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:20 PM, on 2/27/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://pewin2k3:1024/VirtualServer/activex...tiveXClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF9F29D7-3220-4562-A915-BD15FE184811}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Collages Service - Collages.net, Inc. http://collages.net/ - C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6228 bytes
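The O4 autostart lines in the HijackThis log above (and the ComboFix policy lines posted later in the thread) can be triaged mechanically before anyone decides what to remove. The following is an added example written for this page, not a tool from BleepingComputer, Trend Micro or the thread participants; the flag names, the trusted-directory list and the `updater` sample line are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# HijackThis O4 autostart line, e.g.
#   O4 - HKUS\S-1-5-19\..\Run: [Name] C:\path\prog.exe (User 'LOCAL SERVICE')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First token of the command that ends in a binary extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|cmd|bat))"?', re.IGNORECASE)
# Assumption for this example: legitimately installed autostarts live under these roots.
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")
# SYSTEM, LOCAL SERVICE, NETWORK SERVICE: third-party autostarts under these are unusual.
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")
# ComboFix "Reg Loading Points" policy values, e.g.  "EnableLUA"= 0 (0x0)
POLICY_RE = re.compile(r'^"(?P<key>EnableLUA|EnableFirewall)"=\s*(?P<val>\d+)')


@dataclass
class Autostart:
    hive: str
    name: str
    path: str
    user: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Autostart]:
    """Parse one O4 line and attach triage flags; None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m["cmd"])
    path = exe["path"] if exe else m["cmd"]
    entry = Autostart(m["hive"], m["name"], path, m["user"])
    low = path.lower()
    if "\\" not in path:
        # Bare file name: resolved through the search path at logon, not a fixed location.
        entry.flags.append("unqualified_path")
    elif not low.startswith(TRUSTED_DIRS):
        entry.flags.append("outside_trusted_dirs")
    if any(sid in entry.hive for sid in SERVICE_SIDS) and "\\" in path \
            and not low.startswith("c:\\windows"):
        # Third-party software registered to start under a built-in service account.
        entry.flags.append("service_account_autostart")
    return entry


def triage(text: str) -> List[Autostart]:
    return [e for e in map(parse_o4, text.splitlines()) if e]


def flagged(text: str) -> Dict[str, List[str]]:
    """Map entry name -> flags, for entries that earned at least one flag."""
    return {e.name: e.flags for e in triage(text) if e.flags}


def policy_findings(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (section, key) for each UAC / firewall policy value that is 0."""
    findings, section = [], ""
    for line in lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = POLICY_RE.match(line)
        if m and int(m["val"]) == 0:
            findings.append((section, m["key"]))
    return findings


# Constructed sample: four lines copied from the log above plus one made-up entry ('updater').
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-19\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKLM\..\Run: [updater] C:\Users\Public\updater.exe
"""

# Constructed sample in ComboFix's format; the StandardProfile value is altered to 1 here.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_HJT):
        print(f"{e.hive:<16} {e.name:<24} {e.path}  {','.join(e.flags)}")
    for section, key in policy_findings(SAMPLE_COMBOFIX.splitlines()):
        print(f"{key} is 0 under [{section}]")
```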


#2 ken545 (Malware Response Team, 1,685 posts, The Space Coast of Florida)

Posted 03 March 2008 - 07:24 AM

Hello Kristopher,

Welcome to the Bleeping Computer Malware Removal Forum. Sorry for the delay in responding, but the amount of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to.

You should never, never remove anything with HJT on your own; remove the wrong entries and you can bork your computer. Besides, whatever you removed would have let us know what you're infected with, and now I really don't have a clue; I see nothing on your log for smitfraud. Did this issue with your computer rebooting happen before or after you removed those entries with HJT?


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.



Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.


Post the Malwarebytes log, the Kaspersky log and a new HJT log please

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#3 Kristopher McDougall (Topic Starter, Members, 57 posts, Issaquah, WA)

Posted 04 March 2008 - 08:49 PM

Hello and thank you for helping, no worry about the wait. Attached are my three logs you requested. About the restarts, it seemed to start about the time the pop-ups did. The blue screen says something about pool_data, I didn't see the BSOD long enough to get the full error but will watch for it again and get you the full error info.

Thanks again, let me know what you need next :thumbsup:




#4 ken545 (Malware Response Team, 1,685 posts, The Space Coast of Florida)

Posted 04 March 2008 - 09:14 PM

Kris,

You have a marker in your Malwarebytes log for the Vundo Trojan


Download this program to your DESKTOP, you will have to Right click it and select Run as Administrator


Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • If you have not already done so, Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now right click on combofix.exe run as administrator & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.


I need you to post the logs directly into this thread instead of attaching them please



#5 Kristopher McDougall (Topic Starter, Members, 57 posts, Issaquah, WA)

Posted 04 March 2008 - 10:18 PM

Hello, here are the logs. Also, after the reboot from ComboFix, my AV reported finding 'freeloader smitfraud' in file 'c:\combofix\dumphive.cfexe'.


ComboFix 08-03-04.5 - Kristopher McDougall 2008-03-04 18:51:26.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.2169 [GMT -8:00]
Running from: C:\Users\Kristopher McDougall\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\battcc.sys
C:\Windows\system32\drivers\BrFiltLoo.sys
C:\Windows\system32\drivers\core.cache.dsk
C:\Windows\system32\drivers\rspndrr.sys
C:\Windows\system32\drivers\usb80233.sys
C:\Windows\system32\drivers\usbaapll.sys
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_USBAAPLL
-------\usbaapll


((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-03 17:47 . 2008-03-03 17:47 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-03-03 17:47 . 2008-03-03 17:47 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-03-03 17:47 . 2008-03-03 17:47 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-03-03 17:40 . 2008-03-03 17:40 <DIR> d-------- C:\Users\Kristopher McDougall\AppData\Roaming\Malwarebytes
2008-03-03 17:40 . 2008-03-03 17:40 <DIR> d-------- C:\Users\Kristopher McDougall\AppData\Roaming\Download Manager
2008-03-03 17:40 . 2008-03-03 17:40 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-03-03 17:40 . 2008-03-03 17:40 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-03-03 17:40 . 2008-03-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-01 08:25 . 2008-03-01 08:25 <DIR> d-------- C:\Program Files\TheSpringBox
2008-02-28 07:32 . 2008-03-04 11:31 344,136,849 --a------ C:\Windows\MEMORY.DMP
2008-02-27 18:00 . 2008-02-27 18:00 2,335,270 --a------ C:\Windows\System32\1a151BF.mht
2008-02-23 16:24 . 2008-02-23 16:24 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-02-23 16:24 . 2008-02-23 16:24 43,698 --a------ C:\Windows\System32\xvid-uninstall.exe
2008-02-23 16:23 . 2008-02-23 16:23 <DIR> d-------- C:\Program Files\Gabest
2008-02-23 16:23 . 2008-02-23 16:24 <DIR> d-------- C:\Program Files\AutoGK
2008-02-20 23:19 . 2008-03-03 17:34 <DIR> d-------- C:\Users\Kristopher McDougall\AppData\Roaming\SUPERAntiSpyware.com
2008-02-20 23:19 . 2008-02-20 23:19 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-02-20 23:19 . 2008-02-20 23:19 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-02-20 23:19 . 2008-03-03 17:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-18 14:18 . 2007-03-14 02:20 25,600 --a------ C:\Windows\System32\GTCCRMON.DLL
2008-02-16 18:31 . 2008-02-16 18:32 704 --a------ C:\Windows\System32\tmp.reg
2008-02-16 18:26 . 2008-02-16 18:26 <DIR> d-------- C:\Windows\Content.IE5
2008-02-16 18:16 . 2008-02-17 15:28 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-16 18:16 . 2008-02-16 18:16 <DIR> d-------- C:\Program Files\CCleaner
2008-02-16 18:15 . 2008-02-16 18:15 101 --a------ C:\Windows\wininit.ini
2008-02-16 17:32 . 2008-02-16 17:45 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-16 17:32 . 2008-02-16 17:45 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-16 17:32 . 2008-02-16 17:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-16 14:30 . 2007-09-17 14:31 1,126,072 --a------ C:\Windows\System32\drivers\vsapint.sys
2008-02-16 14:30 . 2006-12-28 22:53 288,848 --a------ C:\Windows\System32\drivers\TM_CFW.sys
2008-02-16 14:30 . 2007-09-17 14:40 202,768 --a------ C:\Windows\System32\drivers\tmxpflt.sys
2008-02-16 14:30 . 2006-12-28 22:53 111,888 --a------ C:\Windows\System32\drivers\tm_mbd_c.sys
2008-02-16 14:30 . 2007-01-24 17:45 102,800 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-02-16 14:30 . 2006-12-28 22:53 75,088 --a------ C:\Windows\System32\drivers\tmtdi.sys
2008-02-16 14:30 . 2007-09-17 14:40 35,856 --a------ C:\Windows\System32\drivers\tmpreflt.sys
2008-02-16 14:29 . 2008-02-16 14:32 <DIR> d-------- C:\Users\All Users\Trend Micro
2008-02-16 14:29 . 2008-02-16 14:32 <DIR> d-------- C:\ProgramData\Trend Micro
2008-02-16 14:28 . 2008-02-27 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 14:26 . 2008-02-16 14:26 <DIR> d-------- C:\Users\All Users\Avg7
2008-02-16 14:26 . 2008-02-16 14:26 <DIR> d-------- C:\ProgramData\Avg7
2008-02-13 18:33 . 2008-02-13 18:33 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-13 18:22 . 2008-02-14 19:44 <DIR> d-------- C:\Users\Kristopher McDougall\.housecall6.6
2008-02-13 03:31 . 2008-02-13 03:31 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 03:31 . 2008-02-13 03:31 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 03:12 . 2008-02-13 03:12 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-13 03:12 . 2008-02-13 03:12 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-13 03:12 . 2008-02-13 03:12 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-13 03:12 . 2008-02-13 03:12 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-13 03:12 . 2008-02-13 03:12 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-13 03:12 . 2008-02-13 03:12 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-13 03:12 . 2008-02-13 03:12 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-02-13 03:05 . 2008-02-13 03:05 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 03:05 . 2008-02-13 03:05 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-13 03:05 . 2008-02-13 03:05 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-13 03:05 . 2008-02-13 03:05 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-13 03:05 . 2008-02-13 03:05 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-13 03:05 . 2008-02-13 03:05 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-13 03:05 . 2008-02-13 03:05 22,016 --a------ C:\Windows\System32\netiougc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 01:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 02:44 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-13 11:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 11:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 11:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 11:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 11:03 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 11:03 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 11:03 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 11:03 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-06 18:49 --------- d-----w C:\ProgramData\FLEXnet
2008-02-04 07:07 --------- d-----w C:\Program Files\Opera
2008-02-04 07:03 --------- d-----w C:\ProgramData\VMware
2008-02-04 06:53 --------- d-----w C:\Users\Kristopher McDougall\AppData\Roaming\VMware
2008-02-04 06:34 --------- d-----w C:\ProgramData\Lavasoft
2008-02-04 06:33 --------- d-----w C:\Program Files\Lavasoft
2008-02-03 07:31 --------- d-----w C:\Users\Kristopher McDougall\AppData\Roaming\uTorrent
2008-02-01 00:07 --------- d---a-w C:\ProgramData\TEMP
2008-01-31 23:47 --------- d-----w C:\Program Files\My Exotic Farm
2008-01-28 05:39 --------- d-----w C:\Program Files\World of Warcraft
2008-01-23 20:05 --------- d-----w C:\Program Files\iTunes
2008-01-23 20:05 --------- d-----w C:\Program Files\iPod
2008-01-23 20:04 --------- d-----w C:\Program Files\QuickTime
2008-01-21 19:27 --------- d-----w C:\Users\Kristopher McDougall\AppData\Roaming\Gamelab
2008-01-21 19:17 --------- d-----w C:\Program Files\Jojo's Fashion Show
2008-01-20 22:53 --------- d-----w C:\Program Files\The Sims Carnival SnapCity
2008-01-17 01:36 --------- d-----w C:\Users\Kristopher McDougall\AppData\Roaming\U3
2008-01-10 11:12 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-10 11:12 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 11:04 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-10 11:04 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 11:04 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-08 08:48 --------- d-----w C:\Program Files\Hasbro
2008-01-08 08:12 --------- d-----w C:\Program Files\DivX
2008-01-08 04:20 --------- d-----w C:\Program Files\WinASO
2008-01-08 03:50 --------- d-----w C:\Program Files\ASUS
2008-01-08 03:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-07 04:01 --------- d-----w C:\ProgramData\Office Genuine Advantage
2007-12-14 19:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-12-12 11:05 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 11:05 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 11:05 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-11 19:46 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2007-12-11 19:43 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2007-09-09 10:21 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CollagesSystray"="C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe" [2007-09-25 13:44 151552]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 04:34 125440]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 15:27 455968]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-11 17:59 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-28 22:52 3429904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CollagesSystray"="C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe" [2007-09-25 13:44 151552]

C:\Users\Kristopher McDougall\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TheSpringBox.lnk - C:\Program Files\TheSpringBox\TheSpringBox.exe [2007-06-14 11:35:52 1695679]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 14:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 08:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-26 00:17 8429568 C:\Windows\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-26 00:17 81920 C:\Windows\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2007-04-26 00:17 86016 C:\Windows\system32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-11 17:59 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
C:\Program Files\VMware\VMware Workstation\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-09-09 02:12 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-693319831-346346037-3553687544-1000]
"EnableNotificationsRef"=dword:00000003

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7560087E-5DEF-4D9B-A7C1-B0DEC8BA19CA}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{07EF5FAC-0A0C-4CA8-AF41-AECA295E862C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{136DD711-BFEE-4D86-850D-65B6CF804EF6}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1B939613-4630-465F-96A3-8D969AD53704}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F2938449-E5D9-4196-A783-0CD18C042F46}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{8E87DD1F-6EDC-4ABE-8E71-775E61706D16}C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe"= UDP:C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW|Desc=GRAW
"UDP Query User{D90175DC-CEF3-4733-BEBC-4F485897DC3A}C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe"= TCP:C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW|Desc=GRAW
"{C76A8FC7-FC41-4CDA-9CA4-1A57E567968D}"= UDP:C:\Program Files\Orb Networks\Orb\bin\Orb.exe:Orb
"{3529EF0F-B061-49B4-8FB6-1B1FDB351838}"= TCP:C:\Program Files\Orb Networks\Orb\bin\Orb.exe:Orb
"{449500FD-88B3-4738-AA3B-DC062CB17FB4}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{43185C97-383A-4ED9-AD6C-D8EBE9C9D6A7}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{A988274F-323B-4BCB-97B8-7773B79BEF19}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbIR.exe:OrbIR
"{304E45A1-6C67-45B8-A52E-D07283DFBE06}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbIR.exe:OrbIR
"{1B87CE06-3802-4263-8133-84B80243EF47}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{4EFA3FBD-1CBB-4DB6-AD55-6F189D0BBF5E}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{CB5FB583-2298-484C-AB3A-903D035BE889}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{AF0EE887-E49E-4850-AA07-C3C1DA98916D}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{D31A29C3-3EB6-435F-8747-985FF492DB24}C:\xampp\apache\bin\apache.exe"= UDP:C:\xampp\apache\bin\apache.exe:Apache HTTP Server|Desc=Apache HTTP Server
"UDP Query User{37C55472-669D-447B-8773-DB87E0983361}C:\xampp\apache\bin\apache.exe"= TCP:C:\xampp\apache\bin\apache.exe:Apache HTTP Server|Desc=Apache HTTP Server
"TCP Query User{96E73838-2D8C-47AA-915C-32A6AF37D356}C:\program files\collages.net inc\collages.net desktop\collagessystray.exe"= UDP:C:\program files\collages.net inc\collages.net desktop\collagessystray.exe:CollagesSysTray|Desc=CollagesSysTray
"UDP Query User{3C6F4035-CC2A-4C7C-B0D0-0B1E02A6F436}C:\program files\collages.net inc\collages.net desktop\collagessystray.exe"= TCP:C:\program files\collages.net inc\collages.net desktop\collagessystray.exe:CollagesSysTray|Desc=CollagesSysTray
"TCP Query User{CE7AFCC9-E724-4BF6-AACE-B39610AD42A3}C:\program files\collages.net inc\collages.net desktop\collagesdesktop.exe"= UDP:C:\program files\collages.net inc\collages.net desktop\collagesdesktop.exe:Collages.net Desktop|Desc=Collages.net Desktop
"UDP Query User{E9EC00E8-66B1-40CD-84F7-14360FDD3304}C:\program files\collages.net inc\collages.net desktop\collagesdesktop.exe"= TCP:C:\program files\collages.net inc\collages.net desktop\collagesdesktop.exe:Collages.net Desktop|Desc=Collages.net Desktop
"TCP Query User{A8A21818-4EFF-4DD5-9D6B-8EDBF32D668F}C:\program files\collages.net inc\collages.net desktop\collagessystray.exe"= UDP:C:\program files\collages.net inc\collages.net desktop\collagessystray.exe:CollagesSysTray|Desc=CollagesSysTray
"UDP Query User{2B464C03-4B53-49F2-90F9-1954C46F1DD3}C:\program files\collages.net inc\collages.net desktop\collagessystray.exe"= TCP:C:\program files\collages.net inc\collages.net desktop\collagessystray.exe:CollagesSysTray|Desc=CollagesSysTray
"{7F86CC5D-A090-4393-A2F5-4CE72E13D905}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{18166383-4809-44CE-B9B8-2E0DCCF64175}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{D6976481-0767-4298-9A8B-AF9C41BC15B7}C:\program files\mozilla firefox\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"UDP Query User{1B41E02B-EC9F-4A46-B7E8-880D9FC1E485}C:\program files\mozilla firefox\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"{1142E8F9-3DCD-4D90-B3F6-BD6C5376C21F}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{7C24F2D3-DB42-40DA-943C-552543F2F057}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{BA4C6309-0C9C-41B1-A341-3ACD44B13DD1}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1C8E045C-6F63-4A16-A052-3A72DC8202B0}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4AF61F62-C9A5-411D-BB06-45C981D108F1}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{EDA23FB2-924E-4789-92D4-348354AAE0C0}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 Collages Service;Collages Service;"C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesService.exe" [2007-09-25 13:44]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 00:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\OblivionLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 18:59:15
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
.
**************************************************************************
.
Completion time: 2008-03-04 19:04:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-05 03:04:39
.
2008-02-29 06:36:07 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:18 PM, on 3/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe
C:\Windows\Explorer.exe
C:\Program Files\TheSpringBox\TheSpringBox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kristopher McDougall\Desktop\killspy\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'Default user')
O4 - Startup: TheSpringBox.lnk = C:\Program Files\TheSpringBox\TheSpringBox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://pewin2k3:1024/VirtualServer/activex...tiveXClient.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Collages Service - Collages.net, Inc. http://collages.net/ - C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6216 bytes

#6 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 05 March 2008 - 04:35 AM

Good Morning,

The files associated with the Vundo Trojan have been removed and your HJT log looks fine :thumbsup:


C:\ComboFix.txt <--You can delete this and also drag Combofix to the trash. Malwarebytes is the free version and yours to keep.

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
**Note** Go to Options > Cookies and move any cookies you want to keep to the Keep window.

How are things running now?

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#7 Kristopher McDougall

  • Topic Starter
  • Members
  • 57 posts
  • Gender:Male
  • Location:Issaquah, WA

Posted 05 March 2008 - 11:24 AM

Thanks for all your help. I saw that the computer did not do the BSOD/restart it usually does and was still running where I left it from last night to this morning! I will dl CCleaner and run as instructed. Thanks again :thumbsup:

#8 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 05 March 2008 - 12:09 PM

You're welcome, Kris,


Glad we could help

Safe Surfn
Ken



#9 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 16 March 2008 - 09:03 AM

Since this issue appears resolved this thread will now be closed. Thank you for using Bleeping Computer.
