
Win32 Problems?


13 replies to this topic

#1 RDTZ

RDTZ

  • Members
  • 7 posts
  • Gender:Male

Posted 01 March 2008 - 02:03 AM

OK, I'm not sure exactly what I have (spyware, adware, etc.), but my computer has been running really slow lately and giving me all sorts of error messages. I have fake Windows Update and Help and Support Center icons on my desktop (they lead to storageprotector.com according to the properties) that simply come back when I try to delete them. Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:15 AM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&...amp;O=A&UT=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [a8e1ca44] rundll32.exe "C:\WINDOWS\system32\krcuesha.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BMabd2f9d8] Rundll32.exe "C:\WINDOWS\system32\iyimqlhy.dll",s
O4 - HKCU\..\Run: [Tvw] "C:\Program Files\Common Files\??stem32\??rss.exe"
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5297 bytes




Thank you for any help!


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 03 March 2008 - 05:48 PM

Please download ComboFix.exe

Save it to the Desktop

Now, double-click combofix.exe to run the program.
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Now, run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt, and a new HijackThis log in your reply.

Old duck...


#3 RDTZ

RDTZ
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 04 March 2008 - 01:57 AM

OK, here is the ComboFix log:

ComboFix 08-03-04.2 - Owner 2008-03-04 0:18:53.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\as.txt
C:\Documents and Settings\Owner\My Documents\DOBE~1
C:\Documents and Settings\Owner\My Documents\DOBE~1\?dobe\
C:\Program Files\Common Files\{38E1C~1
C:\Program Files\Common Files\{38E1C~1\toolbardll.lzma
C:\Program Files\Common Files\{38E1C~1\UnInstall.exe
C:\Program Files\Common Files\{38E1C~2
C:\Program Files\Common Files\{A8E1C~1
C:\Program Files\Common Files\{A8E1C~2
C:\Program Files\Common Files\{A8E1C~3
C:\Program Files\Common Files\{A8E1C~4
C:\Program Files\Common Files\stem32~1
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\outerinfo
C:\Program Files\outlook
C:\Program Files\Temporary
C:\WINDOWS\BMabd2f9d8.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aeuxbtyf.dll
C:\WINDOWS\system32\agnpyjlg.dll
C:\WINDOWS\system32\awttuuv.dll
C:\WINDOWS\system32\biipuiqt.dll
C:\WINDOWS\system32\cactabrj.dll
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cqgrhfiy.dll
C:\WINDOWS\system32\cytudqxn.dll
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\dqmnfebi.dll
C:\WINDOWS\system32\edjtdjtu.dll
C:\WINDOWS\system32\eiyrhlqq.dll
C:\WINDOWS\system32\iyimqlhy.dll
C:\WINDOWS\system32\jkpkpdcl.ini
C:\WINDOWS\system32\jmjcwltq.dll
C:\WINDOWS\system32\jovxjllv.dll
C:\WINDOWS\system32\jrbatcac.ini
C:\WINDOWS\system32\krdpoftt.dll
C:\WINDOWS\system32\lcdpkpkj.dll
C:\WINDOWS\system32\lupegcse.ini
C:\WINDOWS\system32\lxmjgtyh.dll
C:\WINDOWS\system32\main.sys
C:\WINDOWS\system32\nlygnhdu.dll
C:\WINDOWS\system32\pvnbcqoe.dll
C:\WINDOWS\system32\rhqfgeac.dll
C:\WINDOWS\system32\tmvkrpwv.dll
C:\WINDOWS\system32\tqiupiib.ini
C:\WINDOWS\system32\ttfopdrk.ini
C:\WINDOWS\system32\tuvwtqq.dll
C:\WINDOWS\system32\twnhtuol.dll
C:\WINDOWS\system32\unhuyqqb.dll
C:\WINDOWS\system32\vturqqq.dll
C:\WINDOWS\system32\vwprkvmt.ini
C:\WINDOWS\system32\waknxcsf.dll
C:\WINDOWS\system32\wpwpowsp.dll
C:\WINDOWS\system32\wsys.dll
C:\WINDOWS\system32\xgwandab.dll
C:\WINDOWS\system32\xyajjcgo.dll
C:\WINDOWS\system32\ylrjaduu.dll
C:\WINDOWS\system32\yltqwdly.dll
C:\WINDOWS\system32\ytjyxnvy.dll
C:\WINDOWS\system32\yvnxyjty.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_COM+_MESSAGES


((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-01 14:18 . 2008-03-02 18:51 894 ---hs---- C:\WINDOWS\system32\syknjfya.ini
2008-03-01 00:56 . 2008-03-01 00:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 00:47 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-01 00:47 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-01 00:46 . 2008-03-01 00:46 <DIR> d-------- C:\Program Files\Sygate
2008-03-01 00:46 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-02-29 13:41 . 2008-03-01 14:16 654 ---hs---- C:\WINDOWS\system32\ahseucrk.ini
2008-02-28 13:43 . 2008-02-29 13:32 414 ---hs---- C:\WINDOWS\system32\uwgbfbhd.ini
2008-02-28 13:37 . 2008-03-04 00:19 27,156 ---hs---- C:\WINDOWS\system32\cytudqxn.dllbox
2008-02-27 13:37 . 2008-02-27 17:08 354 ---hs---- C:\WINDOWS\system32\equwtdld.ini
2008-02-25 13:17 . 2008-02-25 13:17 294 ---hs---- C:\WINDOWS\system32\sdykhpsk.ini
2008-02-23 15:18 . 2008-02-23 15:18 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-23 00:38 . 2008-02-23 00:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 00:38 . 2008-02-23 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 02:39 . 2008-02-22 02:39 18 --ah----- C:\SYSREST
2008-02-22 01:31 . 2008-02-22 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-21 23:07 . 2008-02-22 01:46 24,262 ---hs---- C:\WINDOWS\system32\hluwjsza.dllbox
2008-02-21 04:32 . 2008-02-21 04:32 54,764 --a------ C:\WINDOWS\system\tap64drv
2008-02-21 04:32 . 2008-02-21 04:35 29,696 --a------ C:\d.exe
2008-02-21 04:32 . 2008-02-21 04:35 2 --a------ C:\-1461597461
2008-02-21 04:31 . 2008-02-21 04:35 58,368 --a------ C:\wpohl.exe
2008-02-21 04:31 . 2008-02-21 04:35 50,176 --a------ C:\arbfikac.exe
2008-02-21 04:22 . 2008-02-21 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-02-20 21:53 . 2008-02-21 04:08 604 --a------ C:\WINDOWS\Wlf.INI
2008-02-20 19:57 . 2008-02-20 19:57 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-02-20 11:02 . 2008-02-20 09:02 101,376 --a------ C:\WINDOWS\b152.exe
2008-02-20 04:29 . 2008-02-20 04:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-02-17 07:17 . 2008-02-17 05:17 50,176 --a------ C:\WINDOWS\b153.exe
2008-02-17 04:24 . 2008-02-17 04:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\QQ Games Plugin
2008-02-17 04:21 . 2008-02-17 04:21 <DIR> d-------- C:\Program Files\Tencent
2008-02-17 04:18 . 2008-02-17 04:18 21 --a------ C:\WINDOWS\atid.ini
2008-02-17 04:16 . 2008-02-17 04:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-07 19:32 . 2008-02-20 17:57 <DIR> d-------- C:\Program Files\City of Heroes
2008-02-04 20:46 . 2008-02-04 20:46 2,447,569 --a------ C:\05 - You'll Rebel To Anything (As Long As It's Not Challenging).m4a.MP3
2008-02-04 20:46 . 2008-02-04 20:46 2,324,689 --a------ C:\04 - Tom Sawyer.m4a.MP3
2008-02-04 20:46 . 2008-02-04 20:46 1,880,816 --a------ C:\02 - 1989.m4a.MP3
2008-02-04 20:45 . 2008-02-04 20:46 2,700,016 --a------ C:\01 - Shut Me Up.m4a.MP3
2008-02-04 20:45 . 2008-02-04 20:45 2,577,136 --a------ C:\10 - Bullbleep.m4a.MP3
2008-02-04 20:45 . 2008-02-04 20:45 2,386,129 --a------ C:\09 - Prom.m4a.MP3
2008-02-04 20:44 . 2008-02-04 20:44 2,328,032 --a------ C:\07 - Stupid MF.m4a.MP3
2008-02-04 20:44 . 2008-02-04 20:44 2,205,152 --a------ C:\08 - 2 Hookers And An Eightball.m4a.MP3
2008-02-04 20:43 . 2008-02-04 20:44 3,024,352 --a------ C:\06 - What Do They Know.m4a.MP3
2008-02-04 20:42 . 2008-02-04 20:43 3,601,136 --a------ C:\03 - Straight To Video.m4a.MP3
2008-02-04 01:21 . 2008-02-04 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 20:48 --------- d-----w C:\Program Files\Trillian
2008-02-27 08:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2008-02-27 08:31 --------- d-----w C:\Program Files\Steam
2008-02-27 07:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-02-26 19:03 --------- d-s---w C:\Program Files\Xfire
2008-02-23 22:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-23 06:52 --------- d-----w C:\Program Files\Common Files\izok
2008-02-22 08:06 10 ----a-w C:\Program Files\.autoreg
2008-02-22 07:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 07:31 --------- d-----w C:\Program Files\Lavasoft
2008-02-21 03:53 --------- d-----w C:\Program Files\Activision
2008-02-17 11:17 --------- d-----w C:\Program Files\mIRC
2008-02-17 10:24 --------- d-----w C:\Program Files\AIM6
2008-02-17 10:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-09 04:20 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-02 05:43 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-02 05:42 --------- d-----w C:\Program Files\eRightSoft
2008-02-02 05:37 --------- d-----w C:\Program Files\Fx Video Converter
2008-02-02 04:27 --------- d-----w C:\Program Files\Common Files\Real
2008-02-02 03:26 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
2008-02-02 01:48 --------- d-----w C:\Program Files\Tales of Pirates Online
2008-02-02 00:14 --------- d-----w C:\Program Files\GameSpy Arcade
2008-01-28 05:27 44,032 ----a-w C:\info.exe
2008-01-27 20:29 --------- d-----w C:\Program Files\vixy.net
2008-01-25 22:49 --------- d-----w C:\Program Files\Future Pinball
2008-01-25 05:42 --------- d-----w C:\Program Files\Blaze Media Pro
2008-01-24 21:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-16 08:25 --------- d-----w C:\Program Files\GUILTY GEAR XX #RELOAD
2008-01-11 12:55 --------- d-----w C:\Program Files\Common Files\DirectX
2008-01-11 06:49 --------- d-----w C:\Program Files\ZC2.10
2008-01-09 11:44 --------- d-----w C:\Program Files\NewsReactor
2008-01-07 10:51 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-07 10:51 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2008-01-04 04:47 --------- d-----w C:\Program Files\Last.fm
2008-01-04 02:50 --------- d-----w C:\Program Files\Real
2006-12-17 00:46 91,973 ----a-w C:\Documents and Settings\Owner\install.exe
2003-06-16 04:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvw"="C:\Program Files\Common Files\??stem32\??rss.exe" [ ]
"Notn"="C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 01:33 8720384]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-10-10 15:18:57 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsrkbqhw]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bitmeter2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bitmeter2.lnk
backup=C:\WINDOWS\pss\Bitmeter2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^customize__IE.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\customize__IE.lnk
backup=C:\WINDOWS\pss\customize__IE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a8e1ca44]
C:\WINDOWS\system32\escgepul.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCNT]
C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-10-28 00:55 286016 C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 08:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen Pro]
C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-10-16 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\JavaCore\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Juno_uoltray]
C:\Program Files\Juno\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2001-07-06 22:56 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2005-07-22 22:25 28160 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-07 01:33 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 17:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 23:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-01-11 03:47 315392 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rhvodyk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 19:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-25 15:52 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-06-18 09:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvw]
C:\Program Files\Common Files\??stem32\??rss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
C:\Program Files\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\__Res]
c:\hp\bin\cloaker c:\hp\bin\SetRes\SetRes.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{A8E1CAEB-07CD-1033-0304-031118030001}]
C:\Program Files\Common Files\{A8E1CAEB-07CD-1033-0304-031118030001}\Update.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
R3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 00:04]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 05:44]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 05:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 06:45:57 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 00:43:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\ntos.exe 419840 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\tap64drv]
"ImagePath"="\??\C:\WINDOWS\system\tap64drv"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-04 0:52:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 06:52:50
.
2007-06-08 07:23:37 --- E O F ---






And here is the new Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:04 AM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&...amp;O=A&UT=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Tvw] "C:\Program Files\Common Files\??stem32\??rss.exe"
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O20 - Winlogon Notify: bsrkbqhw - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5274 bytes
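The entries a helper would zero in on in the log above are the F2 UserInit line (a second executable appended after userinit.exe), the two HKCU Run entries whose paths either contain characters that cannot occur in a valid Windows path or park a system-binary name under the user's My Documents, and an O20 Winlogon Notify entry that points at a directory instead of a DLL. The following Python triage script is an added example written for this page, not a tool from the thread or from HijackThis itself; its heuristics are the editor's own, and the SAMPLE_LOG is constructed from the lines posted above (with one benign entry, SmcService, kept as a control).

```python
import re

# Constructed sample in HijackThis v2 line format, modelled on the entries
# posted in this thread plus one benign O4 entry as a control.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Tvw] "C:\Program Files\Common Files\??stem32\??rss.exe"
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe" -vt yazb
O20 - Winlogon Notify: bsrkbqhw - C:\WINDOWS\
"""

# Names of core Windows binaries that malware likes to borrow; legitimate
# copies live under the Windows directory, so the name elsewhere is a red flag.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
STANDARD_USERINIT = "c:\\windows\\system32\\userinit.exe"


def _first_path(cmd):
    """Extract the executable path from a Run command line: the quoted part if
    present, otherwise the leading token ending in a program extension."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]*)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r'(.+?\.(?:exe|dll|com|bat|cmd|scr))(?=\s|,|$)', cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split(None, 1)[0] if cmd else ""


def _suspicious_path(path):
    """Heuristics for a loader path; returns a list of reasons (empty = clean)."""
    reasons = []
    # '?' is not a legal Windows filename character; it is how the forum (and
    # many tools) render non-ASCII lookalike characters in a path.
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("non-printable or non-ASCII characters in path (lookalike/obfuscated name)")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name {name} outside the Windows directory")
    return reasons


def triage(log_text):
    """Return a list of (line, reason) pairs for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            # Anything besides the stock userinit.exe in the UserInit list is
            # loaded at every logon and deserves an explanation.
            for entry in line.split("UserInit=", 1)[1].split(","):
                entry = entry.strip()
                if entry and entry.lower() != STANDARD_USERINIT:
                    findings.append((line, f"extra UserInit executable: {entry}"))
        elif line.startswith("O4 - "):
            # O4 - <hive>\..\Run: [Name] <command line>
            m = re.match(r"O4 - .*?: \[[^\]]*\] (.*)$", line)
            if m:
                for reason in _suspicious_path(_first_path(m.group(1))):
                    findings.append((line, reason))
        elif line.startswith("O20 - Winlogon Notify:"):
            # A Notify package must name a DLL; a bare directory means the
            # file is hidden from the scanner or the entry is a decoy.
            path = line.rsplit(" - ", 1)[-1].strip()
            if path.endswith("\\") or "." not in path.rsplit("\\", 1)[-1]:
                findings.append((line, "Winlogon Notify entry with no DLL file name"))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {flagged_line}")
```

Run against the constructed sample it flags four entries (the F2 line, Tvw, Notn and the O20 entry) and leaves SmcService alone. The heuristics are deliberately narrow: they do not decide what a file is, only which log lines a reader should look up or submit for analysis before trusting them.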

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:04:10 AM

Posted 05 March 2008 - 10:55 PM

Please download SDFix
Save it to the Desktop.

Double click SDFix.exe to extract its files to the drive containing the Windows Directory, typically C:\

~~~~
Start the computer in Safe Mode:
  • When the machine starts, tap the F8 key before Windows appears
  • You are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Press Enter to boot into Safe Mode.
~~~~
Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

Press any key to restart the PC.
When the PC restarts, SDFix will run again and complete the removal process.
It then displays Finished.
Press any key to end the script and load the Desktop icons.

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

~~~~
Run ComboFix once again to obtain new reports.

~~~~
Please post the contents of the SDFix Report.txt, and the new ComboFix.txt.

Old duck...


#5 RDTZ

RDTZ
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Local time:03:10 AM

Posted 06 March 2008 - 01:32 AM

Here's the Report.txt


SDFix: Version 1.153

Run by Owner on Thu 03/06/2008 at 12:06 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
tap64drv

Path:
\??\C:\WINDOWS\system\tap64drv

tap64drv - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\-14615~1 - Deleted
C:\d.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b153.exe - Deleted
C:\Program Files\.autoreg - Deleted
C:\Documents and Settings\Owner\install.exe - Deleted
C:\WINDOWS\system32\mstscex.dll - Deleted
C:\WINDOWS\system32\oleauth32.dll - Deleted
C:\WINDOWS\system\tap64drv - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 00:15:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:8a,08,92,80,0c,f4,0a,26,bf,82,b6,46,e9,b1,a0,36,be,d2,54,e7,27,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000001
"khjeh"=hex:08,62,ec,cf,b5,7c,3a,26,94,2e,63,d3,7b,ca,63,0a,e0,35,da,5a,21,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,22,f9,83,99,db,ab,2f,4f,36,44,e1,53,82,14,b1,1e,94,..
"khjeh"=hex:7c,38,07,1f,b4,3d,24,06,3f,a0,37,80,d1,2d,04,36,b1,6a,26,96,bb,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:06,03,32,69,84,5d,5d,d7,ee,76,c6,87,8a,22,0e,37,6a,89,86,c9,cf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:8a,08,92,80,0c,f4,0a,26,bf,82,b6,46,e9,b1,a0,36,be,d2,54,e7,27,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000001
"khjeh"=hex:08,62,ec,cf,b5,7c,3a,26,94,2e,63,d3,7b,ca,63,0a,e0,35,da,5a,21,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,22,f9,83,99,db,ab,2f,4f,36,44,e1,53,82,14,b1,1e,94,..
"khjeh"=hex:7c,38,07,1f,b4,3d,24,06,3f,a0,37,80,d1,2d,04,36,b1,6a,26,96,bb,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:06,03,32,69,84,5d,5d,d7,ee,76,c6,87,8a,22,0e,37,6a,89,86,c9,cf,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 15 Dec 2006 3,072 ..SHR --- "C:\361101032257344312.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 5 Jan 2008 4,378,338 A.SH. --- "C:\Program Files\vixy.net\conv.exe"
Sun 15 Jun 2003 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Tue 4 Mar 2008 27,156 ..SH. --- "C:\WINDOWS\system32\cytudqxn.dllbox"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Fri 22 Feb 2008 24,262 ..SH. --- "C:\WINDOWS\system32\hluwjsza.dllbox"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 17 Dec 2007 27,648 ..SH. --- "C:\WINDOWS\system32\Smab0.dll"
Sat 16 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Fri 1 Feb 2008 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Sun 13 Nov 2005 115 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti1.tmp"
Thu 14 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"

Finished!



And here's the new log.txt


ComboFix 08-03-04.2 - Owner 2008-03-06 0:27:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\361101032257344312.exe
C:\WINDOWS\system32\cytudqxn.dllbox
C:\WINDOWS\system32\hluwjsza.dllbox
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-06 00:05 . 2005-03-02 12:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-03-06 00:00 . 2008-03-06 00:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-05 23:54 . 2008-03-06 00:26 <DIR> d-------- C:\SDFix
2008-03-01 14:18 . 2008-03-02 18:51 894 ---hs---- C:\WINDOWS\system32\syknjfya.ini
2008-03-01 00:56 . 2008-03-01 00:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 00:47 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-01 00:47 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-01 00:46 . 2008-03-01 00:46 <DIR> d-------- C:\Program Files\Sygate
2008-03-01 00:46 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-02-29 13:41 . 2008-03-01 14:16 654 ---hs---- C:\WINDOWS\system32\ahseucrk.ini
2008-02-28 13:43 . 2008-02-29 13:32 414 ---hs---- C:\WINDOWS\system32\uwgbfbhd.ini
2008-02-27 13:37 . 2008-02-27 17:08 354 ---hs---- C:\WINDOWS\system32\equwtdld.ini
2008-02-25 13:17 . 2008-02-25 13:17 294 ---hs---- C:\WINDOWS\system32\sdykhpsk.ini
2008-02-23 15:18 . 2008-02-23 15:18 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-23 00:38 . 2008-02-23 00:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 00:38 . 2008-02-23 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 02:39 . 2008-02-22 02:39 18 --ah----- C:\SYSREST
2008-02-22 01:31 . 2008-02-22 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-21 04:31 . 2008-02-21 04:35 58,368 --a------ C:\wpohl.exe
2008-02-21 04:31 . 2008-02-21 04:35 50,176 --a------ C:\arbfikac.exe
2008-02-21 04:22 . 2008-02-21 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-02-20 21:53 . 2008-02-21 04:08 604 --a------ C:\WINDOWS\Wlf.INI
2008-02-20 19:57 . 2008-02-20 19:57 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-02-20 04:29 . 2008-02-20 04:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-02-17 04:24 . 2008-02-17 04:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\QQ Games Plugin
2008-02-17 04:21 . 2008-02-17 04:21 <DIR> d-------- C:\Program Files\Tencent
2008-02-17 04:18 . 2008-02-17 04:18 21 --a------ C:\WINDOWS\atid.ini
2008-02-17 04:16 . 2008-02-17 04:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-07 19:32 . 2008-02-20 17:57 <DIR> d-------- C:\Program Files\City of Heroes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 16:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2008-03-05 15:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-04 09:40 --------- d-----w C:\Program Files\Steam
2008-03-04 08:47 --------- d-s---w C:\Program Files\Xfire
2008-03-03 20:48 --------- d-----w C:\Program Files\Trillian
2008-02-23 22:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-23 06:52 --------- d-----w C:\Program Files\Common Files\izok
2008-02-22 07:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 07:31 --------- d-----w C:\Program Files\Lavasoft
2008-02-21 03:53 --------- d-----w C:\Program Files\Activision
2008-02-19 23:57 360,448 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-02-17 11:17 --------- d-----w C:\Program Files\mIRC
2008-02-17 10:24 --------- d-----w C:\Program Files\AIM6
2008-02-17 10:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-09 04:20 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-04 07:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-02 05:43 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-02 05:42 --------- d-----w C:\Program Files\eRightSoft
2008-02-02 05:37 --------- d-----w C:\Program Files\Fx Video Converter
2008-02-02 04:27 --------- d-----w C:\Program Files\Common Files\Real
2008-02-02 03:36 3,082 ----a-w C:\WINDOWS\system32\affv9869p2now.sys
2008-02-02 03:26 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
2008-02-02 01:48 --------- d-----w C:\Program Files\Tales of Pirates Online
2008-02-02 00:14 --------- d-----w C:\Program Files\GameSpy Arcade
2008-01-28 05:27 44,032 ----a-w C:\info.exe
2008-01-27 20:29 --------- d-----w C:\Program Files\vixy.net
2008-01-25 22:49 --------- d-----w C:\Program Files\Future Pinball
2008-01-25 05:42 --------- d-----w C:\Program Files\Blaze Media Pro
2008-01-24 21:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-16 08:25 --------- d-----w C:\Program Files\GUILTY GEAR XX #RELOAD
2008-01-11 12:55 --------- d-----w C:\Program Files\Common Files\DirectX
2008-01-11 06:49 --------- d-----w C:\Program Files\ZC2.10
2008-01-09 11:44 --------- d-----w C:\Program Files\NewsReactor
2008-01-07 10:51 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-07 10:51 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2003-08-05 16:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 21:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 20:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 23:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 19:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys
2003-06-16 04:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvw"="C:\Program Files\Common Files\??stem32\??rss.exe" [ ]
"Notn"="C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 01:33 8720384]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-10-10 15:18:57 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsrkbqhw]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bitmeter2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bitmeter2.lnk
backup=C:\WINDOWS\pss\Bitmeter2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^customize__IE.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\customize__IE.lnk
backup=C:\WINDOWS\pss\customize__IE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a8e1ca44]
C:\WINDOWS\system32\escgepul.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCNT]
C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-10-28 00:55 286016 C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 08:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen Pro]
C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-10-16 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\JavaCore\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Juno_uoltray]
C:\Program Files\Juno\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2001-07-06 22:56 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2005-07-22 22:25 28160 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-07 01:33 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 17:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 23:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-01-11 03:47 315392 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rhvodyk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 19:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-25 15:52 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-06-18 09:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvw]
C:\Program Files\Common Files\??stem32\??rss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
C:\Program Files\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\__Res]
c:\hp\bin\cloaker c:\hp\bin\SetRes\SetRes.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{A8E1CAEB-07CD-1033-0304-031118030001}]
C:\Program Files\Common Files\{A8E1CAEB-07CD-1033-0304-031118030001}\Update.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
R3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 00:04]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 05:44]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 05:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 06:17:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 00:29:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-03-06 0:30:08
ComboFix-quarantined-files.txt 2008-03-06 06:29:47
ComboFix2.txt 2008-03-04 06:52:58
.
2007-06-08 07:23:37 --- E O F ---

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:04:10 AM

Posted 06 March 2008 - 11:01 AM


Please download Malwarebytes' Anti-Malware
Save the program to the Desktop
Close all Windows, including this one. (Print the instructions first)

On the Desktop, double-click mbam-setup.exe to install the program, and follow the prompts
  • If an update is found, MBAM will download and install the latest.
  • Click OK
At the main program window
  • Make sure the following is checked: Perform Quick Scan
  • Click: Scan (The scan may take some time to finish, so please be patient.)
  • When the scan completes, a message box appears as shown in the image below:
  • Click OK
At the main Scanner screen:
  • Click on: Show Results
  • A screen displaying the malware found shows as seen in the image below. (Results may be different.)
  • Make sure everything found is checked, and click: Remove Selected
  • When the disinfection is complete, you may be prompted to Restart. Please do so.
  • When MBAM finishes removing the malware, a log opens in Notepad
  • The log is automatically saved and can be viewed by clicking the Logs tab.
~~~~
Next, run HijackThis once again to obtain a new log.

~~~~
Please provide the MBAM report in your next reply, along with a new HijackThis log.


Also, let us know if you are still having malware problems.

Edited by Aaflac, 06 March 2008 - 11:02 AM.

Old duck...


#7 RDTZ

RDTZ
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Local time:03:10 AM

Posted 06 March 2008 - 03:48 PM

Here's the Mbam log:

Malwarebytes' Anti-Malware 1.07
Database version: 460

Scan type: Quick Scan
Objects scanned: 27618
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\arbfikac.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\wpohl.exe (Backdoor.Rustock) -> Quarantined and deleted successfully.





And here's the new HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:29 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&...amp;O=A&UT=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Tvw] "C:\Program Files\Common Files\??stem32\??rss.exe"
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O20 - Winlogon Notify: bsrkbqhw - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5216 bytes
After everything I've done so far, everything seems to be running more normally. My internet browser (Firefox) is still running a little slowly, but other than that, everything seems fine. Thank you very much!

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 06 March 2008 - 09:49 PM

Please download ATF Cleaner

Double-click ATF-Cleaner.exe to run the program
Click Select All
Click: Empty Selected

If you use the Firefox browser, click it on the top menu
Next, choose Select All
Click: Empty Selected

NOTE:
If you would like to keep your saved passwords, click 'No' at the prompt.

Click Exit to close the ATF Cleaner program.

~~~~
Now, the main concern is to install an AntiVirus program, and perform a full system scan with the program selected.

There are free AntiVirus programs available:

Grisoft's AVG: Anti-virus Free Edition

avast! 4 Home

AntiVir Personal Edition

Let us know what the AntiVirus program reports.
Also, you need to install a software Firewall!! It provides the ability to restrict malevolent outgoing traffic from your computer.

Some free choices are:

ZoneAlarm

Sunbelt Kerio

OutPost


~~~~
After doing the above, let's see the entries in the HijackThis Uninstall Manager

Please run HijackThis
Select the following buttons in this order: Config > Misc Tools > Open Uninstall Manager

A list of programs in the Add/Remove Programs Manager area is shown
Click: Save, for Notepad to open with the contents of that list.

Please provide the Uninstall List in your reply.

Old duck...


#9 RDTZ

RDTZ
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male

Posted 07 March 2008 - 03:28 AM

Ok, a couple of weird things happened. After I used Avast, this site lost all background graphics. I can see the text fine, at least. And after I downloaded Sunbelt, I couldn't load webpages in Firefox at all. I had to exit the program to get it to work again. Here's my uninstall list:

7-Zip 4.57
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
AGEIA PhysX v7.03.21
AIM 6
AngelPotion Video Codec V1
ArcSoft Picture Software
Audiosurf
avast! Antivirus
BitMeter
Canon ScanGear Toolbox CS 2.2
CDisplay 1.8
DiscJuggler
DLDIrc
Doom 3
easy Internet sign-up
Freedom Security & Privacy
Frets On Fire
GameSpy Arcade
GameTap
GSpot Codec Information Appliance
GUILTY GEAR XX #RELOAD
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Lost Coast
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
hp center
HP Digital Imaging Album Printing 1.0
HP Instant Support
HP Memories Disc
HP Photo and Imaging 1.1 - Photosmart Cameras
ImgBurn (Remove Only)
Inactive HP Printer Drivers (Remove only)
Intel® Extreme Graphics Driver Software
IntelliMover Data Transfer Demo
Java™ 6 Update 2
KBD
Last.fm 1.4.2.58376
Lernout & Hauspie TruVoice American English TTS Engine
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft User-Mode Driver Framework Feature Pack 1.0
MINERVA: Metastasis
mIRC
Mozilla Firefox (2.0.0.12)
MySpaceIM
NVIDIA Drivers
PC-Doctor for Windows
Philips PC Camera
Pirates, Vikings and Knights II Beta 1.1
Portal: The First Slice
Project64 1.6
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickPar 0.9
RecordNow
RecordNow Update Manager
Rhapsody Player Engine
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
ShowBiz
Simple Backup for My Pictures
Simple Installer - Multilanguage Version
Source Dedicated Server
Source SDK Base
Spybot - Search & Destroy
Steam
Sunbelt Personal Firewall
SUPER © Version 2008.bld.24 (Jan 18, 2008)
Sygate Personal Firewall
System Requirements Lab
The Typing of The Dead
Tony Hawk's Underground 2
toolkit
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
vixy converter uninstall
Winamp (remove only)
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WordPerfect Productivity Pack
WordPerfect Productivity Pack
Xfire (remove only)
Zelda Classic 2.10w


Thanks again!

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 07 March 2008 - 10:13 PM

Please go to: Start > Run, type: control
Press OK
Double-click on: Add/Remove Programs

On the list of Currently Installed Programs, look for and, if found, uninstall the following by selecting the entry and clicking on Remove:
Viewpoint Media Player

~~~~
Next, run HijackThis, Scan
Check box for:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/

O20 - Winlogon Notify: bsrkbqhw - C:\WINDOWS\

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Select: Fix checked

~~~~
Open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the text inside the code box below to Notepad:

File:: 
C:\WINDOWS\system32\syknjfya.ini
C:\WINDOWS\system32\ahseucrk.ini
C:\WINDOWS\system32\uwgbfbhd.ini
C:\WINDOWS\system32\equwtdld.ini
C:\WINDOWS\system32\sdykhpsk.ini
C:\wpohl.exe
C:\arbfikac.exe
C:\WINDOWS\Wlf.INI
C:\WINDOWS\atid.ini
C:\info.exe
C:\WINDOWS\system32\escgepul.dll
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rhvodyk.exe
C:\Program Files\Common Files\{A8E1CAEB-07CD-1033-0304-031118030001}

Folder::
C:\Program Files\Common Files\izok
C:\Program Files\Viewpoint

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvw"=-
"Notn"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsrkbqhw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a8e1ca44]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{A8E1CAEB-07CD-1033-0304-031118030001}]


Save as CFScript.txt <<< Important!!
Change the Save as type to: All Files
Save it to the Desktop

[Screenshot: CFScript.txt dragged onto ComboFix.exe]


Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis once again, and Scan, to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log, and the new HijackThis log in your reply.

Old duck...

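The post above does by hand what a defender can script: it reads the O4 Run entries and the O20 Winlogon Notify entry out of the HijackThis log and turns them into the Registry:: section of the CFScript. The script below is an added example, not code from this thread, from HijackThis or from ComboFix; its heuristics (a Run image path containing characters HijackThis could not render, a Windows system-process name running from outside system32, a Winlogon Notify entry that names no DLL) and its sample lines, copied from the log posted earlier, are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log posted earlier in
# this thread, plus one known-good O4 entry (NvCplDaemon) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Tvw] "C:\Program Files\Common Files\??stem32\??rss.exe"
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\spoolsv.exe" -vt yazb
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O20 - Winlogon Notify: bsrkbqhw - C:\WINDOWS\
"""

# Core Windows process names that malware borrows; one of these running from
# anywhere but system32 is suspect (the Notn entry's spoolsv.exe, for instance).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "spoolsv.exe",
                        "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# Registry keys behind the HijackThis hive abbreviations (the same keys the
# CFScript in the post above targets).
RUN_KEYS = {
    "HKCU": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
}
NOTIFY_KEY = ("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
              "\\currentversion\\winlogon\\notify")

O4_RE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


@dataclass
class Finding:
    line: str                    # the HijackThis line that was flagged
    reason: str                  # why it was flagged
    key: str                     # registry key the entry lives in
    value: Optional[str] = None  # value name to delete; None = delete the key


def image_path(command: str) -> str:
    """Return the executable path from an O4 command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def o4_reason(path: str) -> Optional[str]:
    """Heuristics for a Run entry's image path; None means it looks ordinary."""
    if "?" in path:
        # '?' is illegal in a Windows file name: HijackThis prints it for
        # characters it cannot render, e.g. the look-alike '??stem32\??rss.exe'.
        return "path contains unrenderable characters (look-alike of a system path)"
    base = path.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM32_PREFIX):
        return f"{base} is a Windows system process name but runs from outside system32"
    return None


def analyze(log_text: str) -> List[Finding]:
    """Flag O4 Run entries and O20 Winlogon Notify entries worth removing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            reason = o4_reason(image_path(command))
            if reason:
                findings.append(Finding(line, reason, RUN_KEYS[hive], name))
            continue
        m = O20_RE.match(line)
        # A genuine Winlogon Notify package names a DLL; an entry ending in a
        # bare directory (here 'C:\WINDOWS\') has nothing legitimate to load.
        if m and not m.group(2).lower().endswith(".dll"):
            findings.append(Finding(line, "Winlogon Notify entry names no DLL",
                                    NOTIFY_KEY + "\\" + m.group(1)))
    return findings


def build_registry_section(findings: List[Finding]) -> str:
    """Render findings as a CFScript Registry:: section: '"name"=-' under a
    [key] header deletes that value, '[-key]' deletes the whole key, and
    values under one key are grouped beneath a single header as in the post."""
    values: Dict[str, List[str]] = {}
    keys: List[str] = []
    for f in findings:
        if f.value is None:
            keys.append(f.key)
        else:
            values.setdefault(f.key, []).append(f.value)
    out = ["Registry::"]
    for key, names in values.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
    out.extend(f"[-{k}]" for k in keys)
    return "\n".join(out)
```

Running `build_registry_section(analyze(SAMPLE_LOG))` reproduces the Run and Winlogon Notify lines of the CFScript in the post; the File:: and Folder:: sections still need the on-disk paths from the ComboFix log.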

#11 RDTZ

RDTZ
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male

Posted 08 March 2008 - 04:50 AM

Here's the Combofix log:

ComboFix 08-03-04.2 - Owner 2008-03-08 3:36:01.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.197 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\arbfikac.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rhvodyk.exe
C:\info.exe
C:\Program Files\Common Files\{A8E1CAEB-07CD-1033-0304-031118030001}
C:\WINDOWS\atid.ini
C:\WINDOWS\system32\ahseucrk.ini
C:\WINDOWS\system32\equwtdld.ini
C:\WINDOWS\system32\escgepul.dll
C:\WINDOWS\system32\sdykhpsk.ini
C:\WINDOWS\system32\syknjfya.ini
C:\WINDOWS\system32\uwgbfbhd.ini
C:\WINDOWS\Wlf.INI
C:\wpohl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\info.exe
C:\Program Files\Common Files\izok
C:\Program Files\Common Files\izok\izoka.lck
C:\Program Files\Common Files\izok\izokd\class-barrel
C:\Program Files\Common Files\izok\izokd\vocabulary
C:\Program Files\Common Files\izok\izokl.lck
C:\Program Files\Common Files\izok\izokm.lck
C:\WINDOWS\atid.ini
C:\WINDOWS\system32\ahseucrk.ini
C:\WINDOWS\system32\equwtdld.ini
C:\WINDOWS\system32\sdykhpsk.ini
C:\WINDOWS\system32\syknjfya.ini
C:\WINDOWS\system32\uwgbfbhd.ini
C:\WINDOWS\Wlf.INI

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-07 20:47 . 2008-03-07 20:47 276 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-07 02:15 . 2008-03-07 02:15 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-07 00:26 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-07 00:26 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-07 00:26 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-07 00:26 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-06 14:32 . 2008-03-06 14:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-06 14:32 . 2008-03-06 14:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-06 14:32 . 2008-03-06 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-06 00:05 . 2005-03-02 12:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-03-06 00:00 . 2008-03-06 00:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-05 23:54 . 2008-03-06 00:26 <DIR> d-------- C:\SDFix
2008-03-01 00:56 . 2008-03-01 00:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 00:47 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-01 00:47 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-01 00:47 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-01 00:46 . 2008-03-01 00:46 <DIR> d-------- C:\Program Files\Sygate
2008-03-01 00:46 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-02-23 15:18 . 2008-02-23 15:18 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-23 00:38 . 2008-02-23 00:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 00:38 . 2008-02-23 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 02:39 . 2008-02-22 02:39 18 --ah----- C:\SYSREST
2008-02-22 01:31 . 2008-02-22 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-21 04:22 . 2008-02-21 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-02-20 19:57 . 2008-02-20 19:57 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-02-20 04:29 . 2008-02-20 04:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-02-17 04:24 . 2008-02-17 04:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\QQ Games Plugin
2008-02-17 04:21 . 2008-02-17 04:21 <DIR> d-------- C:\Program Files\Tencent
2008-02-17 04:16 . 2008-02-17 04:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 09:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
2008-03-08 09:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-07 17:28 --------- d-----w C:\Program Files\Trillian
2008-03-06 10:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-06 07:14 --------- d-s---w C:\Program Files\Xfire
2008-03-06 07:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2008-03-04 09:40 --------- d-----w C:\Program Files\Steam
2008-02-23 22:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 07:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 07:31 --------- d-----w C:\Program Files\Lavasoft
2008-02-21 03:53 --------- d-----w C:\Program Files\Activision
2008-02-20 23:57 --------- d-----w C:\Program Files\City of Heroes
2008-02-19 23:57 360,448 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-02-17 11:17 --------- d-----w C:\Program Files\mIRC
2008-02-17 10:24 --------- d-----w C:\Program Files\AIM6
2008-02-17 10:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-09 04:20 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-04 07:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-02 05:43 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-02 05:42 --------- d-----w C:\Program Files\eRightSoft
2008-02-02 05:37 --------- d-----w C:\Program Files\Fx Video Converter
2008-02-02 04:27 --------- d-----w C:\Program Files\Common Files\Real
2008-02-02 03:36 3,082 ----a-w C:\WINDOWS\system32\affv9869p2now.sys
2008-02-02 03:26 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
2008-02-02 01:48 --------- d-----w C:\Program Files\Tales of Pirates Online
2008-02-02 00:14 --------- d-----w C:\Program Files\GameSpy Arcade
2008-01-27 20:29 --------- d-----w C:\Program Files\vixy.net
2008-01-25 22:49 --------- d-----w C:\Program Files\Future Pinball
2008-01-25 05:42 --------- d-----w C:\Program Files\Blaze Media Pro
2008-01-24 21:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-16 08:25 --------- d-----w C:\Program Files\GUILTY GEAR XX #RELOAD
2008-01-11 12:55 --------- d-----w C:\Program Files\Common Files\DirectX
2008-01-11 06:49 --------- d-----w C:\Program Files\ZC2.10
2008-01-09 11:44 --------- d-----w C:\Program Files\NewsReactor
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2003-08-05 16:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 21:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 20:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 23:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 19:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys
2003-06-16 04:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 01:33 8720384]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-10-10 15:18:57 106496]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bitmeter2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bitmeter2.lnk
backup=C:\WINDOWS\pss\Bitmeter2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^customize__IE.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\customize__IE.lnk
backup=C:\WINDOWS\pss\customize__IE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCNT]
C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-10-28 00:55 286016 C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 08:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen Pro]
C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-10-16 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\JavaCore\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Juno_uoltray]
C:\Program Files\Juno\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2001-07-06 22:56 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2005-07-22 22:25 28160 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-07 01:33 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 17:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 23:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-01-11 03:47 315392 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 19:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-25 15:52 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-06-18 09:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
C:\Program Files\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\__Res]
c:\hp\bin\cloaker c:\hp\bin\SetRes\SetRes.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
R3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 00:04]
S2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 05:44]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 05:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 09:27:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 03:45:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-03-08 3:48:41
ComboFix-quarantined-files.txt 2008-03-08 09:47:40
ComboFix2.txt 2008-03-06 06:30:09
ComboFix3.txt 2008-03-04 06:52:58
.
2007-06-08 07:23:37 --- E O F ---



And here's the new HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:25 AM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&...amp;O=A&UT=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5791 bytes

Edited by RDTZ, 08 March 2008 - 04:56 AM.


#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:04:10 AM

Posted 09 March 2008 - 08:31 PM

Are you still having malware problems?

Old duck...


#13 RDTZ

RDTZ
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Local time:03:10 AM

Posted 10 March 2008 - 07:34 PM

None whatsoever! My compy's running great now! Thanks for all the help!

#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:04:10 AM

Posted 10 March 2008 - 09:06 PM

If you are not having malware problems, you are good to go!

Please do the following to wrap up:
  • Go to Start then Run
  • Type Combofix /u in the Open box, and click OK. (Notice the space before /u)
  • This command uninstalls ComboFix, implements some cleanup procedures, and resets System Restore points to prevent re-infection from old Restore points.


Also remove the following:
C:\SDFix

~~~~
Some of the best suggestions and programs to remain malware free are contained in Tony Klein's article:
How Did I Get Infected In The First Place

It is also a very good practice to perform an online virus scan on a regular basis.
Scanners do not have identical malware definitions, and what one misses, another one can catch.
Some of the scanners are:
BitDefender Online Scanner
ESET NOD32 Online Scanner
F-Secure Online Scanner
Panda ActiveScan
TrendMicro HouseCall

~~~~
If you have any questions or comments, post back. Otherwise...

Good luck, safe journey through the Internet!!

Old duck...




