Numerous Viruses. Cannot Get Them Off.


  • This topic is locked
35 replies to this topic

#1 cbm550

Posted 06 March 2008 - 11:48 AM

I have run Spybot several times and it identifies numerous entries and can fix most. It asks to run on restart to remove the rest, but the original ones that it removed come back. I cannot get to my Task Manager to see the processes that are running. Here is my log. Please help, I can hardly do anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:48 AM, on 03/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe
C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O1 - Hosts: 64.12.152.18 search.netscape.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {4bb898be-1dd2-11b2-b3a5-a24148125fe2} - C:\WINDOWS\idgholup.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Batco\bat.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BndAero6 IE Helper - {82E5E2FF-9260-4d88-B0C6-7CC358C5D418} - C:\Program Files\QdrDrive\QdrDrive11.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: 0 - {C4D95707-174D-4679-F082-D2C2622331D0} - C:\Program Files\Messenger\qucamoc.dll (file missing)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe -startup
O4 - HKCU\..\Run: [PTRUN32] C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159585097906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 9338 bytes
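A helper reads a log like the one above by eye, looking first at a handful of entry types. As an added example (not part of the thread and not HijackThis code), the Python script below applies those same first-pass checks mechanically: the F2 UserInit line that loads a second executable at every logon, the O10 Winsock hijack, the O15 trusted-zone IP entries, O2 BHOs whose DLL is gone, and O4 Run entries that launch from a subfolder of system32. The sample lines are copied from the log above; the default-UserInit path and the heuristics themselves are assumptions of this example, not rules from HijackThis.

```python
"""Triage a HijackThis 2.x log: flag the entry types a malware-removal helper
looks at first. Added example; heuristics and constants are assumptions."""
import re

# Windows XP default for the Winlogon UserInit value (assumed for this example).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: a few lines copied from the first log in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O1 - Hosts: 64.12.152.18 search.netscape.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Hijacked Internet access by WebHancer
O15 - Trusted IP range: http://202.67.220.225
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> kind "O4", body "HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# An .exe one directory below system32 (system32\<subdir>\<file>.exe), e.g. ptrun32\ptrun32.exe
SYS32_SUBDIR_RE = re.compile(r"system32\\([^\\\s]+)\\[^\\\s]+\.exe", re.IGNORECASE)


def parse_entries(log_text):
    """Return (kind, body) pairs for every HijackThis entry line; header/footer lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def check_entry(kind, body):
    """Return a short reason if the entry deserves attention, else None."""
    if kind == "F2" and "UserInit=" in body:
        # Winlogon runs every comma-separated path in UserInit at logon; anything
        # beyond userinit.exe is a persistence point that survives reboots.
        paths = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extras = [p for p in paths if p.lower() != DEFAULT_USERINIT]
        if extras:
            return "extra UserInit executable(s): " + ", ".join(extras)
    elif kind == "O1":
        return "hosts-file override pins a hostname to a fixed IP"
    elif kind == "O2" and ("(no file)" in body or "(file missing)" in body):
        return "orphaned BHO registration (DLL missing)"
    elif kind == "O4":
        cmd = body.split("] ", 1)[-1]  # drop the "HKLM\..\Run: [name] " prefix
        m = SYS32_SUBDIR_RE.search(cmd)
        if m:
            return "Run entry launches from system32 subfolder '%s'" % m.group(1)
    elif kind == "O10":
        # Winsock LSP hijack: deleting the DLL outright breaks the LSP chain (no network).
        return "Winsock LSP hijack; repair the LSP chain rather than deleting the DLL"
    elif kind == "O15":
        return "Trusted-zone entry lowers IE security for this host"
    return None


def triage(log_text):
    """Run check_entry over every entry and return (kind, reason, body) findings in log order."""
    findings = []
    for kind, body in parse_entries(log_text):
        reason = check_entry(kind, body)
        if reason:
            findings.append((kind, reason, body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (kind, reason, body))
```

On the sample above the script reports six findings (F2, O1, O2, O4, O10, O15) and stays quiet on the legitimate NAV BHO, the ctfmon.exe Run entry and the NVIDIA service, which is the split a human helper would make on the same lines.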


#2 SifuMike (malware expert)

Posted 06 March 2008 - 02:04 PM

Hello cbm550,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 cbm550

Posted 06 March 2008 - 08:43 PM

O.K., it looks like it is better. Here are the SmitfraudFix and HiJack This logs.


SmitFraudFix v2.300

Scan done at 20:07:54.79, 03/06/2008
Run from C:\Documents and Settings\Krista Hallberg\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{10646E57-2D4C-45FF-89C4-2561998DB29C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{10646E57-2D4C-45FF-89C4-2561998DB29C}: DhcpNameServer=24.197.96.16 24.197.96.15
HKLM\SYSTEM\CS2\Services\Tcpip\..\{10646E57-2D4C-45FF-89C4-2561998DB29C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{10646E57-2D4C-45FF-89C4-2561998DB29C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.197.96.16 24.197.96.15
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:21 PM, on 03/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe
C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Batco\bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: 0 - {C4D95707-174D-4679-F082-D2C2622331D0} - C:\Program Files\Messenger\qucamoc.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe -startup
O4 - HKCU\..\Run: [PTRUN32] C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159585097906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 5789 bytes

#4 cbm550

Posted 06 March 2008 - 08:48 PM

I also noticed that when I try to download Ad-Aware, it will go to Download.com and when I click on "download now", the pop-up bar will drop down from the top for me to click on to allow pop-ups, then disappear before I can click on anything. It will not allow me to go on Major Geeks to get SyGate either. Any ideas?

#5 SifuMike (malware expert)

Posted 06 March 2008 - 10:02 PM

Hi cbm550,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 5.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u5-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.



The SmitfraudFix log says it did not remove anything?

Did you run it more than once?

There should be a long lists of deleted files.
I wanted to see the log from the first run of SmitfraudFix.

Edited by SifuMike, 06 March 2008 - 10:21 PM.


#6 cbm550

Posted 07 March 2008 - 08:54 AM

I believe that I ran it more than once and overwrote that file. Sorry. I think that there was a pretty long list in that file. Is there any way to recover the old one?

#7 SifuMike (malware expert)

Posted 07 March 2008 - 12:54 PM

Hi cbm550,

I believe that I ran it more than once and overwrote that file. Sorry. I think that there was a pretty long list in that file. Is there any way to recover the old one?



No way to recover the file as you have overwritten it. It makes the removal process more difficult for me.



Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Batco\bat.dll
O2 - BHO: 0 - {C4D95707-174D-4679-F082-D2C2622331D0} - C:\Program Files\Messenger\qucamoc.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90


*******************************************
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Ebates_MoeMoneyMaker

  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, the OTMoveIt2 log, and tell me how your computer is running.

Edited by SifuMike, 07 March 2008 - 12:55 PM.


#8 cbm550

Posted 07 March 2008 - 09:55 PM

It is running better. However, on startup the icons are slow to load. I went into msconfig and disabled all startup items. Here is the OTMoveIt2 log and the new HijackThis log. Thanks for your patience and help.

C:\Program Files\Ebates_MoeMoneyMaker\Da350 moved successfully.
C:\Program Files\Ebates_MoeMoneyMaker moved successfully.

OTMoveIt2 v1.0.20 log created on 03072008_214112


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:36 PM, on 03/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe -startup
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159585097906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 5381 bytes

#9 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 March 2008 - 10:00 PM

Hi cbm550,

You may have some malware still lurking.

I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure.

This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter.
When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.

Now please create a new Hijackthis Log and post it as a reply.

Did you put these in your trusted zone? I personally remove all entries from the Trusted Zone, as there is ultimately no need for them to be there.

O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90


Edited by SifuMike, 07 March 2008 - 10:10 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 cbm550

  • Topic Starter

  • Members
  • 87 posts

Posted 08 March 2008 - 05:53 AM

The entries that you said to add to the trusted zone were already there as the first ones on the list. I did not know that you could clear that list. I always disable all in the startup list. Is that a good practice? There only seems to be just junk that slows the startup process. :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:00 AM, on 03/08/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe
C:\Program Files\WinFixer\wfxcwr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Batco\X_bat.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [WinPerformance] C:\Program Files\WinPerformance\WinPerformance.lnk
O4 - HKLM\..\Run: [WinFixer helper] C:\Program Files\WinFixer\wfxcwr.exe
O4 - HKLM\..\Run: [WinFixer] C:\Program Files\WinFixer\wwfx5.exe /min
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [srcbktcn] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\srcbktcn.dll"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RebateNation0] "C:\Program Files\Rebate_Nation\RebateNation0.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SysProtect Free] "C:\Program Files\SysProtect Free\USYP.exe" /scan
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [QdrPack13] "C:\Program Files\QdrPack\QdrPack13.exe"
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdwareProtector] C:\Program Files\WinFixer\AdwareProtector.exe
O4 - HKCU\..\Run: [PTRUN32] C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Batco\bat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159585097906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11025 bytes

Edited by cbm550, 08 March 2008 - 10:43 AM.


#11 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 March 2008 - 12:33 PM

Hi cbm550,

I always disable all in the startup list. Is that a good practice? There only seems to be just junk that slows the startup process.

Not a good idea to disable everything. :thumbsup: If you do that, you will disable your antivirus, firewall, printer and other essential programs.
You should disable only those programs that you do not need to run at startup. You need your antivirus, firewall and printer to be active all the time.
I suggest you look up the startup items with Google and see what they do before you disable any of them.

You are still heavily infected, so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Antivirus and Spybot TeaTimer before running ComboFix, as they will prevent it from running.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

We need the Recovery Console because malware does a lot of damage and leaves the system unstable, and because of that your computer may no longer be able to boot. With the Recovery Console installed, there are extra options to repair whatever the malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console, you will see the option for the Recovery Console right after reboot as well.
Don't select the Recovery Console, as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.
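
The advice in the two replies above (an MSConfig /auto entry means startup items were unchecked in msconfig and will not appear in the log until re-enabled; O15 trusted-zone entries should all be removed; startup items should be looked up one by one rather than all disabled) amounts to triage rules that can be applied mechanically to a HijackThis log. The script below is an added example written for this page, not a HijackThis or BleepingComputer tool. It parses the one-line-per-item format shown in the logs above; the sample lines are copied from those logs; the two extra checks (a Run entry that calls regsvr32 /u, and a startup program sitting directly in C:\WINDOWS) are the editor's own heuristics, not advice from the thread, and are labelled as such in the output.

```python
"""Triage rules for a HijackThis 2.x log (added example, not a HijackThis feature).

Every HijackThis item is one line of the form "<code> - <description>":
  O4 - HKLM\\..\\Run: [name] C:\\path\\prog.exe -flag      (Run key)
  O4 - Global Startup: Name.lnk = C:\\path\\prog.exe       (startup folder)
  O15 - Trusted IP range: http://203.0.113.5               (IE trusted zone)
"""
from __future__ import annotations

import ntpath  # Windows path semantics even when this runs on a non-Windows host
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ITEM_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN_ITEM_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LNK_ITEM_RE = re.compile(r"^(?P<name>.+?\.lnk)\s*=\s*(?P<cmd>.*)$", re.IGNORECASE)
# First program-looking token of an unquoted command line (paths may contain spaces).
TARGET_RE = re.compile(r"^(?P<t>.*?\.(?:exe|dll|lnk|cpl|bat|com))(?=\s|$)", re.IGNORECASE)


@dataclass
class Item:
    code: str      # section code, e.g. "O4", "O15"
    location: str  # e.g. "HKLM\\..\\Run", "Global Startup", "Trusted IP range"
    name: str      # entry name; "" for sections that have none
    cmd: str       # command line, path or URL exactly as logged


@dataclass
class Finding:
    item: Item
    reason: str


def parse_line(line: str) -> Optional[Item]:
    """Split one log line into an Item; None for headers and process listings."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    location, sep, payload = rest.partition(": ")
    if not sep:  # e.g. R0 lines carry no ": " separator
        return Item(code, rest, "", "")
    for pat in (RUN_ITEM_RE, LNK_ITEM_RE):
        pm = pat.match(payload)
        if pm:
            return Item(code, location, pm.group("name"), pm.group("cmd"))
    return Item(code, location, "", payload)


def extract_target(cmd: str) -> str:
    """Program a command line launches, stripped of quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = TARGET_RE.match(cmd)
    return m.group("t") if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's advice plus two editor heuristics to every item."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        item = parse_line(line)
        if item is None:
            continue
        if item.code == "O15":
            findings.append(Finding(item, "trusted-zone entry; the reply above says to remove all of them"))
        elif item.code == "O4":
            target = extract_target(item.cmd)
            low = item.cmd.lower()
            if ntpath.basename(target).lower() == "msconfig.exe" and "/auto" in low:
                findings.append(Finding(item, "msconfig /auto: items unchecked in msconfig are hidden from this log until re-enabled"))
            elif low.startswith("regsvr32 /u"):
                findings.append(Finding(item, "Run entry unregisters a DLL at every logon (editor heuristic: unusual for legitimate software)"))
            elif ntpath.dirname(target).lower() == "c:\\windows":
                findings.append(Finding(item, "program sits directly in C:\\WINDOWS rather than a program folder (editor heuristic)"))
    return findings


def startup_inventory(log_text: str) -> List[Tuple[str, str, str]]:
    """(location, name, target) for each O4 item, to be looked up one at a time."""
    return [(i.location, i.name, extract_target(i.cmd))
            for i in map(parse_line, log_text.splitlines())
            if i is not None and i.code == "O4"]


# Constructed excerpt: the lines below are copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [srcbktcn] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\srcbktcn.dll"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item.code:<4} {(f.item.name or f.item.cmd):<22} {f.reason}")
    print(f"{len(startup_inventory(SAMPLE_LOG))} startup items to look up individually")
```

On the sample excerpt the script reports the two O15 entries, the MSConfig /auto entry, and the srcbktcn and runner1 Run entries, and lists eight startup items for individual lookup. The path heuristics are deliberately narrow (only a program directly under C:\WINDOWS is flagged, not anything under system32), so they produce leads for a reviewer rather than verdicts.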

#12 cbm550

  • Topic Starter

  • Members
  • 87 posts

Posted 08 March 2008 - 02:30 PM

Here is the ComboFix log. :thumbsup: This is a real job on this computer. :blink:


ComboFix 08-03-07.4 - Krista Hallberg 2008-03-08 14:02:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.100 [GMT -5:00]
Running from: C:\Documents and Settings\Krista Hallberg\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 13:38 . 2008-03-08 13:38 <DIR> d-------- C:\ComboFix[1]
2008-03-08 09:57 . 2008-03-08 09:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-03-08 09:57 . 2008-03-08 09:57 <DIR> d-------- C:\WINDOWS\l2schemas
2008-03-08 09:50 . 2008-02-12 03:13 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-03-08 09:47 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005484_.tmp
2008-03-08 09:32 . 2008-03-08 09:32 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-03-08 09:32 . 2008-03-08 09:32 <DIR> d-------- C:\Program Files\Windows Media Player Filter
2008-03-08 09:32 . 2006-05-04 16:47 172,032 --a------ C:\WINDOWS\SYSTEM32\H264VDEC.dll
2008-03-08 09:32 . 2006-03-08 11:14 131,072 --a------ C:\WINDOWS\SYSTEM32\Mpeg4SrcFlt.ax
2008-03-08 09:32 . 2003-04-09 16:32 106,496 --a------ C:\WINDOWS\SYSTEM32\Mpeg4null.ax
2008-03-08 09:32 . 2003-03-26 14:49 90,112 --a------ C:\WINDOWS\SYSTEM32\HIKM4DEC.dll
2008-03-08 09:32 . 2006-05-04 16:50 69,632 --a------ C:\WINDOWS\SYSTEM32\Mpeg4DecV4C.ax
2008-03-08 09:32 . 2006-05-04 16:47 69,632 --a------ C:\WINDOWS\SYSTEM32\Mpeg4DecV.ax
2008-03-08 09:32 . 2006-03-08 11:17 61,440 --a------ C:\WINDOWS\SYSTEM32\Mpeg4Splitter.ax
2008-03-08 09:32 . 2006-03-08 13:36 53,248 --a------ C:\WINDOWS\SYSTEM32\Mpeg4DecA.ax
2008-03-08 09:32 . 2003-03-26 14:53 49,152 --a------ C:\WINDOWS\SYSTEM32\G722ADEC.dll
2008-03-08 09:32 . 2003-03-26 16:38 49,152 --a------ C:\WINDOWS\SYSTEM32\BSPVDEC.dll
2008-03-08 09:27 . 2008-03-08 09:27 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-08 09:19 . 2008-03-08 09:31 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-03-08 09:18 . 2008-03-08 09:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-03-08 09:18 . 2008-03-08 09:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-03-08 09:11 . 2008-03-08 09:11 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-07 21:43 . 2008-03-07 21:43 <DIR> d-------- C:\Program Files\CCleaner
2008-03-07 21:41 . 2008-03-07 21:41 <DIR> d-------- C:\_OTMoveIt
2008-03-07 21:35 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-07 21:33 . 2008-03-07 21:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-06 20:59 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2008-03-06 20:59 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2008-03-06 20:59 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2008-03-06 20:59 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2008-03-06 20:59 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2008-03-06 20:59 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2008-03-06 20:59 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2008-03-06 20:58 . 2008-03-06 20:58 <DIR> d-------- C:\Program Files\Sygate
2008-03-06 20:57 . 2008-03-06 20:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-06 20:51 . 2008-03-06 20:56 <DIR> d-------- C:\Documents and Settings\Krista Hallberg\Application Data\GetRightToGo
2008-03-06 20:04 . 2003-11-19 23:24 <DIR> d-------- C:\Documents and Settings\Administrator.HALLBERG\Application Data\Sonic
2008-03-06 20:04 . 2005-05-24 10:24 <DIR> d-------- C:\Documents and Settings\Administrator.HALLBERG\Application Data\Gtek
2008-03-06 19:56 . 2008-03-06 20:08 1,734 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-05 17:50 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-03-05 17:47 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enmcvnbvdfjw.sys
2008-03-05 17:36 . 2008-03-05 17:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 17:31 . 2008-03-05 19:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-05 17:31 . 2008-03-05 17:31 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-05 17:31 . 2008-03-05 17:31 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-05 17:31 . 2008-03-05 17:31 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-05 14:32 . 2008-03-05 14:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-05 13:59 . 2008-03-05 13:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-05 13:59 . 2008-03-05 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 13:57 . 2008-03-05 13:57 <DIR> d-------- C:\Documents and Settings\Krista Hallberg\Application Data\U3
2008-03-02 12:50 . 2008-03-02 12:50 <DIR> d-------- C:\WINDOWS\hsccgaqu
2008-03-02 12:50 . 2008-03-07 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-02 12:50 . 2008-03-02 12:50 3,802,742 --a------ C:\WINDOWS\Skww90G9c1.exe
2008-03-02 12:50 . 2008-03-02 12:50 189,440 --a------ C:\WINDOWS\snczizsb.dll
2008-03-02 12:50 . 2008-03-02 12:50 89,105 --a------ C:\WINDOWS\wvufuhmh.exe
2008-03-02 12:50 . 2008-03-02 12:50 43,520 --a------ C:\WINDOWS\hclebqrc.exe
2008-03-02 12:49 . 2008-03-05 18:24 <DIR> d-------- C:\Program Files\Batco
2008-03-02 12:49 . 2008-01-25 20:01 385,024 --a------ C:\WINDOWS\SYSTEM32\WinNB57.dll
2008-02-29 19:26 . 2008-03-08 10:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 19:26 . 2008-02-29 19:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 19:22 . 2008-02-29 19:22 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-02-21 16:43 . 2008-02-21 16:44 <DIR> d-------- C:\Program Files\Ultimate Duck Hunting
2008-02-21 16:37 . 2008-03-06 20:51 <DIR> d-------- C:\Downloads
2008-02-21 16:19 . 2008-02-21 16:19 <DIR> d-------- C:\Program Files\Oquirrh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 19:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-08 02:35 --------- d-----w C:\Program Files\Java
2008-03-05 23:34 --------- d-----w C:\Program Files\Symantec
2008-03-05 21:39 --------- d-----w C:\Program Files\WinFixer
2008-03-05 21:38 --------- d-----w C:\Program Files\Yahoo!
2008-03-05 21:18 --------- d-----w C:\Program Files\Google
2008-03-01 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 00:24 --------- d-----w C:\Program Files\QuickTime
2008-03-01 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-01 00:23 --------- d-----w C:\Program Files\Kodak
2008-02-12 21:04 329,728 ----a-w C:\WINDOWS\SYSTEM32\netsetup.exe
2008-02-12 19:59 997,376 ----a-w C:\WINDOWS\SYSTEM32\msgina.dll
2008-02-12 19:58 98,304 ----a-w C:\WINDOWS\SYSTEM32\actxprxy.dll
2008-02-12 19:57 53,279 ----a-w C:\WINDOWS\SYSTEM32\odbcji32.dll
2008-02-12 19:55 3,072 ----a-w C:\WINDOWS\SYSTEM32\dpnlobby.dll
2008-02-12 19:55 3,072 ----a-w C:\WINDOWS\SYSTEM32\dpnaddr.dll
2008-02-12 19:55 285,696 ----a-w C:\WINDOWS\SYSTEM32\atmfd.dll
2008-02-12 19:55 16,896 ----a-w C:\WINDOWS\SYSTEM32\cfgmgr32.dll
2008-02-12 16:32 103,424 ----a-w C:\WINDOWS\SYSTEM32\dpcdll.dll
2008-02-12 15:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-02-12 15:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-02-12 15:20 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-02-12 15:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-02-12 15:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-02-12 15:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-02-12 15:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-02-12 15:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-02-12 09:05 1,843,968 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-02-12 09:04 2,188,928 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-02-12 09:04 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-02-12 08:56 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-02-12 08:54 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-02-12 08:53 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-02-12 08:53 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-02-12 08:53 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-02-12 08:53 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-02-12 08:52 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-02-12 08:52 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-02-12 08:52 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-02-12 08:52 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-02-12 08:51 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-02-12 08:50 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-02-12 08:50 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-02-12 08:33 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-12 08:31 15,104 ----a-w C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-12 08:21 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-02-12 08:21 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-02-12 08:21 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-02-12 08:19 59,520 ----a-w C:\WINDOWS\system32\drivers\usbhub.sys
2008-02-12 08:19 36,864 ----a-w C:\WINDOWS\system32\drivers\hidclass.sys
2008-02-12 08:19 32,128 ----a-w C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-12 08:19 30,208 ----a-w C:\WINDOWS\system32\drivers\usbehci.sys
2008-02-12 08:19 25,728 ----a-w C:\WINDOWS\system32\drivers\usbcamd2.sys
2008-02-12 08:19 25,600 ----a-w C:\WINDOWS\system32\drivers\usbcamd.sys
2008-02-12 08:19 24,960 ----a-w C:\WINDOWS\system32\drivers\hidparse.sys
2008-02-12 08:19 20,608 ----a-w C:\WINDOWS\system32\drivers\usbuhci.sys
2008-02-12 08:19 19,200 ------w C:\WINDOWS\system32\drivers\hidir.sys
2008-02-12 08:19 15,872 ----a-w C:\WINDOWS\system32\drivers\usbintel.sys
2008-02-12 08:19 143,872 ----a-w C:\WINDOWS\system32\drivers\usbport.sys
2008-02-12 08:19 10,368 ----a-w C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-12 08:17 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-02-12 08:17 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-02-12 08:17 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-02-12 08:17 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-02-12 08:17 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-02-12 08:17 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-02-12 08:17 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-02-12 08:17 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-02-12 08:16 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-02-12 08:16 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-02-12 08:16 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-02-12 08:16 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-02-12 08:15 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-02-12 08:15 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-02-12 08:14 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-02-12 08:14 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-02-12 08:14 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
2008-02-12 08:14 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
2008-02-12 08:12 80,128 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-02-12 08:10 24,064 ----a-w C:\WINDOWS\SYSTEM32\pidgen.dll
2008-02-12 08:09 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-02-12 08:08 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-02-12 08:07 66,048 ----a-w C:\WINDOWS\system32\drivers\udfs.sys
2008-02-12 08:07 30,848 ----a-w C:\WINDOWS\system32\drivers\npfs.sys
2008-02-12 08:07 196,224 ----a-w C:\WINDOWS\system32\drivers\rdpdr.sys
2008-02-12 08:07 19,072 ----a-w C:\WINDOWS\system32\drivers\msfs.sys
2008-02-12 08:07 180,608 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2008-02-12 08:07 129,792 ------w C:\WINDOWS\system32\drivers\fltmgr.sys
2008-02-12 08:06 92,288 ----a-w C:\WINDOWS\system32\drivers\ksecdd.sys
2008-02-12 08:05 7,424 ----a-w C:\WINDOWS\SYSTEM32\kd1394.dll
2008-02-12 08:05 61,440 ----a-w C:\WINDOWS\SYSTEM32\msvcrt40.dll
2008-02-12 08:05 42,752 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-02-12 08:05 37,760 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-02-12 08:05 37,376 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-02-12 08:05 36,736 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-02-12 08:05 36,352 ------w C:\WINDOWS\system32\drivers\intelppm.sys
2008-02-12 08:05 35,840 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-02-12 08:05 2,065,792 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2008-02-12 07:48 79,872 ------w C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-02-12 07:48 79,872 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2006-11-09 19:38 1,380,212 --sh--w C:\WINDOWS\Fonts\cvmsyke.bak1
2006-11-29 00:17 948,160 --sh--w C:\WINDOWS\Fonts\cvmsyke.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 07:18 307200]
"SysProtect Free"="C:\Program Files\SysProtect Free\USYP.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]
"Sonic RecordNow!"="" []
"Registry Cleaner"="C:\Program Files\Registry Cleaner\RegClean.exe" [ ]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-02-12 14:59 1695232]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 14:59 15360]
"AdwareProtector"="C:\Program Files\WinFixer\AdwareProtector.exe" [ ]
"PTRUN32"="C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe" [2005-06-28 14:31 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"ptrun32"="C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe" [2005-08-01 01:29 905216]
"WinFixer helper"="C:\Program Files\WinFixer\wfxcwr.exe" [2005-11-22 12:58 94208]
"WinFixer"="C:\Program Files\WinFixer\wwfx5.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 02:01 155648]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"RebateNation0"="C:\Program Files\Rebate_Nation\RebateNation0.exe" [2004-10-14 14:37 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-04-24 17:58 4616192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [ ]
"MDNS"="C:\WINDOWS\system32\service.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 18:00 86102]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2008-02-12 14:59 169984]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2004-05-21 22:24:51 200704]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 05:10:26 282624]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 14:29:20 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R0 _wff;_wff;C:\WINDOWS\system32\drivers\_wff.sys [2005-09-20 15:19]
S0 wasfsd;wasfsd;C:\WINDOWS\system32\drivers\wasfsd.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 00:19:07 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-03-08 02:21:39 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Krista Hallberg.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 14:08:23
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-03-08 14:11:39
ComboFix-quarantined-files.txt 2008-03-08 19:11:06
ComboFix2.txt 2008-03-06 18:07:01
.
2008-02-13 08:08:25 --- E O F ---

#13 SifuMike (malware expert, Members, 15,385 posts)

Posted 08 March 2008 - 02:51 PM

Hi cbm550,


I see you ran ComboFix two days ago.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


I need to see the ComboFix log from the first time you ran it.

Please post ComboFix2.txt 2008-03-06 18:07:01

Thanks.

Edited by SifuMike, 08 March 2008 - 03:02 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 cbm550 (Topic Starter, Members, 87 posts)

Posted 08 March 2008 - 03:42 PM

Here is ComboFix2. Thanks.

ComboFix 08-03-03.15 - Krista Hallberg 2008-03-06 12:49:49.1 - NTFSx86
Running from: C:\Documents and Settings\Krista Hallberg\Local Settings\Temporary Internet Files\Content.IE5\MR1ADE5Y\Combo-Fix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\srcbktcn.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\Krista Hallberg\Application Data\winantiviruspro2006freeinstall[1].exe
C:\Documents and Settings\Krista Hallberg\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Krista Hallberg\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Krista Hallberg\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\ComPlus Applications\meqos555077.dll
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive11.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule13.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack13.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\TBONAS
C:\Program Files\vsadd-in
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\winperformance
C:\Program Files\winperformance\uninstall.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M1708NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\idgholup.dll
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\Skww90G9c1wp.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\SYSTEM32\000070.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\KVIF_7.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\ncase.ini
C:\WINDOWS\system32\sahagent1006.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\version69ie7fix.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\Xcite.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK


((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-05 17:50 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-03-05 17:47 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enmcvnbvdfjw.sys
2008-03-05 17:36 . 2008-03-05 17:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 17:31 . 2008-03-05 19:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-05 17:31 . 2008-03-05 17:31 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-05 17:31 . 2008-03-05 17:31 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-05 17:31 . 2008-03-05 17:31 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-05 14:32 . 2008-03-05 14:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-05 13:59 . 2008-03-05 13:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-05 13:59 . 2008-03-05 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 13:57 . 2008-03-05 13:57 <DIR> d-------- C:\Documents and Settings\Krista Hallberg\Application Data\U3
2008-03-02 12:50 . 2008-03-02 12:50 <DIR> d-------- C:\WINDOWS\hsccgaqu
2008-03-02 12:50 . 2008-03-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-02 12:50 . 2008-03-02 12:50 3,802,742 --a------ C:\WINDOWS\Skww90G9c1.exe
2008-03-02 12:50 . 2008-03-02 12:50 189,440 --a------ C:\WINDOWS\snczizsb.dll
2008-03-02 12:50 . 2008-03-02 12:50 89,105 --a------ C:\WINDOWS\wvufuhmh.exe
2008-03-02 12:50 . 2008-03-02 12:50 89,099 --a------ C:\WINDOWS\SYSTEM32\mgmrwmrv.exe
2008-03-02 12:50 . 2008-03-02 12:50 43,520 --a------ C:\WINDOWS\hclebqrc.exe
2008-03-02 12:50 . 2008-03-02 12:50 4 --a------ C:\WINDOWS\SYSTEM32\winfrun32.bin
2008-03-02 12:49 . 2008-03-05 18:24 <DIR> d-------- C:\Program Files\Batco
2008-03-02 12:49 . 2008-01-25 20:01 385,024 --a------ C:\WINDOWS\SYSTEM32\WinNB57.dll
2008-02-29 19:26 . 2008-03-05 08:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 19:26 . 2008-02-29 19:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 19:22 . 2008-02-29 19:22 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-02-21 16:43 . 2008-02-21 16:44 <DIR> d-------- C:\Program Files\Ultimate Duck Hunting
2008-02-21 16:37 . 2008-02-21 16:42 <DIR> d-------- C:\Downloads
2008-02-21 16:19 . 2008-02-21 16:19 <DIR> d-------- C:\Program Files\Oquirrh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 23:34 --------- d-----w C:\Program Files\Symantec
2008-03-05 23:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-05 21:39 --------- d-----w C:\Program Files\WinFixer
2008-03-05 21:38 --------- d-----w C:\Program Files\Yahoo!
2008-03-05 21:18 --------- d-----w C:\Program Files\Google
2008-03-01 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 00:24 --------- d-----w C:\Program Files\QuickTime
2008-03-01 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-01 00:23 --------- d-----w C:\Program Files\Kodak
2008-02-08 22:38 --------- d-----w C:\Documents and Settings\Krista Hallberg\Application Data\LimeWire
2008-01-25 02:08 81 ----a-w C:\CTX.DAT
2008-01-09 14:16 --------- d-----w C:\Documents and Settings\Krista Hallberg\Application Data\AdobeUM
2006-11-09 19:38 1,380,212 --sh--w C:\WINDOWS\Fonts\cvmsyke.bak1
2006-11-29 00:17 948,160 --sh--w C:\WINDOWS\Fonts\cvmsyke.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-02-04 11:33 401408 --a------ C:\Program Files\Batco\bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4D95707-174D-4679-F082-D2C2622331D0}]
C:\Program Files\Messenger\qucamoc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PTRUN32"="C:\WINDOWS\SYSTEM32\ptrun32\ptr32w.exe" [2005-06-28 14:31 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"ptrun32"="C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe" [2005-08-01 01:29 905216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Krista Hallberg^Start Menu^Programs^Startup^Bat - Auto Update.lnk]
path=C:\Documents and Settings\Krista Hallberg\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\WINDOWS\pss\Bat - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareProtector]
C:\Program Files\WinFixer\AdwareProtector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-22 22:19 52840 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
--a------ 2003-02-17 18:00 86102 C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-08-06 02:04 114741 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 11:27 28672 C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-12-20 20:54 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDNS]
C:\WINDOWS\system32\service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-04-24 17:58 4616192 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 20:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTRUN32]
--a------ 2005-08-01 01:29 905216 C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule13]
C:\Program Files\QdrModule\QdrModule13.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack13]
C:\Program Files\QdrPack\QdrPack13.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RebateNation0]
--a------ 2004-10-14 14:37 98304 C:\Program Files\Rebate_Nation\RebateNation0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\Program Files\Registry Cleaner\RegClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 21:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyKiller]
C:\Program Files\SpyKiller\spykiller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srcbktcn]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\srcbktcn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 02:01 155648 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysProtect Free]
C:\Program Files\SysProtect Free\USYP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 07:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFixer]
C:\Program Files\WinFixer\wwfx5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFixer helper]
--a------ 2005-11-22 12:58 94208 C:\Program Files\WinFixer\wfxcwr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPerformance]
C:\Program Files\WinPerformance\WinPerformance.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R0 _wff;_wff;C:\WINDOWS\system32\drivers\_wff.sys [2005-09-20 15:19]
S0 wasfsd;wasfsd;C:\WINDOWS\system32\drivers\wasfsd.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 00:19:07 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOffer@16
"2008-03-01 01:01:53 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Krista Hallberg.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 13:01:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-06 13:07:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 18:06:55
.
2008-02-13 08:08:25 --- E O F ---
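
As an added triage aid (example code written for this page, not ComboFix's, HijackThis's or either poster's), the script below reads a ComboFix-style log excerpt and flags the indicators a helper checks before writing a removal script: Run entries whose binary ComboFix could not stat (the empty `[ ]` metadata, as on the SysProtect Free, AdwareProtector and MDNS lines above), binaries sitting loose in C:\WINDOWS, the Security Center AntiVirusDisableNotify/DisableMonitoring values set to 1 and EnableFirewall set to 0 (the log above shows all three), a driver with no file information (wasfsd.sys) and the defanged BITS source. The embedded sample log is a constructed, abridged excerpt of the lines posted above; the script only reports and removes nothing.

```python
"""Triage a ComboFix-style log for the indicators a malware-removal helper reads
first. Added example for this thread (not ComboFix, HijackThis or the posters'
code). It flags autorun entries whose binary ComboFix could not stat ("[ ]"),
loose autorun binaries in the Windows directory, Security Center notify /
monitoring flags set to 1, the XP firewall policy disabled, drivers with no
file information, and defanged BITS download sources."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed, abridged excerpt assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysProtect Free"="C:\Program Files\SysProtect Free\USYP.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 14:59 15360]
"AdwareProtector"="C:\Program Files\WinFixer\AdwareProtector.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ptrun32"="C:\WINDOWS\SYSTEM32\ptrun32\ptrun32.exe" [2005-08-01 01:29 905216]
"MDNS"="C:\WINDOWS\system32\service.exe" [ ]
"runner1"="C:\WINDOWS\mrofinu72.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 _wff;_wff;C:\WINDOWS\system32\drivers\_wff.sys [2005-09-20 15:19]
S0 wasfsd;wasfsd;C:\WINDOWS\system32\drivers\wasfsd.sys []
----- BITS: Possible infected sites -----
hxxp://80.93.48.74
"""

# Security Center values malware sets to 1 so the user never sees the
# "no antivirus / firewall off" balloon; DisableMonitoring lives under the
# per-vendor Monitoring\<Product> subkeys.
TAMPER_FLAGS = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                "UpdatesDisableNotify", "DisableMonitoring"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:)?(?P<val>[0-9A-Fa-fx]+)')
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<disp>[^;]+);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")
URL_RE = re.compile(r"^h(?:xx|tt)ps?://\S+$")      # ComboFix defangs http as hxxp
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # short category, see parse_log
    where: str   # registry key, driver start type or "BITS"
    detail: str  # the offending value, path or URL


def parse_log(text: str) -> list[Finding]:
    """Walk the log line by line, tracking the current [registry key]."""
    findings: list[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif (m := DRIVER_RE.match(line)):
            if not m.group("meta").strip():       # "[]": driver file missing or hidden
                findings.append(Finding("driver-no-file", m.group("start"),
                                        f"{m.group('svc')} -> {m.group('path')}"))
        elif URL_RE.match(line):
            findings.append(Finding("bits-source", "BITS", line))
        elif (m := VALUE_RE.match(line)) and key.lower().endswith("\\run"):
            name, path, meta = m.group("name"), m.group("path"), m.group("meta")
            if not meta.strip():                  # "[ ]": ComboFix found no such file
                findings.append(Finding("autorun-missing-file", key, f"{name} -> {path}"))
            if WINDIR_ROOT_RE.match(path):        # loose binary directly in %windir%
                findings.append(Finding("autorun-windir-root", key, f"{name} -> {path}"))
        elif (m := DWORD_RE.match(line)):
            name, val = m.group("name"), int(m.group("val"), 16)
            if "security center" in key.lower() and name in TAMPER_FLAGS and val == 1:
                findings.append(Finding("security-center-tamper", key, name))
            elif "firewallpolicy" in key.lower() and name == "EnableFirewall" and val == 0:
                findings.append(Finding("firewall-disabled", key, name))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category for a quick severity glance."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:24} {f.where:60} {f.detail}")
    print(summarize(found))
```

Flagged entries are leads, not verdicts: a legitimate product whose binary was uninstalled also leaves an orphaned Run value with `[ ]`, which is why a helper cross-checks against the "Other Deletions" list and the file-creation dates before scripting a removal.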

#15 SifuMike (malware expert, Members, 15,385 posts)

Posted 08 March 2008 - 08:30 PM

Hi cbm550,

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\snczizsb.dll
C:\WINDOWS\wvufuhmh.exe
C:\WINDOWS\hclebqrc.exe
C:\WINDOWS\Skww90G9c1.exe
C:\Program Files\WinFixer\wfxcwr.exe 
C:\Program Files\WinFixer\wwfx5.exe
C:\Program Files\SysProtect Free\USYP.exe
C:\WINDOWS\Fonts\cvmsyke.bak1
C:\WINDOWS\Fonts\cvmsyke.bak2
C:\WINDOWS\system32\drivers\wasfsd.sys 

Folder:: 
C:\Program Files\Batco
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\hsccgaqu
C:\Program Files\SpyKiller
C:\Program Files\WinFixer
C:\Program Files\SysProtect Free
C:\Program Files\webHancer

Registry:: 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFixer helper"=-  
"WinFixer"=-  
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"=-  
"SysProtect Free"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]

Driver:: 
wasfsd


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 08 March 2008 - 08:37 PM.

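
The CFScript above has a small, fixed grammar: section headers ending in `::`, one path or service name per line, and REGEDIT4-style registry directives where `"Name"=-` under a `[Key]` removes that value and `[-Key]` removes the whole key. The parser below (an added example for this page, not ComboFix's own code) turns such a script into a list of actions and, as the check a reviewer would want given the warning that a script is written for one machine's log, reports any target that does not appear in the log it was written from. The script and log excerpts it embeds are constructed from the posts above.

```python
"""Parse a ComboFix CFScript into the actions it encodes and cross-check its
targets against the ComboFix log it was written from. Added example for this
thread; not ComboFix's parser. Understands the four section headers used in
the posted script (File::, Folder::, Registry::, Driver::) and its REGEDIT4
directives: "Name"=- under a [Key] deletes a value, [-Key] deletes the key."""
from __future__ import annotations

# Constructed, abridged copy of the script posted above.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\snczizsb.dll
C:\WINDOWS\system32\drivers\wasfsd.sys

Folder::
C:\Program Files\Batco

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFixer helper"=-
"WinFixer"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]

Driver::
wasfsd
"""

# Constructed log excerpt: the lines the script's targets were taken from.
SAMPLE_LOG = r"""
2008-03-02 12:50 . 2008-03-02 12:50 189,440 --a------ C:\WINDOWS\snczizsb.dll
2008-03-02 12:49 . 2008-03-05 18:24 <DIR> d-------- C:\Program Files\Batco
"WinFixer helper"="C:\Program Files\WinFixer\wfxcwr.exe" [2005-11-22 12:58 94208]
"WinFixer"="C:\Program Files\WinFixer\wwfx5.exe" [ ]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
S0 wasfsd;wasfsd;C:\WINDOWS\system32\drivers\wasfsd.sys []
"""

SECTIONS = {"File::": "files", "Folder::": "folders",
            "Registry::": "registry", "Driver::": "drivers"}


def parse_cfscript(text: str) -> dict[str, list]:
    """Return the actions a CFScript encodes; raise ValueError on malformed input."""
    actions: dict[str, list] = {"files": [], "folders": [], "drivers": [],
                                "delete_keys": [], "delete_values": []}
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                  # the posted script carries trailing spaces
        if not line:
            continue
        if line.endswith("::"):
            if line not in SECTIONS:
                raise ValueError(f"line {lineno}: unknown section {line!r}")
            section, current_key = SECTIONS[line], None
            continue
        if section is None:
            raise ValueError(f"line {lineno}: directive before any section header")
        if section != "registry":
            actions[section].append(line)
        elif line.startswith("[-") and line.endswith("]"):
            actions["delete_keys"].append(line[2:-1])
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif line.startswith('"') and line.endswith('"=-'):
            if current_key is None:
                raise ValueError(f"line {lineno}: value deletion outside any [key]")
            actions["delete_values"].append((current_key, line[1:-3]))
        else:
            raise ValueError(f"line {lineno}: unsupported registry directive {line!r}")
    return actions


def is_valid_cfscript(text: str) -> bool:
    try:
        parse_cfscript(text)
        return True
    except ValueError:
        return False


def unreferenced_targets(actions: dict[str, list], log_text: str) -> list[str]:
    """Targets the script names that never appear in the log. Each one needs a
    second look before the script is run, because ComboFix deletes without asking."""
    hay = log_text.lower()
    targets = (actions["files"] + actions["folders"] + actions["drivers"]
               + actions["delete_keys"] + [name for _, name in actions["delete_values"]])
    return [t for t in targets if t.lower() not in hay]


if __name__ == "__main__":
    acts = parse_cfscript(SAMPLE_SCRIPT)
    for kind, items in acts.items():
        print(f"{kind}: {items}")
    print("not seen in log:", unreferenced_targets(acts, SAMPLE_LOG))
```

The substring match is deliberately loose (it ignores case, since the log mixes `C:\WINDOWS\SYSTEM32` and `C:\WINDOWS\system32`); it cannot tell whether a path that does appear in the log was in the deletion list or in the legitimate-software section, so a clean result means "every target was seen", not "every target is malicious".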
