Multiple Malware Infections


21 replies to this topic

#1 shinzon9999 (Members, 11 posts)
Posted 06 March 2008 - 05:08 PM

Symptoms:
1. Multiple pop up screens when using Internet Explorer to surf the web.
2. Computer running really slow
3. Computer suspected of being infected with multiple malware: TROJ_VUNDO.AJP; TROJ_VUNDO.YEK; TROJ_ZAPCHAST.DM
4. The file nvcoi.exe is suspect.

The user does not have an antivirus program installed on their computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:13 PM, on 05/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kathy\Desktop\hijack_file\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [78033f06] rundll32.exe "C:\WINDOWS\system32\lvxamcux.dll",b
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?41eb280c9d1c4c1187d5f3107a7c6e3e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?41eb280c9d1c4c1187d5f3107a7c6e3e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199493321473
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.audrey1.com/savers/twallpaper1.jpg

--
End of file - 5785 bytes


#2 MoNsTeReNeRgY22, 1337 Malware Destroyer (Members, 611 posts)
Posted 07 March 2008 - 11:15 PM

Hello and Welcome to Bleeping Computer.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.




#3 shinzon9999, Topic Starter (Members, 11 posts)
Posted 09 March 2008 - 01:18 PM

Thank you for your help in this matter. I look forward to working with you to resolve this problem.

#4 MoNsTeReNeRgY22, 1337 Malware Destroyer (Members, 611 posts)
Posted 10 March 2008 - 12:13 AM

Hello shinzon9999,

Step 1
Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program that has an autoprotect feature on, uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should have an autoprotect feature on at a time.

Step 2
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
For more information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**




#5 shinzon9999, Topic Starter (Members, 11 posts)
Posted 11 March 2008 - 01:31 PM

Thanks for the instructions. I will be working on the implementation later today. Hope to have something for you soon. Once again, many thanks for your help.

#6 rookie147 (Members, 5,321 posts)
Posted 12 March 2008 - 02:35 AM

Hi there shinzon9999. I will be dealing with your log from now on; MoNsTeReNeRgY is unavailable. Please proceed with the last set of instructions, but I would also like you to create one more log for me alongside - at the end of the instructions:

Make a list of all the programs installed on your computer:
Open HijackThis
Click the Config... button, then go to the Misc Tools section.
Press Open Uninstall Manager. You'll see a list of programs.
Select Save List... - save it to your Desktop.
The file "uninstall_list.txt" will be created.
Copy and paste the contents of this file to your next reply, along with the requested Combofix and HijackThis logs.

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 shinzon9999, Topic Starter (Members, 11 posts)
Posted 12 March 2008 - 02:10 PM

Okay Charles. Thanks.

Here is what has occurred.

1. AVG Anti-Virus Free 7.5 has been downloaded and run.

2. ComboFix has been downloaded and run.

3. Logs for ComboFix and HijackThis posted below.

4. I will provide a list of all the programs installed on your computer later tonight or early tomorrow. I apologize for the delay, but I don't have access to that computer at the moment.

Regards,

Shinzon

**************************************************************************

ComboFix 08-03-10.1 - Kathy 2008-03-11 20:30:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.109 [GMT -6:00]
Running from: C:\Documents and Settings\Kathy\Local Settings\Temporary Internet Files\Content.IE5\ENUHG9IJ\ComboFix[1].exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Temp\1cb
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\system32\fupggjhy.dllbox
C:\WINDOWS\system32\gajfdyoo.ini
C:\WINDOWS\system32\gtbntxjr.ini
C:\WINDOWS\system32\guhrslqa.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\qqqru.ini
C:\WINDOWS\system32\qqqru.ini2
C:\WINDOWS\system32\xucmaxvl.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_NNSERV
-------\NNServ


((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-10 18:45 . 2008-03-11 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-10 18:41 . 2008-03-10 18:41 <DIR> d-------- C:\Program Files\STOPzilla!
2008-03-10 18:41 . 2008-03-10 18:41 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-03-10 18:41 . 2008-03-11 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-07 10:04 . 2008-03-07 10:04 229,376 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-03-03 14:16 . 2008-03-03 14:16 33,920 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2008-02-22 14:52 . 2008-02-22 14:52 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-02-22 14:51 . 2008-02-22 14:51 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-02-22 14:51 . 2008-02-22 14:51 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-02-22 14:50 . 2008-02-22 14:50 192,512 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-02-22 14:50 . 2008-02-22 14:50 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-02-22 14:50 . 2008-02-22 14:50 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-02-22 14:49 . 2008-02-22 14:49 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-02-22 14:49 . 2008-02-22 14:49 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-02-22 14:45 . 2008-02-22 14:45 708,608 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2008-02-18 19:21 . 2008-02-18 19:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-18 19:19 . 2008-02-25 00:31 <DIR> d-------- C:\Documents and Settings\Kathy\.housecall6.6
2008-02-16 11:20 . 2008-03-11 20:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-16 11:20 . 2008-02-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-15 06:26 . 2008-02-15 06:26 1,241,420 ---hs---- C:\WINDOWS\system32\refpyvgy.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 17:50 --------- d-----w C:\Program Files\SpywareBot
2008-03-07 23:01 --------- d-----w C:\Documents and Settings\Kathy\Application Data\SpywareBot
2008-02-19 05:07 --------- d-----w C:\Program Files\Dot1XCfg
2008-02-10 02:25 --------- d-----w C:\Documents and Settings\Kathy\Application Data\Grisoft
2008-02-10 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 21:45 --------- d-----w C:\Program Files\Yahoo!
2008-02-03 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-31 16:55 19,568 ----a-w C:\WINDOWS\system32\drivers\spywarebot.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{299806D6-E98A-4B93-A9E5-B6291715FABA}]
C:\Program Files\Online Services\nipy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74ADE211-1325-4F00-82A7-E412A384FC2D}]
C:\WINDOWS\system32\urqqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9229810C-F77F-4AE1-EAB0-FA2E23164897}]
C:\Program Files\Messenger\rybilo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B564ED90-7D37-426B-B2CB-A85B80D35E32}]
C:\Program Files\.\hejuly821058.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D050776A-C1A1-41AB-A53A-BF632A760061}]
C:\Program Files\Online Services\nipy4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2008-02-04 17:04 6370544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 15:46 709992]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 15:45 279912]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"78033f06"="C:\WINDOWS\system32\lvxamcux.dll" [ ]
"combofix"="C:\WINDOWS\system32\CF4949.exe" [2002-12-31 06:00 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 06:00 15360]

C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-02-17 18:09:37 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WLAN Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WLAN Utility.lnk
backup=C:\WINDOWS\pss\WLAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kathy^Start Menu^Programs^Startup^Watch.lnk]
path=C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\Watch.lnk
backup=C:\WINDOWS\pss\Watch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-12-10 18:02 67184 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 02:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2004-12-30 14:19 120640 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

R0 spywarebot;spywarebot;C:\WINDOWS\system32\DRIVERS\spywarebot.sys [2008-01-31 10:55]
R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-03-03 14:16]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 15:45]
R3 i740;i740;C:\WINDOWS\system32\DRIVERS\i740nt5.sys [2001-08-17 06:49]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 06:11]
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 15:46]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 07:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 18:22:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-12 02:06:16 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-27 23:20:32 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_setup_exe.job"
- D:\setup.exe
"2008-01-16 13:43:17 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job"
- C:\WINDOWS\vVX1000.exe
"2008-03-12 02:46:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 20:48:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-11 20:52:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 02:52:44




**************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:37 PM, on 11/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Kathy\Desktop\hijack_file\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {299806D6-E98A-4B93-A9E5-B6291715FABA} - C:\Program Files\Online Services\nipy83122.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: (no name) - {74ADE211-1325-4F00-82A7-E412A384FC2D} - C:\WINDOWS\system32\urqqq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {9229810C-F77F-4AE1-EAB0-FA2E23164897} - C:\Program Files\Messenger\rybilo.dll (file missing)
O2 - BHO: (no name) - {B564ED90-7D37-426B-B2CB-A85B80D35E32} - C:\Program Files\.\hejuly821058.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D050776A-C1A1-41AB-A53A-BF632A760061} - C:\Program Files\Online Services\nipy4444.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [78033f06] rundll32.exe "C:\WINDOWS\system32\lvxamcux.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?41eb280c9d1c4c1187d5f3107a7c6e3e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?41eb280c9d1c4c1187d5f3107a7c6e3e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199493321473
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O24 - Desktop Component 0: (no name) - http://www.audrey1.com/savers/twallpaper1.jpg

--
End of file - 7809 bytes

#8 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 12 March 2008 - 05:19 PM

No problem, take your time; I'm not going anywhere.

If you are pleased with the service I have offered, you may like to consider making a donation.


#9 shinzon9999

shinzon9999
  • Topic Starter

  • Members
  • 11 posts

Posted 12 March 2008 - 09:53 PM

Here is a list of the programs

Active Images Express
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.8
Apple Mobile Device Support
Apple Software Update
AVG Anti-Spyware 7.5
Canon i320
Canon Utilities Easy-PhotoPrint
Dealio Toolbar
HijackThis 2.0.2
iPhoto Plus 4
iTunes
J2SE Runtime Environment 5.0 Update 2
LimeWire 4.12.6
LiveUpdate 2.0 (Symantec Corporation)
Mars 97310 CIF
Microsoft LifeCam
Microsoft Office 2000 SR-1 Premium
Nero 6 Enterprise Edition
QuickTime
Scrabble Blast Deluxe
SpywareBot
STOPzilla
Symantec AntiVirus
Tabbed Browsing (Windows Live Toolbar)
TextBridge Classic
Update for Windows XP (KB898461)
Webshots Desktop
Windows Driver Package - Camera Maker (MR97310_USB_DUAL_CAMERA) Image 05/02/2006 2.0.1.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar MSN Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
WinRAR archiver
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

#10 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 13 March 2008 - 04:50 PM

Hello there,
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {299806D6-E98A-4B93-A9E5-B6291715FABA} - C:\Program Files\Online Services\nipy83122.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: (no name) - {74ADE211-1325-4F00-82A7-E412A384FC2D} - C:\WINDOWS\system32\urqqq.dll (file missing)
O2 - BHO: 0 - {9229810C-F77F-4AE1-EAB0-FA2E23164897} - C:\Program Files\Messenger\rybilo.dll (file missing)
O2 - BHO: (no name) - {B564ED90-7D37-426B-B2CB-A85B80D35E32} - C:\Program Files\.\hejuly821058.dll (file missing)
O2 - BHO: (no name) - {D050776A-C1A1-41AB-A53A-BF632A760061} - C:\Program Files\Online Services\nipy4444.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [78033f06] rundll32.exe "C:\WINDOWS\system32\lvxamcux.dll",b


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot your computer: IMPORTANT.

Then please scan once more with both Hijackthis and Combofix, posting the logs in your next reply.
Thanks,
Charles

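
The fix list in the post above is the classic Vundo-era pattern: BHO, toolbar and URLSearchHook registrations whose DLL is already gone ("(file missing)" or "(no file)"), plus an HKLM Run value with a hex-looking name that uses rundll32.exe to load a random-named DLL out of system32 through a one-letter export. Those are the entries worth checkmarking. The six O10 lines were correctly left alone: is3lsp.dll is the Winsock LSP of the STOPzilla/iS3 anti-spyware product that appears in the installed-programs list and the O23 services, and fixing an LSP entry with HijackThis can break the Winsock chain and leave the machine without networking. The script below is an added example, not code from the thread or from HijackThis; it applies those rules to a log excerpt assembled from the lines posted above (with a benign Adobe BHO and the iTunesHelper Run entry as controls). The classification heuristics are assumptions made for illustration, not HijackThis's own logic.

```python
"""Triage a HijackThis 2.0 log: list the entries worth fixing (orphaned
BHO/toolbar/URLSearchHook registrations, rundll32 Run values loading a
random-named DLL) and mark the ones that must not be fixed blindly
(Winsock LSP entries). The heuristics are illustrative assumptions."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# rundll32.exe "C:\path\name.dll",export   (quotes optional)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+?\.dll)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
RUN_NAME_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\]")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "fix", "review" or "caution"
    section: str
    reason: str
    line: str


def triage_line(line):
    """Classify one HijackThis entry; None means nothing to report."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R3", "O2", "O3") and ("(file missing)" in body or "(no file)" in body):
        return Finding("fix", sec, "registration points at a DLL that is gone", line)
    if sec == "O2" and "(no name)" in body:
        return Finding("review", sec, "BHO registered without a name", line)
    if sec == "O4":
        rd = RUNDLL_RE.search(body)
        if rd:
            nm = RUN_NAME_RE.search(body)
            value_name = nm.group("name") if nm else ""
            # Hex-looking value name or one-letter export: the Vundo pattern
            if HEX_NAME_RE.match(value_name) or len(rd.group("export")) == 1:
                return Finding("fix", sec, "rundll32 via hex-named value / one-letter export", line)
            return Finding("review", sec, "rundll32-based autostart", line)
    if sec == "O10":
        # Never 'Fix checked' an LSP entry; use an LSP-aware tool instead
        return Finding("caution", sec, "Winsock LSP: leave to an LSP-aware tool", line)
    if sec == "O16" and "http" in body.lower() and "microsoft.com" not in body.lower():
        return Finding("review", sec, "ActiveX download from a non-Microsoft host", line)
    if sec == "O24" and "http" in body.lower():
        return Finding("review", sec, "Active Desktop component fetched from a URL", line)
    return None


def triage(log_text):
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def fix_list(log_text):
    """The lines to checkmark in HijackThis before pressing 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.severity == "fix"]


# Excerpt assembled from the logs posted in this thread, plus two benign
# control lines (Adobe BHO, iTunesHelper).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {74ADE211-1325-4F00-82A7-E412A384FC2D} - C:\WINDOWS\system32\urqqq.dll (file missing)
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O4 - HKLM\..\Run: [78033f06] rundll32.exe "C:\WINDOWS\system32\lvxamcux.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199493321473
O24 - Desktop Component 0: (no name) - http://www.audrey1.com/savers/twallpaper1.jpg
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:8} {f.section:4} {f.reason}: {f.line.strip()}")
```

Feed it a saved hijackthis.log instead of SAMPLE_LOG to triage a real machine. Entries it reports as "caution" (O10) should be handled with an LSP-aware tool; on XP SP2 `netsh winsock reset` rebuilds the catalog if an LSP has already been broken.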


#11 shinzon9999

shinzon9999
  • Topic Starter

  • Members
  • 11 posts

Posted 14 March 2008 - 02:23 PM

done.

ComboFix 08-03-13.4 - Kathy 2008-03-13 20:23:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -6:00]
Running from: C:\Documents and Settings\Kathy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-10 18:45 . 2008-03-13 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-10 18:41 . 2008-03-10 18:41 <DIR> d-------- C:\Program Files\STOPzilla!
2008-03-10 18:41 . 2008-03-10 18:41 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-03-10 18:41 . 2008-03-13 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-07 10:04 . 2008-03-07 10:04 229,376 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-03-03 14:16 . 2008-03-03 14:16 33,920 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2008-02-22 14:52 . 2008-02-22 14:52 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-02-22 14:51 . 2008-02-22 14:51 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-02-22 14:51 . 2008-02-22 14:51 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-02-22 14:50 . 2008-02-22 14:50 192,512 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-02-22 14:50 . 2008-02-22 14:50 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-02-22 14:50 . 2008-02-22 14:50 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-02-22 14:49 . 2008-02-22 14:49 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-02-22 14:49 . 2008-02-22 14:49 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-02-22 14:45 . 2008-02-22 14:45 708,608 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2008-02-18 19:21 . 2008-02-18 19:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-18 19:19 . 2008-02-25 00:31 <DIR> d-------- C:\Documents and Settings\Kathy\.housecall6.6
2008-02-16 11:20 . 2008-03-13 20:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-16 11:20 . 2008-02-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-15 06:26 . 2008-02-15 06:26 1,241,420 ---hs---- C:\WINDOWS\system32\refpyvgy.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 02:19 --------- d-----w C:\Program Files\SpywareBot
2008-03-14 02:19 --------- d-----w C:\Documents and Settings\Kathy\Application Data\SpywareBot
2008-02-19 05:07 --------- d-----w C:\Program Files\Dot1XCfg
2008-02-10 02:25 --------- d-----w C:\Documents and Settings\Kathy\Application Data\Grisoft
2008-02-10 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 21:45 --------- d-----w C:\Program Files\Yahoo!
2008-02-03 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-31 16:55 19,568 ----a-w C:\WINDOWS\system32\drivers\spywarebot.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2008-02-04 17:04 6370544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 15:46 709992]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 15:45 279912]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 06:00 15360]

C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-02-17 18:09:37 45056]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WLAN Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WLAN Utility.lnk
backup=C:\WINDOWS\pss\WLAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kathy^Start Menu^Programs^Startup^Watch.lnk]
path=C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\Watch.lnk
backup=C:\WINDOWS\pss\Watch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-12-10 18:02 67184 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 02:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2004-12-30 14:19 120640 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

R0 spywarebot;spywarebot;C:\WINDOWS\system32\DRIVERS\spywarebot.sys [2008-01-31 10:55]
R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-03-03 14:16]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 15:45]
R3 i740;i740;C:\WINDOWS\system32\DRIVERS\i740nt5.sys [2001-08-17 06:49]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 06:11]
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 15:46]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 07:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 18:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-14 02:06:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-27 23:20:32 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_setup_exe.job"
- D:\setup.exe
"2008-01-16 13:43:17 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job"
- C:\WINDOWS\vVX1000.exe
"2008-03-14 02:16:07 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 20:29:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 20:31:48
ComboFix-quarantined-files.txt 2008-03-14 02:31:34
ComboFix2.txt 2008-03-12 02:52:57
**************************************************************************
**************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:46 PM, on 13/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kathy\Desktop\hijack_file\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?41eb280c9d1c4c1187d5f3107a7c6e3e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?41eb280c9d1c4c1187d5f3107a7c6e3e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199493321473
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O24 - Desktop Component 0: (no name) - http://www.audrey1.com/savers/twallpaper1.jpg

--
End of file - 6228 bytes
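
Two things in the "Reg Loading Points" section of the ComboFix log above deserve more attention than the pop-ups did. Under HKLM\software\microsoft\security center, AntiVirusDisableNotify=1 and DisableMonitoring=1 for Symantec AntiVirus mean Security Center will stay quiet about the antivirus being off, and the whole Symantec service family (Symantec AntiVirus, ccSetMgr, ccEvtMgr, DefWatch, SavRoam, SNDSrvc, ccPwdSvc) together with wscsvc (Security Center) and wuauserv (Automatic Updates) sits under the msconfig\services key, which only holds services that have been unchecked in msconfig's Services tab. There is also a Windows Firewall exception for C:\StubInstaller.exe, an executable in the root of the drive. The script below is an added example, not ComboFix's code or anything posted in the thread; it parses those keys out of a REGEDIT4-style excerpt taken from the log above and reports them. The product-name hints and the trusted-directory list are assumptions chosen for this particular log.

```python
"""Read the 'Reg Loading Points' section of a ComboFix log and report three
things: Security Center 'disable notify/monitoring' flags, services parked
under msconfig\services, and Windows Firewall exceptions for executables
outside the usual install directories. Name hints are assumptions."""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

AV_HINTS = ("symantec", "antivirus", "ccsetmgr", "ccevtmgr", "ccpwdsvc",
            "defwatch", "savroam", "sndsrvc")          # Symantec AV family
OS_SECURITY = ("wscsvc", "wuauserv", "sharedaccess")  # Security Center, AU, firewall
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify",
                "UpdatesDisableNotify", "DisableMonitoring")
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\",
                    "%windir%\\", "%programfiles%\\")


def parse_reg_points(text):
    """{lower-cased key: {value name: data}} for a REGEDIT4-style dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = vm.group("data").strip()
    return keys


def security_center_flags(keys):
    """(key, value) pairs where a Security Center disable flag is set to 1."""
    return [(key, name)
            for key, values in keys.items() if "security center" in key
            for name, data in values.items()
            if name in NOTIFY_FLAGS and data.lower().endswith("00000001")]


def msconfig_disabled(keys):
    """Services someone unchecked in msconfig, split by what they protect."""
    out = {"os_security": [], "antivirus": [], "other": []}
    for key, values in keys.items():
        if not key.endswith("msconfig\\services"):
            continue
        for name in values:
            low = name.lower()
            if low in OS_SECURITY:
                out["os_security"].append(name)
            elif any(h in low for h in AV_HINTS):
                out["antivirus"].append(name)
            else:
                out["other"].append(name)
    return out


def odd_firewall_exceptions(keys):
    """Authorised programs that live outside Program Files / Windows."""
    odd = []
    for key, values in keys.items():
        if "authorizedapplications\\list" not in key:
            continue
        for name in values:
            path = name.replace("\\\\", "\\")  # undo REGEDIT escaping
            if not path.lower().startswith(TRUSTED_PREFIXES):
                odd.append(path)
    return odd


def report(text):
    keys = parse_reg_points(text)
    return {"security_center": security_center_flags(keys),
            "msconfig": msconfig_disabled(keys),
            "firewall": odd_firewall_exceptions(keys)}


# Excerpt copied from the ComboFix log posted in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"""

if __name__ == "__main__":
    for section, hits in report(SAMPLE).items():
        print(section, hits)
```

The number after each msconfig entry (2 or 3) is the service's original start type, which is what msconfig needs to restore it; re-enabling the services from the msconfig Services tab puts those values back, and clearing the two Security Center flags (or simply letting Security Center monitor the product again) restores the alerting.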

#12 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 15 March 2008 - 02:49 PM

Before we continue, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with it and post back the new log.
Thanks,
Charles



#13 shinzon9999

shinzon9999
  • Topic Starter

  • Members
  • 11 posts

Posted 16 March 2008 - 06:44 PM

Windows XP Recovery Console added per your instructions.



ComboFix 08-03-13.4 - Kathy 2008-03-16 15:08:09.3 - NTFSx86
Running from: C:\Documents and Settings\Kathy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-10 18:45 . 2008-03-16 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-10 18:41 . 2008-03-10 18:41 <DIR> d-------- C:\Program Files\STOPzilla!
2008-03-10 18:41 . 2008-03-10 18:41 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-03-10 18:41 . 2008-03-16 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-07 10:04 . 2008-03-07 10:04 229,376 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-03-03 14:16 . 2008-03-03 14:16 33,920 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2008-02-22 14:52 . 2008-02-22 14:52 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-02-22 14:51 . 2008-02-22 14:51 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-02-22 14:51 . 2008-02-22 14:51 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-02-22 14:50 . 2008-02-22 14:50 192,512 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-02-22 14:50 . 2008-02-22 14:50 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-02-22 14:50 . 2008-02-22 14:50 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-02-22 14:49 . 2008-02-22 14:49 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-02-22 14:49 . 2008-02-22 14:49 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-02-22 14:45 . 2008-02-22 14:45 708,608 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2008-02-18 19:21 . 2008-02-18 19:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-18 19:19 . 2008-02-25 00:31 <DIR> d-------- C:\Documents and Settings\Kathy\.housecall6.6
2008-02-16 11:20 . 2008-03-14 18:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-16 11:20 . 2008-02-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 02:19 --------- d-----w C:\Program Files\SpywareBot
2008-03-14 02:19 --------- d-----w C:\Documents and Settings\Kathy\Application Data\SpywareBot
2008-02-19 05:07 --------- d-----w C:\Program Files\Dot1XCfg
2008-02-15 12:26 1,241,420 --sh--w C:\WINDOWS\system32\refpyvgy.tmp
2008-02-10 02:25 --------- d-----w C:\Documents and Settings\Kathy\Application Data\Grisoft
2008-02-10 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 21:45 --------- d-----w C:\Program Files\Yahoo!
2008-02-03 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-31 16:55 19,568 ----a-w C:\WINDOWS\system32\drivers\spywarebot.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2008-02-04 17:04 6370544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 15:46 709992]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 15:45 279912]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 06:00 15360]

C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-02-17 18:09:37 45056]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WLAN Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WLAN Utility.lnk
backup=C:\WINDOWS\pss\WLAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kathy^Start Menu^Programs^Startup^Watch.lnk]
path=C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\Watch.lnk
backup=C:\WINDOWS\pss\Watch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-12-10 18:02 67184 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 02:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2004-12-30 14:19 120640 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

R0 spywarebot;spywarebot;C:\WINDOWS\system32\DRIVERS\spywarebot.sys [2008-01-31 10:55]
R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-03-03 14:16]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 15:45]
R3 i740;i740;C:\WINDOWS\system32\DRIVERS\i740nt5.sys [2001-08-17 06:49]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 06:11]
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 15:46]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 07:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 18:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 21:06:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-27 23:20:32 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_setup_exe.job"
- D:\setup.exe
"2008-01-16 13:43:17 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job"
- C:\WINDOWS\vVX1000.exe
"2008-03-16 09:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 15:14:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-16 15:17:02
ComboFix-quarantined-files.txt 2008-03-16 21:16:46
ComboFix2.txt 2008-03-14 02:31:50
ComboFix3.txt 2008-03-12 02:52:57

#14 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 17 March 2008 - 04:57 PM

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

I'd also like some information about how things seem to be running now.
Thanks,
Charles



#15 shinzon9999

shinzon9999
  • Topic Starter

  • Members
  • 11 posts

Posted 18 March 2008 - 01:29 PM

Charles,

First, many thanks for your help thus far.

Second, the computer is running a lot better these days thanks to your help. I haven't received a pop-up or anything like that for several days now. The computer seems to be running more slowly than it did previously (before all this mess started).

Lastly, Panda's ActiveScan was run and the incident report is posted below.


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\0.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\10.qit
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\11.qit
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\13.qit
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\14.qit
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\17.qit
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\3.qit
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\4.qit
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\6.qit
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\7.qit
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Kathy\Application Data\SpywareBot\Quarantine\17-03-2008-04-57-51\9.qit
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Kathy\Cookies\kathy@adrevolver[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kathy\Cookies\kathy@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kathy\Cookies\kathy@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Kathy\Cookies\kathy@atwola[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Kathy\Cookies\kathy@casalemedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Kathy\Cookies\kathy@server.iad.liveperson[1].txt
Spyware:Spyware/7r7t



