Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Log After Braviax.exe And Final Cleanup With Combofix


  • This topic is locked This topic is locked
14 replies to this topic

#1 skipower

skipower

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 13 March 2008 - 07:20 PM

What do you see left over?

Problem was bad enough that HijackThis, Spybot, and AdAware would not even open to try for scanning. This log is after multiple scans.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:56 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Protector Plus\PPAVMon.exe
C:\Protector Plus\PPServ.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROTEC~1\PPTbc.EXE
C:\PROTEC~1\PPInupdt.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\WWF\Desktop\DIManager6.exe
C:\Program Files\StickIt\StickIt3.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Weather Watcher\ww.exe
C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Protector Plus\POPSCAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - C:\WINDOWS\system32\mljgh.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto
O4 - HKCU\..\Run: [StickIt] C:\Program Files\StickIt\StickIt3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O20 - Winlogon Notify: ddcbaxu - ddcbaxu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9768 bytes

BC AdBot (Login to Remove)

 


#2 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:57 PM

Posted 13 March 2008 - 08:37 PM

Hello Wayne

Welcome to the Bleeping Computer Malware Removal Forum Before we proceed, you need to disable all your Anti Spyware software as it will interfere with the fix.

Shut down Ad Aware and the TeaTimer in Spybot Search and Destroy.


Do this first...Important


Disable the TeaTimer, you can re enable it when were done if you wish
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.<--You need to do this for it to take effect



You need to Disable AdWatch in Ad-Aware Se Personal as it can stop our fix.

To Disable AdWatch
  • Open Ad-Aware SE Personal
  • Go to the AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options
  • Active: This will turn Ad-Watch On\Off without closing it.
  • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both options.
You should enable these after resolving your problem.





Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - C:\WINDOWS\system32\mljgh.dll (file missing)

O20 - Winlogon Notify: ddcbaxu - ddcbaxu.dll (file missing)






Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.



Now drag your copy of Combofix to the trash and grab a fresh copy as its updated on a regular basis and run it this way.

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again afterwards before connecting to the net

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.


Run the programs in the order I posted them and then post the log for Malwarebytes , Combofix and a New HJT log.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#3 skipower

skipower
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 13 March 2008 - 09:57 PM

Here are the results....Excellent directions, by the way!


Malwarebytes' Anti-Malware 1.08
Database version: 489

Scan type: Quick Scan
Objects scanned: 31182
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Casino (Adware.Casino) -> Quarantined and deleted successfully.

Files Infected:
C:\cysdos.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ffdcahl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\fsavfpk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\onhtp.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\rsvlqer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\WWF\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 08-03-13.4 - WWF 2008-03-13 22:45:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1517 [GMT -4:00]
Running from: C:\Documents and Settings\WWF\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Documents and Settings\WWF\Application Data\Malwarebytes
2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-13 15:54 . 2008-03-13 15:54 <DIR> d-------- C:\VundoFix Backups
2008-03-13 15:04 . 2008-03-13 15:04 <DIR> d-------- C:\Program Files\CCleaner
2008-03-13 12:56 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-13 11:51 . 2008-03-13 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-13 11:06 . 2008-03-13 11:06 19,757 --a------ C:\Documents and Settings\All Users\Application Data\ifijoqipim.dat
2008-03-13 11:06 . 2008-03-13 11:06 18,700 --a------ C:\WINDOWS\system32\ufadycuzav.bat
2008-03-13 11:06 . 2008-03-13 11:06 15,592 --a------ C:\Documents and Settings\WWF\Application Data\byrorex.vbs
2008-03-13 11:06 . 2008-03-13 11:06 12,101 --a------ C:\Documents and Settings\All Users\Application Data\ahav.sys
2008-03-13 08:24 . 2008-03-13 08:24 17,869 --a------ C:\Documents and Settings\All Users\Application Data\anuq.bat
2008-03-13 08:24 . 2008-03-13 08:24 16,606 --a------ C:\Documents and Settings\All Users\Application Data\olirelam.bat
2008-03-13 08:24 . 2008-03-13 08:24 14,684 --a------ C:\Documents and Settings\All Users\Application Data\exokyz.vbs
2008-03-10 13:55 . 2008-03-10 13:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 13:55 . 2008-03-10 13:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 19:12 . 2008-02-29 19:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-29 19:12 . 2008-02-29 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 12:02 . 2008-02-19 09:59 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-19 12:02 . 2008-02-19 12:02 3,440 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 20:30 --------- d-----w C:\Program Files\StickIt
2008-03-13 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-13 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-13 12:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-09 19:19 --------- d-----w C:\Program Files\Weather Watcher
2008-03-03 12:29 --------- d-----w C:\Documents and Settings\WWF\Application Data\WeatherWatcher
2008-03-02 23:10 --------- d-----w C:\Program Files\WinTV
2008-02-29 23:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 23:00 --------- d-----w C:\Documents and Settings\WWF\Application Data\Lavasoft
2008-02-18 13:51 --------- d-----w C:\Program Files\R-RAM
2008-02-16 20:51 --------- d-----w C:\Program Files\Google
2008-02-12 17:05 --------- d-----w C:\Program Files\Windows Media Components
2008-02-12 16:22 55,949 ----a-w C:\WINDOWS\system32\x264-uninstall.exe
2008-02-12 16:20 --------- d-----w C:\Program Files\MediaCoder
2008-02-12 15:58 --------- d-----w C:\Program Files\AVIcodec
2008-02-12 14:35 --------- d-----w C:\Program Files\WMV9_VCM
2008-02-12 13:17 --------- d-----w C:\Program Files\NewzToolz
2008-01-31 23:21 --------- d-----w C:\Documents and Settings\WWF\Application Data\StickIt
2008-01-30 17:04 4,444 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-16 05:08 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-01-16 05:08 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2006-12-30 16:08 8 --sha-r C:\WINDOWS\system32\35B06C7836.sys
2006-10-10 12:59 88 --sha-r C:\WINDOWS\system32\DD697E2326.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-13_16.22.52.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-13 20:11:51 63,016 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-14 02:36:18 63,418 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-13 20:11:51 402,406 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-14 02:36:18 402,974 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 05:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"DIManager"="C:\Documents and Settings\WWF\Desktop\DIManager6.exe" [2006-09-05 14:19 1588736]
"StickIt"="C:\Program Files\StickIt\StickIt3.exe" [2007-08-02 00:02 319488]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2008-01-22 23:18 1028096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 11:51 57344]
"MBMon"="CTMBHA.DLL" [2006-03-03 04:18 1355938 C:\WINDOWS\system32\CTMBHA.DLL]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 10:13 1126400]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 10:51 49152]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-10-27 16:48 507904]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 19:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 18:58 696320]
"Protector Plus Taskbar Control"="C:\PROTEC~1\PPTbc.EXE" [2007-04-23 10:34 1160104]
"Protector Plus InstaUpdate"="C:\PROTEC~1\PPInupdt.exe" [2007-04-23 10:34 1151912]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192]
"PDUiP6700DMon"="C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe" [2006-03-16 14:47 61440]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 01:50 1603152]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 14:20 190008]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 11:44 249856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2006-02-22 13:00 49152 c:\dell\E-Center\gtb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-03-03 10:33 51184 C:\Documents and Settings\WWF\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTAReg]
--------- 2005-10-21 17:39 512094 C:\Program Files\Creative\Sound Blaster Audigy ADVANCED MB\Product Registration\English\HTAReg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 20:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReleaseRAM]
C:\Program Files\R-RAM\RRAM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1535.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"C:\\Program Files\\StickIt\\StickIt3.exe"=

R2 ProtectorPlusAVMonitor;Protector Plus Anti-virus Monitor Service;"C:\Protector Plus\PPAVMon.exe" [2007-04-23 10:34]
R2 ProtectorPlusService;Protector Plus Service;"C:\Protector Plus\PPServ.exe" [2007-04-23 10:34]
R3 hcwAVD2;Hauppauge PVR USB2 AVS Video Capture;C:\WINDOWS\system32\drivers\HCWUSB2AV.sys [2007-02-27 16:40]
R3 PPDrv;Protector Plus Driver;C:\Protector Plus\PPDrv.sys [2007-04-23 10:34]
R3 PPEMSCAN;Protector Plus Email Scan Driver;C:\Protector Plus\PPEMSCAN.sys [2007-04-23 10:34]
S1 guntest;guntest;C:\WINDOWS\Help\guntest.chm []
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 16:30]
S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9cae688-b498-11dc-8087-0015c51ec285}]
\Shell\AutoRun\command - "K:\Install FreeAgent Tools.exe" /run

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 22:46:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\guntest]
"ImagePath"="\??\C:\WINDOWS\Help\guntest.chm"
.
Completion time: 2008-03-13 22:46:58
ComboFix-quarantined-files.txt 2008-03-14 02:46:56
ComboFix2.txt 2008-03-13 20:41:23
ComboFix3.txt 2008-03-13 20:23:17


---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:46 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Protector Plus\PPAVMon.exe
C:\Protector Plus\PPServ.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROTEC~1\PPTbc.EXE
C:\PROTEC~1\PPInupdt.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\WWF\Desktop\DIManager6.exe
C:\Program Files\StickIt\StickIt3.exe
C:\Program Files\Weather Watcher\ww.exe
C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Protector Plus\POPSCAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto
O4 - HKCU\..\Run: [StickIt] C:\Program Files\StickIt\StickIt3.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9016 bytes

#4 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:57 PM

Posted 14 March 2008 - 05:50 AM

Good Morning Wayne,

It looks like Vundo is gone but you have another issue we need to fix.

C:\WINDOWS\System32\svchost.exe <-- This is legit , your computer won't run without it but svchost.exe running anyplace else is a virus.


Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

File::
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\mrofinu1535.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by ken545, 14 March 2008 - 05:50 AM.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#5 skipower

skipower
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 14 March 2008 - 07:42 AM

Hi Ken,

FYI.....after Defrag last night and restart, the following showed up again:

O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - (no file)


After following your directions about script and ComboFix, here are the results:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 08-03-13.4 - WWF 2008-03-14 8:31:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1520 [GMT -4:00]
Running from: C:\Documents and Settings\WWF\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\WWF\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\drivers\svchost.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Documents and Settings\WWF\Application Data\Malwarebytes
2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-13 15:54 . 2008-03-13 15:54 <DIR> d-------- C:\VundoFix Backups
2008-03-13 15:04 . 2008-03-13 15:04 <DIR> d-------- C:\Program Files\CCleaner
2008-03-13 12:56 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-13 11:51 . 2008-03-13 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-13 11:06 . 2008-03-13 11:06 19,757 --a------ C:\Documents and Settings\All Users\Application Data\ifijoqipim.dat
2008-03-13 11:06 . 2008-03-13 11:06 18,700 --a------ C:\WINDOWS\system32\ufadycuzav.bat
2008-03-13 11:06 . 2008-03-13 11:06 15,592 --a------ C:\Documents and Settings\WWF\Application Data\byrorex.vbs
2008-03-13 11:06 . 2008-03-13 11:06 12,101 --a------ C:\Documents and Settings\All Users\Application Data\ahav.sys
2008-03-13 08:24 . 2008-03-13 08:24 17,869 --a------ C:\Documents and Settings\All Users\Application Data\anuq.bat
2008-03-13 08:24 . 2008-03-13 08:24 16,606 --a------ C:\Documents and Settings\All Users\Application Data\olirelam.bat
2008-03-13 08:24 . 2008-03-13 08:24 14,684 --a------ C:\Documents and Settings\All Users\Application Data\exokyz.vbs
2008-03-10 13:55 . 2008-03-10 13:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 13:55 . 2008-03-10 13:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 19:12 . 2008-02-29 19:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-29 19:12 . 2008-02-29 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 12:02 . 2008-02-19 09:59 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-19 12:02 . 2008-02-19 12:02 3,440 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 20:30 --------- d-----w C:\Program Files\StickIt
2008-03-13 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-13 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-13 12:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-09 19:19 --------- d-----w C:\Program Files\Weather Watcher
2008-03-03 12:29 --------- d-----w C:\Documents and Settings\WWF\Application Data\WeatherWatcher
2008-03-02 23:10 --------- d-----w C:\Program Files\WinTV
2008-02-29 23:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 23:00 --------- d-----w C:\Documents and Settings\WWF\Application Data\Lavasoft
2008-02-18 13:51 --------- d-----w C:\Program Files\R-RAM
2008-02-16 20:51 --------- d-----w C:\Program Files\Google
2008-02-12 17:05 --------- d-----w C:\Program Files\Windows Media Components
2008-02-12 16:22 55,949 ----a-w C:\WINDOWS\system32\x264-uninstall.exe
2008-02-12 16:20 --------- d-----w C:\Program Files\MediaCoder
2008-02-12 15:58 --------- d-----w C:\Program Files\AVIcodec
2008-02-12 14:35 --------- d-----w C:\Program Files\WMV9_VCM
2008-02-12 13:17 --------- d-----w C:\Program Files\NewzToolz
2008-01-31 23:21 --------- d-----w C:\Documents and Settings\WWF\Application Data\StickIt
2008-01-30 17:04 4,444 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-16 05:08 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-01-16 05:08 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2006-12-30 16:08 8 --sha-r C:\WINDOWS\system32\35B06C7836.sys
2006-10-10 12:59 88 --sha-r C:\WINDOWS\system32\DD697E2326.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-13_16.22.52.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-13 20:11:51 63,016 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-14 12:11:13 63,418 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-13 20:11:51 402,406 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-14 12:11:13 402,974 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9403AFB1-F4AC-4A46-8A74-E757AF9C50E7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 05:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"DIManager"="C:\Documents and Settings\WWF\Desktop\DIManager6.exe" [2006-09-05 14:19 1588736]
"StickIt"="C:\Program Files\StickIt\StickIt3.exe" [2007-08-02 00:02 319488]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2008-01-22 23:18 1028096]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 11:51 57344]
"MBMon"="CTMBHA.DLL" [2006-03-03 04:18 1355938 C:\WINDOWS\system32\CTMBHA.DLL]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 10:13 1126400]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 10:51 49152]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-10-27 16:48 507904]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 19:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 18:58 696320]
"Protector Plus Taskbar Control"="C:\PROTEC~1\PPTbc.EXE" [2007-04-23 10:34 1160104]
"Protector Plus InstaUpdate"="C:\PROTEC~1\PPInupdt.exe" [2007-04-23 10:34 1151912]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192]
"PDUiP6700DMon"="C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe" [2006-03-16 14:47 61440]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 01:50 1603152]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 14:20 190008]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 11:44 249856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2006-02-22 13:00 49152 c:\dell\E-Center\gtb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-03-03 10:33 51184 C:\Documents and Settings\WWF\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTAReg]
--------- 2005-10-21 17:39 512094 C:\Program Files\Creative\Sound Blaster Audigy ADVANCED MB\Product Registration\English\HTAReg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 20:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReleaseRAM]
C:\Program Files\R-RAM\RRAM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"C:\\Program Files\\StickIt\\StickIt3.exe"=

R2 ProtectorPlusAVMonitor;Protector Plus Anti-virus Monitor Service;"C:\Protector Plus\PPAVMon.exe" [2007-04-23 10:34]
R2 ProtectorPlusService;Protector Plus Service;"C:\Protector Plus\PPServ.exe" [2007-04-23 10:34]
R3 hcwAVD2;Hauppauge PVR USB2 AVS Video Capture;C:\WINDOWS\system32\drivers\HCWUSB2AV.sys [2007-02-27 16:40]
R3 PPDrv;Protector Plus Driver;C:\Protector Plus\PPDrv.sys [2007-04-23 10:34]
R3 PPEMSCAN;Protector Plus Email Scan Driver;C:\Protector Plus\PPEMSCAN.sys [2007-04-23 10:34]
S1 guntest;guntest;C:\WINDOWS\Help\guntest.chm []
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 16:30]
S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9cae688-b498-11dc-8087-0015c51ec285}]
\Shell\AutoRun\command - "K:\Install FreeAgent Tools.exe" /run

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 08:33:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\guntest]
"ImagePath"="\??\C:\WINDOWS\Help\guntest.chm"
.
Completion time: 2008-03-14 8:33:32
ComboFix-quarantined-files.txt 2008-03-14 12:33:31
ComboFix2.txt 2008-03-14 02:46:58
ComboFix3.txt 2008-03-13 20:41:23
ComboFix4.txt 2008-03-13 20:23:17


---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:35 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Protector Plus\PPAVMon.exe
C:\Protector Plus\PPServ.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROTEC~1\PPTbc.EXE
C:\PROTEC~1\PPInupdt.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\WWF\Desktop\DIManager6.exe
C:\Program Files\StickIt\StickIt3.exe
C:\Program Files\Weather Watcher\ww.exe
C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Protector Plus\POPSCAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto
O4 - HKCU\..\Run: [StickIt] C:\Program Files\StickIt\StickIt3.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9599 bytes

#6 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:57 PM

Posted 14 March 2008 - 10:36 AM

Wayne,

You still have the TeaTimer enabled and it will prevent fixes from taking place.


Disable the TeaTimer, you can re enable it when were done if you wish
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer. <-- Important

Then remove this with HJT.
O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - (no file)




Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#7 skipower

skipower
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 14 March 2008 - 12:33 PM

Hi Ken,

Sorry about the Tea Timer, no restart when turned off and just moving too fast...dumb and a waste of your time.

Here's the latest after your directions............

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 14, 2008 1:13:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/03/2008
Kaspersky Anti-Virus database records: 568840
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 68861
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:46:37

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_552321506_10092544_40461 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{23EED123-B15A-4460-88EA-E1157E438A8A}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\windowsupdate.exe Infected: Trojan-Downloader.Win32.Small.svi skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\WWF\Application Data\Mozilla\Firefox\Profiles\mku8w7jk.default\cert8.db Object is locked skipped
C:\Documents and Settings\WWF\Application Data\Mozilla\Firefox\Profiles\mku8w7jk.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\WWF\Application Data\Mozilla\Firefox\Profiles\mku8w7jk.default\history.dat Object is locked skipped
C:\Documents and Settings\WWF\Application Data\Mozilla\Firefox\Profiles\mku8w7jk.default\key3.db Object is locked skipped
C:\Documents and Settings\WWF\Application Data\Mozilla\Firefox\Profiles\mku8w7jk.default\parent.lock Object is locked skipped
C:\Documents and Settings\WWF\Application Data\Mozilla\Firefox\Profiles\mku8w7jk.default\search.sqlite Object is locked skipped
C:\Documents and Settings\WWF\Application Data\Mozilla\Firefox\Profiles\mku8w7jk.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\WWF\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\Application Data\windowsupdate.exe Infected: Trojan-Downloader.Win32.Small.svi skipped
C:\Documents and Settings\WWF\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\History\History.IE5\MSHist012008031420080315\index.dat Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\temp\clclean.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\temp\Perflib_Perfdata_ca0.dat Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\temp\Perflib_Perfdata_e34.dat Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\temp\Perflib_Perfdata_e6c.dat Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\temp\~DF5C3D.tmp Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\temp\~DFA1A7.tmp Object is locked skipped
C:\Documents and Settings\WWF\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\WWF\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\WWF\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Trojan-Downloader.Win32.Small.svi skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{127A9711-35AA-419F-B6BD-5517D84D8BCA}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.




--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:48 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Protector Plus\PPAVMon.exe
C:\Protector Plus\PPServ.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROTEC~1\PPTbc.EXE
C:\PROTEC~1\PPInupdt.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\WWF\Desktop\DIManager6.exe
C:\Program Files\StickIt\StickIt3.exe
C:\Program Files\Weather Watcher\ww.exe
C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Protector Plus\POPSCAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto
O4 - HKCU\..\Run: [StickIt] C:\Program Files\StickIt\StickIt3.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9015 bytes

#8 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:57 PM

Posted 14 March 2008 - 01:08 PM

Hello Wayne,

Kaspersky found a few things, the one in Qoobox is just the backup from running Combofix, the other may be related to the SDBot Worm so lets run this program .

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#9 skipower

skipower
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 14 March 2008 - 02:30 PM

Ken,

Here's the next installment, as directed......

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


SDFix: Version 1.157

Run by WWF on Fri 03/14/2008 at 03:13 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
guntest

Path:
\??\C:\WINDOWS\Help\guntest.chm

guntest - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 15:17:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Media Center\MRU\PicturesMRU]
"MRU #0 Path"="DC:\Documents and Settings\WWF\My Documents\My Pictures\Cool Chick lake boat_files"
"SortString"="0"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"="C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe:*:Enabled:GoogleUpdaterService.exe"
"C:\\Program Files\\StickIt\\StickIt3.exe"="C:\\Program Files\\StickIt\\StickIt3.exe:*:Disabled:StickIt3"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 14 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 30 Dec 2006 8 A.SHR --- "C:\WINDOWS\system32\35B06C7836.sys"
Wed 30 Jan 2008 56 A.SHR --- "C:\WINDOWS\system32\36786CB035.sys"
Tue 10 Oct 2006 88 A.SHR --- "C:\WINDOWS\system32\DD697E2326.sys"
Wed 30 Jan 2008 4,444 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 26 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 25 Sep 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 12 Mar 2008 73,254 ..SH. --- "C:\Documents and Settings\LocalService\Local Settings\Application Data\windowsupdate.exe"
Wed 12 Mar 2008 41,880 ..SH. --- "C:\Documents and Settings\WWF\Local Settings\Application Data\windowsupdate.exe"
Tue 7 Feb 2006 299,008 A..H. --- "C:\Program Files\Canon\Memory Card Utility\iP6700D\Maint.exe"
Fri 10 Feb 2006 61,440 A..H. --- "C:\Program Files\Canon\Memory Card Utility\iP6700D\uinstrsc.dll"
Fri 14 Mar 2008 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp"
Tue 20 Jun 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 20 Jun 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Tue 20 Jun 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

Finished!

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:46 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Protector Plus\PPAVMon.exe
C:\Protector Plus\PPServ.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROTEC~1\PPTbc.EXE
C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001
C:\PROTEC~1\PPInupdt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\WWF\Desktop\DIManager6.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Protector Plus\POPSCAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9021 bytes

#10 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:57 PM

Posted 14 March 2008 - 03:20 PM

Wayne,

Your log looks fine but I am a little concerned about these entries that Kaspersky found, lets do this.

You need to enable windows to show all files and folders, instructions Here

I am sure these are bad but lets make sure before we remove them.

Go to VirusTotal and submit these files for analysis, just use the browse feature and then Snd File , you will get a report back, post the report into this thread for me to see.

C:\Documents and Settings\LocalService\Local Settings\Application Data\windowsupdate.exe
C:\Documents and Settings\WWF\Local Settings\Application Data\windowsupdate.exe

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#11 skipower

skipower
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 14 March 2008 - 03:58 PM

Ken,

Good call....and very interesting site!.....here's the results....I tried for a better reader-friendly format but didn't find an easy solution.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


C:\Documents and Settings\WWF\Local Settings\Application Data\windowsupdate.exe


File windowsupdate.exe received on 03.14.2008 21:31:08 (CET)

Result: 14/31 (45.17%)


You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.3.15.0 2008.03.14 -
AntiVir 7.6.0.73 2008.03.14 TR/Dldr.Small.svi.1
Authentium 4.93.8 2008.03.14 -
Avast 4.7.1098.0 2008.03.13 -
AVG 7.5.0.516 2008.03.14 Downloader.Generic7.RD
BitDefender 7.2 2008.03.14 Trojan.Agent.AHFY
CAT-QuickHeal 9.50 2008.03.14 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.14 -
DrWeb 4.44.0.09170 2008.03.14 Trojan.DownLoader.origin
eSafe 7.0.15.0 2008.03.09 suspicious Trojan/Worm
eTrust-Vet 31.3.5614 2008.03.14 -
Ewido 4.0 2008.03.14 -
F-Secure 6.70.13260.0 2008.03.14 Trojan-Downloader.Win32.Small.svi
FileAdvisor 1 2008.03.14 -
Fortinet 3.14.0.0 2008.03.14 -
Ikarus T3.1.1.20 2008.03.14 -
Kaspersky 7.0.0.125 2008.03.14 Trojan-Downloader.Win32.Small.svi
McAfee 5252 2008.03.14 -
Microsoft 1.3301 2008.03.14 Backdoor:Win32/Koceg.gen!A
NOD32v2 2948 2008.03.14 Win32/TrojanDownloader.Small.OAQ
Norman 5.80.02 2008.03.14 -
Panda 9.0.0.4 2008.03.14 Suspicious file
Prevx1 V2 2008.03.14 Heuristic: Suspicious Self Modifying File
Rising 20.35.42.00 2008.03.14 -
Sophos 4.27.0 2008.03.14 Sus/UnkPacker
Sunbelt 3.0.963.0 2008.03.14 -
Symantec 10 2008.03.14 -
TheHacker 6.2.92.245 2008.03.14 -
VBA32 3.12.6.2 2008.03.13 -
VirusBuster 4.3.26:9 2008.03.14 -
Webwasher-Gateway 6.6.2 2008.03.14 Trojan.Dldr.Small.svi.1
Additional information
File size: 41880 bytes
MD5: dd87b8d63e610f750805f0290e0f1ea0
SHA1: d45d298e7481c1676a75b81c858bf9548841b25b
PEiD: Armadillo v1.71
Prevx info: http://info.prevx.com/aboutprogramtext.asp...19DED00E864AD83

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

C:\Documents and Settings\LocalService\Local Settings\Application Data


File windowsupdate.exe received on 03.14.2008 21:48:21 (CET)

Result: 15/32 (46.88%)


Antivirus Version Last Update Result
AhnLab-V3 2008.3.15.0 2008.03.14 -
AntiVir 7.6.0.73 2008.03.14 TR/Drop.Agent.snv
Authentium 4.93.8 2008.03.14 -
Avast 4.7.1098.0 2008.03.13 -
AVG 7.5.0.516 2008.03.14 Downloader.Generic7.RD
BitDefender 7.2 2008.03.14 Trojan.Agent.AHFY
CAT-QuickHeal 9.50 2008.03.14 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.14 -
DrWeb 4.44.0.09170 2008.03.14 Trojan.DownLoader.origin
eSafe 7.0.15.0 2008.03.09 suspicious Trojan/Worm
eTrust-Vet 31.3.5614 2008.03.14 -
Ewido 4.0 2008.03.14 -
F-Prot 4.4.2.54 2008.03.14 -
F-Secure 6.70.13260.0 2008.03.14 Trojan-Downloader.Win32.Small.svi
FileAdvisor 1 2008.03.14 -
Fortinet 3.14.0.0 2008.03.14 -
Ikarus T3.1.1.20 2008.03.14 Trojan-Downloader.Small.AAKR
Kaspersky 7.0.0.125 2008.03.14 Trojan-Downloader.Win32.Small.svi
McAfee 5252 2008.03.14 -
Microsoft 1.3301 2008.03.14 Backdoor:Win32/Koceg.gen!A
NOD32v2 2948 2008.03.14 Win32/TrojanDownloader.Small.OAQ
Norman 5.80.02 2008.03.14 -
Panda 9.0.0.4 2008.03.14 Suspicious file
Prevx1 V2 2008.03.14 Heuristic: Suspicious Self Modifying File
Rising 20.35.42.00 2008.03.14 -
Sophos 4.27.0 2008.03.14 Sus/UnkPacker
Sunbelt 3.0.963.0 2008.03.14 -
Symantec 10 2008.03.14 -
TheHacker 6.2.92.245 2008.03.14 -
VBA32 3.12.6.2 2008.03.13 -
VirusBuster 4.3.26:9 2008.03.14 -
Webwasher-Gateway 6.6.2 2008.03.14 Trojan.Drop.Agent.snu

#12 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:57 PM

Posted 14 March 2008 - 04:18 PM

Lets do this.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\LocalService\Local Settings\Application Data\windowsupdate.exe
    C:\Documents and Settings\WWF\Local Settings\Application Data\windowsupdate.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.










Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
**Note** Go to Options> Cookies and any you want to keep move them to The Keep window






  • Your Java is out of date and leaving your system vulnerable.
  • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
  • It should have an icon next to it:
    Posted Image
    Select it and click Remove.
  • Reboot your system.
  • Then go to the Sun Microsystems and install the update
  • Java Runtime Environment (JRE) 6 Update 5 <--This is what you need to download and install.
  • If you chose the online installation, it will prompt you to run the program.
  • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
  • Then after install you can verify your installation here Sun Java Verify
I like to to do the offline installation and save the setup file in case I may need it in the future



Post the OTMoveIt log and hopefully one last HJT log and lets make sure nothing has come back, also let me know how your system is running now??

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#13 skipower

skipower
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 14 March 2008 - 05:07 PM

Ken,

Here are the latest logs....

The computer got back to it's agility this morning after your big cleanup and defrag last night. I have been monitoring with "What'sRunning" and haven't seen much activity that looks suspicious. You've sure shown me some very usable sites!

Question about using OTmoveIT....are you using this program to move files instead of deleting them in case they are necessary files?

Thank you very much.

Wayne
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

C:\Documents and Settings\LocalService\Local Settings\Application Data\windowsupdate.exe moved successfully.
C:\Documents and Settings\WWF\Local Settings\Application Data\windowsupdate.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03142008_172719

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:31 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Protector Plus\PPAVMon.exe
C:\Protector Plus\PPServ.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROTEC~1\PPTbc.EXE
C:\PROTEC~1\PPInupdt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\WWF\Desktop\DIManager6.exe
C:\Program Files\Weather Watcher\ww.exe
C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Protector Plus\POPSCAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\StickIt\StickIt3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9199 bytes

#14 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:57 PM

Posted 14 March 2008 - 05:14 PM

Wayne,

Your log looks fine :thumbsup: Glad things are running better for you. What OTMoveIt does is moves those files to a backup folder in case there is an issue they can be restored but those files where virus related.



Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Posted Image
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Malware Complaints
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.


Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.5
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0.0.12 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Glad we could help

Safe Surfn
Ken

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#15 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:57 PM

Posted 28 March 2008 - 05:49 PM

Since this issue appears to be resolved this thread will now be closed. Thank you for using Bleeping Computer.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users