My Computer Has Been Highjacked!


This topic is locked
36 replies to this topic

#1 rvbeaumont

Posted 22 March 2008 - 01:59 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:05 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\lcss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.manhunt.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [0c9120a5] rundll32.exe "C:\WINDOWS\system32\puqlykjk.dll",b
O4 - HKLM\..\Run: [BM0fa21339] Rundll32.exe "C:\WINDOWS\system32\fvulnmxg.dll",s
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissionresearch.com/Config/C..._hooking_xp.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: l65r3r5c0 - Unknown owner - C:\WINDOWS\system32\lcss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 13105 bytes


#2 rvbeaumont (Topic Starter)

Posted 22 March 2008 - 03:26 PM

ComboFix 08-03-22.1 - HP_Owner 2008-03-22 16:10:47.21 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.394 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
C:\WINDOWS\system32\ahjllxju.exe
C:\WINDOWS\system32\amlmghtc.exe
C:\WINDOWS\system32\astbfaoq.exe
C:\WINDOWS\system32\bivsylaf.dll
C:\WINDOWS\system32\datqxpxm.exe
C:\WINDOWS\system32\dcmwijdi.ini
C:\WINDOWS\system32\ddxfxlrq.dll
C:\WINDOWS\system32\dvodghbp.dll
C:\WINDOWS\system32\ennqbiwg.exe
C:\WINDOWS\system32\fhuuiwdv.dll
C:\WINDOWS\system32\fvlxugyf.exe
C:\WINDOWS\system32\gawvyhes.dll
C:\WINDOWS\system32\gdroshxt.ini
C:\WINDOWS\system32\gebxutu.dll
C:\WINDOWS\system32\gghwmbjx.dll
C:\WINDOWS\system32\gjkqifcb.exe
C:\WINDOWS\system32\gnbomdsc.exe
C:\WINDOWS\system32\gocqxgou.dll
C:\WINDOWS\system32\haecltty.dll
C:\WINDOWS\system32\hdisunts.dll
C:\WINDOWS\system32\hggwfuxq.dll
C:\WINDOWS\system32\hgnccvss.exe
C:\WINDOWS\system32\hgprgigm.ini
C:\WINDOWS\system32\hoebwqke.exe
C:\WINDOWS\system32\iipiulaw.exe
C:\WINDOWS\system32\iiqjpsfo.dll
C:\WINDOWS\system32\ikersexg.exe
C:\WINDOWS\system32\jqgrnofu.ini
C:\WINDOWS\system32\jusuqald.exe
C:\WINDOWS\system32\jwycvwpy.dll
C:\WINDOWS\system32\jyahqbll.ini
C:\WINDOWS\system32\kysndupv.ini
C:\WINDOWS\system32\lekemoub.ini
C:\WINDOWS\system32\lofpawas.dll
C:\WINDOWS\system32\lqhqyjwt.dll
C:\WINDOWS\system32\lqhtxddv.ini
C:\WINDOWS\system32\lyrgompo.dll
C:\WINDOWS\system32\mcxotbcu.exe
C:\WINDOWS\system32\mgigrpgh.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\myvborev.dll
C:\WINDOWS\system32\ndkttktx.exe
C:\WINDOWS\system32\nihodhut.ini
C:\WINDOWS\system32\niyldnmh.exe
C:\WINDOWS\system32\nnnkkjh.dll
C:\WINDOWS\system32\nnnnkkk.dll
C:\WINDOWS\system32\ofspjqii.ini
C:\WINDOWS\system32\okgnmwqk.dll
C:\WINDOWS\system32\pesuexct.dll
C:\WINDOWS\system32\pkjrdxeq.exe
C:\WINDOWS\system32\pnevawfw.ini
C:\WINDOWS\system32\prowfvt.dll
C:\WINDOWS\system32\pzvyotou.dll
C:\WINDOWS\system32\pzvyotou.dllbox
C:\WINDOWS\system32\qccvxgpq.exe
C:\WINDOWS\system32\qmckutyp.dll
C:\WINDOWS\system32\raopqtos.ini
C:\WINDOWS\system32\redpfdtq.dll
C:\WINDOWS\system32\rnghanvc.dll
C:\WINDOWS\system32\rpddfylh.ini
C:\WINDOWS\system32\rppbtokh.dll
C:\WINDOWS\system32\rssruhne.dll
C:\WINDOWS\system32\sehyvwag.ini
C:\WINDOWS\system32\squneltu.dll
C:\WINDOWS\system32\stnusidh.ini
C:\WINDOWS\system32\tktcfhak.dll
C:\WINDOWS\system32\tuhdohin.dll
C:\WINDOWS\system32\twjyqhql.ini
C:\WINDOWS\system32\txhsordg.dll
C:\WINDOWS\system32\ucvacjes.dll
C:\WINDOWS\system32\uogxqcog.ini
C:\WINDOWS\system32\vpudnsyk.dll
C:\WINDOWS\system32\xjbmwhgg.ini
C:\WINDOWS\system32\xkiuhcwh.dll
C:\WINDOWS\system32\xlhqqrlv.dll
C:\WINDOWS\system32\xodqlyvu.dll
C:\WINDOWS\system32\ynsnofiw.dll
C:\WINDOWS\system32\yskbmyoy.exe
C:\WINDOWS\system32\ytwrvmwl.exe
C:\WINDOWS\system32\ytxcdfwy.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
C:\WINDOWS\BM0fa21339.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bvofckyk.ini
C:\WINDOWS\system32\dindkeki.dll
C:\WINDOWS\system32\f9t.dat
C:\WINDOWS\system32\fvulnmxg.dll
C:\WINDOWS\system32\gebyx.dll
C:\WINDOWS\system32\kykcfovb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmnnlji.dll
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\xybeg.ini
C:\WINDOWS\system32\xybeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-22 16:01 . 2008-03-22 16:20 16,373 --a------ C:\WINDOWS\system32\drivers\hosts
2008-03-22 15:35 . 2008-03-22 15:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-22 13:21 . 2008-03-22 13:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-22 13:21 . 2008-03-22 13:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 02:28 . 2008-03-22 02:46 <DIR> d----c--- C:\Documents and Settings\HP_Owner\.housecall6.6
2008-03-22 02:09 . 2008-03-22 13:15 1,543,399 --ahs---- C:\WINDOWS\system32\kjkylqup.ini
2008-03-22 01:57 . 2008-03-22 16:20 6,656 --a--c--- C:\hlpr.exe
2008-03-22 01:51 . 2008-03-22 02:04 1,543,219 --ahs---- C:\WINDOWS\system32\fgihqcpb.ini
2008-03-22 01:34 . 2008-03-22 01:34 <DIR> d-------- C:\WINDOWS\system32\aqVreo18
2008-03-22 01:34 . 2008-03-22 01:34 <DIR> d-------- C:\temp\gbRve12
2008-03-22 01:34 . 2008-03-22 01:34 30,720 -rahs---- C:\WINDOWS\system32\lcss.exe
2008-03-21 18:01 . 2008-03-22 01:34 5,632 --a--c--- C:\dllhost.exe
2008-03-21 16:32 . 2008-03-21 16:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-21 16:32 . 2008-03-21 16:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-20 02:11 . 2008-03-20 02:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PlayPond
2008-03-15 08:58 . 2008-03-15 08:58 32,768 --a------ C:\WINDOWS\system32\aqVreo18\aqVreo182328.exe
2008-03-13 18:50 . 2008-03-13 18:50 <DIR> d-------- C:\Program Files\Sierra
2008-03-12 18:47 . 2008-03-12 18:47 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-29 15:22 . 2008-02-29 15:22 <DIR> d-------- C:\Program Files\Netflix
2008-02-29 01:52 . 2008-02-29 01:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 17:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 17:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 06:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-19 21:16 --------- d-----w C:\Program Files\XoftSpySE
2008-03-18 20:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-18 06:36 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2008-03-14 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 05:23 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-13 23:21 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2008-03-09 23:25 53,192 ----a-w C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-02-29 02:42 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 01:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2008-02-27 08:51 --------- d-----w C:\Program Files\Google
2008-02-27 08:44 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\StumbleUpon
2008-02-19 22:35 --------- d-----w C:\Program Files\Coupons
2008-02-18 23:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-08 03:12 --------- d-----w C:\Program Files\LimeWire
2008-02-06 23:27 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Printer Info Cache
2008-02-06 23:27 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Image Zone Express
2008-02-02 18:04 --------- d-----w C:\Program Files\StumbleUpon
2008-01-25 22:12 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-25 22:11 --------- d-----w C:\Program Files\Common Files\Real
2008-01-23 06:49 --------- d-----w C:\Program Files\YouTube Downloader
2007-10-19 02:10 132,675 ----a-w C:\Program Files\INSTALL.LOG
2006-11-12 18:42 0 ----a-w C:\Program Files\Common Files\err.log
2006-09-19 18:10 1 -c--a-w C:\Documents and Settings\HP_Owner\SI.bin
2006-05-10 18:26 299 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\internaldb1942.dat
2006-01-26 20:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE2A0BC-B8DA-4E22-B28D-EBFF3558CBA4}]
C:\WINDOWS\system32\vtuts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 12:02 208946]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 23:05 160592]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-03 00:06 98304]
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-17 04:13 118862]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 17:57 1103480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 02:54 49152 C:\WINDOWS\system32\SiSPower.dll]
"CTHelper"="CTHELPER.EXE" [2003-11-14 04:18 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 11:00 45056]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 16:09 310000]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 14:04 99480]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 01:34 245760]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 14:55 226224]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42 659456]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"MegaPanel"="C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-05-11 15:30 2064384]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-25 18:08 185896]
"XoftSpySE"="C:\Program Files\XoftSpySE\xoftspy.exe" [2007-10-24 14:59 728576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 05:13 49152 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-15 23:44:01 157008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlji]
pmnnlji.dll
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 12:07 496752 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 17:57 1103480 C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-11-16 14:55 226224 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-11-16 14:55 86960 c:\progra~1\common~1\instal~1\update~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=

R2 l65r3r5c0;l65r3r5c0;"C:\WINDOWS\system32\lcss.exe" [2008-03-22 01:34]
S3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2006-11-08 10:59]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 00:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 20:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-03-22 12:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2008-03-22 17:55:28 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-03-22 20:22:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-03-22 20:20:24 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-22 20:21:21 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 16:20:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\hosts 16560 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-03-22 16:24:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-22 20:24:55
ComboFix2.txt 2008-01-06 18:45:43
ComboFix3.txt 2007-12-03 06:30:19
ComboFix4.txt 2007-12-03 01:46:37
ComboFix5.txt 2007-11-30 23:02:29
.
2008-03-12 22:47:48 --- E O F ---

#3 rvbeaumont (Topic Starter)

Posted 22 March 2008 - 04:01 PM

SDFix: Version 1.159

Run by HP_Owner on Sat 03/22/2008 at 04:39 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\HP_Owner\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\hosts - Deleted
C:\WINDOWS\system32\drivers\hosts - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 16:47:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 10


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\DOCUME~1\HP_Owner\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 19 Oct 2007 213 A.SHR --- "C:\BOOT.BAK"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0b\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0b\rbm.exe"
Tue 24 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0c\aoltray.exe"
Mon 30 Aug 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0i\aolphx.exe"
Mon 30 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0i\aoltray.exe"
Mon 30 Aug 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0i\RBM.exe"
Tue 24 Aug 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Tue 24 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Tue 24 Aug 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 15 Nov 2005 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sat 22 Mar 2008 30,720 A.SHR --- "C:\WINDOWS\system32\lcss.exe"
Sun 21 Oct 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 May 2007 170,299 A.SH. --- "C:\Program Files\Common Files\Motive\MCCDNSHLP_1-0-0_DSR.dll"
Mon 18 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 18 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f686eb18ed8be61735e890e67439840\BIT3F.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT28.tmp"
Fri 19 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT45.tmp"
Tue 8 Jan 2008 8,776 ...HR --- "C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 28 Sep 2007 85,309 A..H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"

Finished!

#4 rvbeaumont

Posted 25 March 2008 - 10:57 AM

ComboFix 08-03-22.1 - HP_Owner 2008-03-25 8:31:20.22 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.114 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 04:24 . 2008-03-25 08:04 39,463 --a--c--- C:\gbo.exe
2008-03-25 01:34 . 2008-03-25 01:34 39,463 --------- C:\WINDOWS\system32\svshost.exe
2008-03-23 19:26 . 2008-03-24 18:19 320 --a--c--- C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2008-03-23 12:10 . 2008-03-23 12:10 6,695 --a------ C:\WINDOWS\system\delnew.exe
2008-03-23 12:10 . 2008-03-23 12:10 6,608 --a--c--- C:\delextra.exe
2008-03-23 12:10 . 2008-03-23 12:10 5,632 --a------ C:\WINDOWS\system\run.exe
2008-03-23 12:10 . 2008-03-25 08:09 0 --a------ C:\WINDOWS\system\nadlocop.exe
2008-03-23 12:10 . 2008-03-25 08:23 0 --a------ C:\WINDOWS\system\helper.exe
2008-03-23 12:09 . 2008-03-25 08:22 5,632 --a--c--- C:\mstn.exe
2008-03-22 15:35 . 2008-03-22 15:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-22 13:21 . 2008-03-22 13:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 02:28 . 2008-03-22 02:46 <DIR> d----c--- C:\Documents and Settings\HP_Owner\.housecall6.6
2008-03-22 02:09 . 2008-03-22 13:15 1,543,399 --ahs---- C:\WINDOWS\system32\kjkylqup.ini
2008-03-22 01:57 . 2008-03-23 01:48 6,656 --a--c--- C:\hlpr.exe
2008-03-22 01:51 . 2008-03-22 02:04 1,543,219 --ahs---- C:\WINDOWS\system32\fgihqcpb.ini
2008-03-22 01:34 . 2008-03-22 01:34 <DIR> d-------- C:\WINDOWS\system32\aqVreo18
2008-03-22 01:34 . 2008-03-22 01:34 <DIR> d-------- C:\temp\gbRve12
2008-03-22 01:34 . 2008-03-22 01:34 30,720 -rahs---- C:\WINDOWS\system32\lcss.exe
2008-03-21 18:01 . 2008-03-22 01:34 5,632 --a--c--- C:\dllhost.exe
2008-03-20 02:11 . 2008-03-20 02:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PlayPond
2008-03-15 08:58 . 2008-03-15 08:58 32,768 --a------ C:\WINDOWS\system32\aqVreo18\aqVreo182328.exe
2008-03-13 18:50 . 2008-03-13 18:50 <DIR> d-------- C:\Program Files\Sierra
2008-03-12 18:47 . 2008-03-12 18:47 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-29 15:22 . 2008-02-29 15:22 <DIR> d-------- C:\Program Files\Netflix
2008-02-29 01:52 . 2008-02-29 01:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 11:00 --------- d-----w C:\Program Files\LimeWire
2008-03-23 07:32 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-22 21:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 17:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 06:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-19 21:16 --------- d-----w C:\Program Files\XoftSpySE
2008-03-18 20:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-18 06:36 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2008-03-14 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 05:23 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-13 23:21 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2008-03-09 23:25 53,192 ----a-w C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-02-29 02:42 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 01:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2008-02-27 08:51 --------- d-----w C:\Program Files\Google
2008-02-27 08:44 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\StumbleUpon
2008-02-19 22:35 --------- d-----w C:\Program Files\Coupons
2008-02-18 23:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-06 23:27 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Printer Info Cache
2008-02-06 23:27 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Image Zone Express
2008-02-02 18:04 --------- d-----w C:\Program Files\StumbleUpon
2008-01-26 06:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-25 22:12 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-25 22:11 --------- d-----w C:\Program Files\Common Files\Real
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-19 02:10 132,675 ----a-w C:\Program Files\INSTALL.LOG
2006-11-12 18:42 0 ----a-w C:\Program Files\Common Files\err.log
2006-09-19 18:10 1 -c--a-w C:\Documents and Settings\HP_Owner\SI.bin
2006-05-10 18:26 299 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\internaldb1942.dat
2006-01-26 20:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3306BE3C-9B61-485B-B71B-C8CDB57AB510}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34B93FE6-C4F0-47D3-8109-BDC311DB1918}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7434d8ce-7f10-4a99-bd5c-a17afbdeb399}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE2A0BC-B8DA-4E22-B28D-EBFF3558CBA4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C81CA391-6BF3-46A8-AA49-5DC6EBB90849}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 12:02 208946]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 23:05 160592]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-03 00:06 98304]
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-17 04:13 118862]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 17:57 1103480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 02:54 49152 C:\WINDOWS\system32\SiSPower.dll]
"CTHelper"="CTHELPER.EXE" [2003-11-14 04:18 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 11:00 45056]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 16:09 310000]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 14:04 99480]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 01:34 245760]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 14:55 226224]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42 659456]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"MegaPanel"="C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-05-11 15:30 2064384]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-25 18:08 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 05:13 49152 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-15 23:44:01 157008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlji]
pmnnlji.dll
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 12:07 496752 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 17:57 1103480 C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-11-16 14:55 226224 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-11-16 14:55 86960 c:\progra~1\common~1\instal~1\update~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=

R2 aa0n58e3y7t3;aa0n58e3y7t3;"C:\WINDOWS\system32\svshost.exe" [2008-03-25 01:34]
R2 g35b7z8f6;g35b7z8f6;"C:\WINDOWS\system32\svshost.exe" [2008-03-25 01:34]
R2 l65r3r5c0;l65r3r5c0;"C:\WINDOWS\system32\lcss.exe" [2008-03-22 01:34]
S3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2006-11-08 10:59]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 00:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 20:48:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-03-23 12:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2008-03-22 17:55:28 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-03-25 12:37:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-03-25 12:29:18 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-25 12:30:06 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 08:38:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-03-25 8:40:40
ComboFix-quarantined-files.txt 2008-03-25 12:40:22
ComboFix2.txt 2008-03-22 20:25:00
ComboFix3.txt 2008-01-06 18:45:43
ComboFix4.txt 2007-12-03 06:30:19
ComboFix5.txt 2007-12-03 01:46:37
.
2008-03-12 22:47:48 --- E O F ---

#5 rvbeaumont

Posted 27 March 2008 - 12:37 PM

Infected with Troj/Digarix-B, need help big time!!

#6 rvbeaumont

Posted 27 March 2008 - 02:29 PM

SDFix: Version 1.159

Run by HP_Owner on Thu 03/27/2008 at 02:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\HP_Owner\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\TEMP\eraseme_02636.exe - Deleted
C:\WINDOWS\TEMP\eraseme_14384.exe - Deleted
C:\WINDOWS\TEMP\eraseme_38348.exe - Deleted
C:\WINDOWS\TEMP\eraseme_61536.exe - Deleted
C:\WINDOWS\TEMP\eraseme_67478.exe - Deleted
C:\WINDOWS\system\delnew.exe - Deleted
C:\WINDOWS\system\helper.exe - Deleted
C:\WINDOWS\system\nadlocop.exe - Deleted
C:\WINDOWS\system\run.exe - Deleted
C:\WINDOWS\system32\svshost.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 15:14:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 10


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\DOCUME~1\HP_Owner\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 19 Oct 2007 213 A.SHR --- "C:\BOOT.BAK"
Thu 27 Mar 2008 48,640 ..SHR --- "C:\WINDOWS\taskngr.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0b\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0b\rbm.exe"
Tue 24 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0c\aoltray.exe"
Mon 30 Aug 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0i\aolphx.exe"
Mon 30 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0i\aoltray.exe"
Mon 30 Aug 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0i\RBM.exe"
Tue 24 Aug 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Tue 24 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Tue 24 Aug 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 15 Nov 2005 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sat 22 Mar 2008 30,720 A.SHR --- "C:\WINDOWS\system32\lcss.exe"
Sun 21 Oct 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 May 2007 170,299 A.SH. --- "C:\Program Files\Common Files\Motive\MCCDNSHLP_1-0-0_DSR.dll"
Mon 18 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 18 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f686eb18ed8be61735e890e67439840\BIT3F.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT28.tmp"
Fri 19 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT45.tmp"
Tue 8 Jan 2008 8,776 ...HR --- "C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 28 Sep 2007 85,309 A..H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"

Finished!

#7 rvbeaumont

Posted 03 April 2008 - 01:15 PM

Still hijacked, help.

#8 rvbeaumont

Posted 03 April 2008 - 10:40 PM

SDFix: Version 1.159

Run by HP_Owner on Thu 04/03/2008 at 11:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\HP_Owner\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DELEXTRA.EXE - Deleted
C:\WINDOWS\system\delnew.exe - Deleted
C:\WINDOWS\system\helper.exe - Deleted
C:\WINDOWS\system\nadlocop.exe - Deleted
C:\WINDOWS\system\run.exe - Deleted
C:\WINDOWS\system32\svshost.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 23:19:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 10


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\DOCUME~1\HP_Owner\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 19 Oct 2007 213 A.SHR --- "C:\BOOT.BAK"
Thu 27 Mar 2008 48,640 ..SHR --- "C:\WINDOWS\taskngr.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0b\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0b\rbm.exe"
Tue 24 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0c\aoltray.exe"
Mon 30 Aug 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0i\aolphx.exe"
Mon 30 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0i\aoltray.exe"
Mon 30 Aug 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0i\RBM.exe"
Tue 24 Aug 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Tue 24 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Tue 24 Aug 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 15 Nov 2005 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sat 22 Mar 2008 30,720 A.SHR --- "C:\WINDOWS\system32\lcss.exe"
Sun 21 Oct 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 May 2007 170,299 A.SH. --- "C:\Program Files\Common Files\Motive\MCCDNSHLP_1-0-0_DSR.dll"
Mon 18 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 18 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f686eb18ed8be61735e890e67439840\BIT3F.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT28.tmp"
Fri 19 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT45.tmp"
Tue 8 Jan 2008 8,776 ...HR --- "C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 28 Sep 2007 85,309 A..H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"

Finished!

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 April 2008 - 06:03 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.
I apologize for the delay getting to your log; the helpers here are very busy.

If you still need help, please post a fresh HijackThis log in this thread so I can help you with your malware problems.
If you have resolved this issue, please let us know.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person who is giving up their own time to help you is not only insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#10 rvbeaumont

Posted 08 April 2008 - 02:50 PM

Thanks Sam, it is still acting up. Here's the latest HijackThis log; I had to do a restore to use the program, because I was getting no response from AOL, Firefox, and Explorer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:37 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\lcss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.manhunt.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3306BE3C-9B61-485B-B71B-C8CDB57AB510} - (no file)
O2 - BHO: (no name) - {34B93FE6-C4F0-47D3-8109-BDC311DB1918} - (no file)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7434d8ce-7f10-4a99-bd5c-a17afbdeb399} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {ABE2A0BC-B8DA-4E22-B28D-EBFF3558CBA4} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: (no name) - {C81CA391-6BF3-46A8-AA49-5DC6EBB90849} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O20 - Winlogon Notify: pmnnlji - pmnnlji.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: l65r3r5c0 - Unknown owner - C:\WINDOWS\system32\lcss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 13869 bytes

#11 rvbeaumont (Topic Starter, Members, 41 posts, Location: key west)

Posted 08 April 2008 - 10:13 PM

newest hijack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:36 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\taskngr.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\lcss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\usnscv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\America Online 9.0i\waol.exe
C:\Program Files\America Online 9.0i\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.manhunt.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3306BE3C-9B61-485B-B71B-C8CDB57AB510} - (no file)
O2 - BHO: (no name) - {34B93FE6-C4F0-47D3-8109-BDC311DB1918} - (no file)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7434d8ce-7f10-4a99-bd5c-a17afbdeb399} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {ABE2A0BC-B8DA-4E22-B28D-EBFF3558CBA4} - (no file)
O2 - BHO: (no name) - {C81CA391-6BF3-46A8-AA49-5DC6EBB90849} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0EBA04-3B3A-48DD-B382-C96E75AB5632}: NameServer = 205.188.146.145
O20 - Winlogon Notify: pmnnlji - pmnnlji.dll (file missing)
O23 - Service: aa0n58e3y7t3 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ASP.NET SSL Service - Unknown owner - C:\WINDOWS\taskngr.exe
O23 - Service: ckyqynqzzmscfpjt3l07jt - Unknown owner - C:\WINDOWS\system32\usnscv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: is6y22l7i4j2 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: l65r3r5c0 - Unknown owner - C:\WINDOWS\system32\lcss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 14413 bytes
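The following is an added example, not code from this thread or from Trend Micro: a small Python script that applies the checks a HijackThis reviewer makes by hand to a log like the one above. It runs over lines copied from the post #11 log (plus a couple of benign lines for contrast) and flags O23 services with no vendor string, random-looking names, missing binaries or filenames one or two characters off a genuine Windows binary (svshost.exe vs svchost.exe, taskngr.exe vs taskmgr.exe, lcss.exe vs lsass.exe), O2/O3/O9/O20 registrations whose file is gone, an O17 NameServer override, and start/search pages outside a small allowlist. The allowlist of trusted home-page hosts, the list of imitated Windows binaries and the edit-distance threshold are assumptions made for this example, and the O17 finding is flagged for verification rather than asserted malicious: the address has to be compared against the ISP's resolvers before anything is removed.

```python
"""Heuristic triage of HijackThis (v2) log lines.

Added example: not code from this thread or from Trend Micro. It encodes the
checks a log reviewer applies by hand to R0/R1, O2/O3/O9/O20, O17 and O23 lines.
TRUSTED_HOME_HOSTS, SYSTEM_BINARIES and the edit-distance threshold are
assumptions chosen for this example.
"""
import re

# Sample input: lines copied from the HijackThis log posted above (post #11),
# plus benign lines (go.microsoft.com, Java ssv.dll, Nero) that should not fire.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {ABE2A0BC-B8DA-4E22-B28D-EBFF3558CBA4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0EBA04-3B3A-48DD-B382-C96E75AB5632}: NameServer = 205.188.146.145
O20 - Winlogon Notify: pmnnlji - pmnnlji.dll (file missing)
O23 - Service: aa0n58e3y7t3 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: ASP.NET SSL Service - Unknown owner - C:\WINDOWS\taskngr.exe
O23 - Service: ckyqynqzzmscfpjt3l07jt - Unknown owner - C:\WINDOWS\system32\usnscv.exe
O23 - Service: l65r3r5c0 - Unknown owner - C:\WINDOWS\system32\lcss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
"""

# Assumption: hosts a reviewer accepts as a default home/search page on an HP XP box.
TRUSTED_HOME_HOSTS = {"go.microsoft.com", "ie.redirect.hp.com", "www.msn.com"}

# Assumption: genuine Windows XP binaries whose names malware commonly imitates.
SYSTEM_BINARIES = ["svchost.exe", "lsass.exe", "taskmgr.exe", "csrss.exe",
                   "services.exe", "winlogon.exe", "spoolsv.exe", "wuauclt.exe"]

# Lower-case letters and digits mixed, no spaces: the shape of machine-generated names.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary this filename imitates (distance <= 2), else None."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    best = min(SYSTEM_BINARIES, key=lambda legit: edit_distance(name, legit))
    return best if edit_distance(name, best) <= 2 else None


def parse_line(line):
    """Split 'O23 - rest' into (section, rest); None for lines that are not entries."""
    m = re.match(r"^([ORF]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return a list of {severity, line, reason} findings for a HijackThis log."""
    findings = []

    def flag(severity, line, reason):
        findings.append({"severity": severity, "line": line, "reason": reason})

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, rest = parsed
        line = raw.strip()

        # R0/R1: home or search page pointing somewhere outside the allowlist.
        if section in ("R0", "R1") and "=" in rest:
            url = rest.split("=", 1)[1].strip()
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if host and host not in TRUSTED_HOME_HOSTS:
                flag("medium", line, f"browser start/search page set to {host}")

        # O2/O3/O9/O20: registrations whose DLL no longer exists. A Winlogon
        # Notify hook with a missing DLL is the classic leftover of a half-removed infection.
        if section in ("O2", "O3", "O9", "O20") and ("(no file)" in rest or "(file missing)" in rest):
            flag("high" if section == "O20" else "low", line,
                 f"{section} entry registered but its file is missing")

        # O17: hard-coded DNS server. Verify against the ISP; do not assume it is hostile.
        if section == "O17" and "NameServer" in rest:
            flag("medium", line, "DNS NameServer override present; confirm it belongs to the ISP")

        # O23: services with no vendor, random names, missing binaries, or lookalike filenames.
        if section == "O23":
            m = re.match(r"Service: (.*?) - (.*?) - (.*)$", rest)
            if m:
                svc_name, owner, path = m.groups()
                exe = path.split("\\")[-1].split(" ")[0]
                reasons = []
                if owner == "Unknown owner":
                    reasons.append("no vendor string")
                if RANDOM_NAME.match(svc_name):
                    reasons.append("random-looking service name")
                legit = lookalike_of(exe)
                if legit:
                    reasons.append(f"binary name imitates {legit}")
                if "(file missing)" in path:
                    reasons.append("service binary missing")
                # One weak signal (unsigned vendor) is only a note; two, or a lookalike, is high.
                if legit or len(reasons) >= 2:
                    flag("high", line, "; ".join(reasons))
                elif reasons:
                    flag("low", line, "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Calling triage(SAMPLE_LOG) returns eight findings: the four unknown-owner O23 services and the O20 hook come back as high, the start page and the NameServer line as medium, the orphaned BHO as low, while the Nero service, the Java BHO and the go.microsoft.com default page produce nothing. The random-name and lookalike tests are deliberately combined with the vendor check so that a legitimate but unsigned service is only a low note rather than a removal candidate.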

#12 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Gender: Male, Location: Pickerington, Ohio)

Posted 09 April 2008 - 06:59 AM

Please delete the current version of Combofix that you have on your computer now.



Please download the latest version of ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 rvbeaumont (Topic Starter, Members, 41 posts, Location: key west)

Posted 09 April 2008 - 02:18 PM

have to keep restoring to keep the web
ComboFix 08-04-09.1 - HP_Owner 2008-04-09 15:03:44.22 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.444 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\AFGWG1GR\ComboFix[1].exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\gbRve12
C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\system32\aqVreo18\aqVreo182328.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 14:56 . 2008-04-09 14:56 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-04-09 14:56 . 2008-04-09 14:56 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 14:55 . 2008-04-09 14:55 <DIR> d-------- C:\Program Files\StumbleUpon
2008-04-09 14:54 . 2008-04-09 14:54 <DIR> d-------- C:\Program Files\Sierra
2008-04-09 14:54 . 2008-04-09 14:54 <DIR> d-------- C:\Program Files\iTunes
2008-04-09 14:54 . 2008-04-09 14:54 <DIR> d-------- C:\Program Files\GRETECH
2008-04-09 14:54 . 2008-04-09 14:54 <DIR> d-------- C:\Program Files\AquariaDemo
2008-04-09 14:52 . 2008-04-09 14:52 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2008-04-09 14:52 . 2008-04-09 14:52 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-04-09 01:24 . 2008-04-09 14:46 <DIR> d-------- C:\Program Files\Cinemaware Marquee
2008-04-08 15:32 . 2008-04-08 15:32 <DIR> d-------- C:\Program Files\ACNielsen
2008-04-07 15:39 . 2008-04-07 15:39 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-03 21:24 . 2008-04-08 23:00 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-03 21:19 . 2008-04-03 21:19 <DIR> d-------- C:\Program Files\The Adventure Company
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-23 19:26 . 2008-04-06 19:32 1,236 --a--c--- C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2008-03-22 15:35 . 2008-03-22 15:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-22 13:21 . 2008-03-22 13:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 02:28 . 2008-03-22 02:46 <DIR> d----c--- C:\Documents and Settings\HP_Owner\.housecall6.6
2008-03-22 02:09 . 2008-03-22 13:15 1,543,399 --ahs---- C:\WINDOWS\system32\kjkylqup.ini
2008-03-22 01:57 . 2008-03-22 16:46 6,656 --a--c--- C:\hlpr.exe
2008-03-22 01:51 . 2008-03-22 02:04 1,543,219 --ahs---- C:\WINDOWS\system32\fgihqcpb.ini
2008-03-22 01:34 . 2008-03-22 01:34 30,720 -rahs---- C:\WINDOWS\system32\lcss.exe
2008-03-21 18:01 . 2008-03-22 01:34 5,632 --a--c--- C:\dllhost.exe
2008-03-20 02:11 . 2008-03-20 02:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PlayPond
2008-03-12 18:47 . 2008-03-12 18:47 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 18:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 18:50 --------- d-----w C:\Program Files\QuickTime
2008-04-09 18:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 04:58 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2008-04-09 02:57 --------- d-----w C:\Program Files\ArcSoft
2008-04-08 19:42 --------- d-----w C:\Program Files\XoftSpySE
2008-04-08 19:32 --------- d-----w C:\Program Files\Coupons
2008-04-03 23:15 138,679 ----a-w C:\Program Files\INSTALL.LOG
2008-03-23 11:00 --------- d-----w C:\Program Files\LimeWire
2008-03-23 07:32 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-22 17:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 06:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-18 20:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-18 06:36 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2008-03-14 05:23 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-09 23:25 53,192 ----a-w C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-02-29 19:22 --------- d-----w C:\Program Files\Netflix
2008-02-29 05:52 --------- dc----w C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
2008-02-29 02:42 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 01:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2008-02-27 08:51 --------- d-----w C:\Program Files\Google
2008-02-27 08:44 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\StumbleUpon
2008-02-18 23:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-26 06:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2006-11-12 18:42 0 ----a-w C:\Program Files\Common Files\err.log
2006-09-19 18:10 1 -c--a-w C:\Documents and Settings\HP_Owner\SI.bin
2006-05-10 18:26 299 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\internaldb1942.dat
2006-01-26 20:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_16.24.44.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-22 21:05:34 37,376 ----a-w C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustCall64.dll
+ 2008-03-22 21:05:34 22,441 ----a-w C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCall.dll
+ 2008-03-22 21:05:34 73,728 ----a-w C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla.dll
+ 2008-03-22 21:05:35 73,728 ----a-w C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla1.dll
+ 2002-07-25 21:13:18 24,576 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.dll
+ 2002-07-25 21:13:12 196,608 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.exe
+ 2004-08-09 09:02:38 327,680 ----a-w C:\WINDOWS\Downloaded Program Files\isusweb.dll
- 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-04-04 03:06:34 7,409,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users(2)\00000001(2)\ntuser.dat
+ 2008-04-04 03:06:35 303,104 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users(2)\00000002(2)\UsrClass.dat
+ 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 12:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
+ 2006-11-22 15:37:10 199,765 ----a-w C:\WINDOWS\system32\AGEIA\app.bin
+ 2006-11-22 15:37:10 122,249 ----a-w C:\WINDOWS\system32\AGEIA\diag.bin
- 2008-03-09 19:02:03 5,093,324 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-04-09 18:57:22 16,892,476 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 12:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3306BE3C-9B61-485B-B71B-C8CDB57AB510}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34B93FE6-C4F0-47D3-8109-BDC311DB1918}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7434d8ce-7f10-4a99-bd5c-a17afbdeb399}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE2A0BC-B8DA-4E22-B28D-EBFF3558CBA4}]
C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C81CA391-6BF3-46A8-AA49-5DC6EBB90849}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 12:02 208946]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 23:05 160592]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-03 00:06 98304]
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-17 04:13 118862]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 17:57 1103480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 02:54 49152 C:\WINDOWS\system32\SiSPower.dll]
"CTHelper"="CTHELPER.EXE" [2003-11-14 04:18 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 11:00 45056]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 16:09 310000]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 14:04 99480]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 01:34 245760]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 14:55 226224]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42 659456]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"MegaPanel"="C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-05-11 15:30 2064384]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-25 18:08 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 05:13 49152 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-15 23:44:01 157008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlji]
pmnnlji.dll
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 12:07 496752 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 17:57 1103480 C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-11-16 14:55 226224 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-11-16 14:55 86960 c:\progra~1\common~1\instal~1\update~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=

R2 l65r3r5c0;l65r3r5c0;"C:\WINDOWS\system32\lcss.exe" [2008-03-22 01:34]
S3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2006-11-08 10:59]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 00:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 20:48:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-29 03:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-03-26 12:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2008-04-08 20:27:55 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-04-09 19:12:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-04-09 18:59:05 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-09 18:59:44 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 15:10:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-04-09 15:13:43
ComboFix-quarantined-files.txt 2008-04-09 19:13:22
ComboFix2.txt 2008-03-25 12:40:41
ComboFix3.txt 2008-03-22 20:25:00
ComboFix4.txt 2008-01-06 18:45:43
ComboFix5.txt 2007-12-03 06:30:19
Pre-Run: 9,261,928,448 bytes free
Post-Run: 9,248,874,496 bytes free
.
2008-03-12 22:47:48 --- E O F ---

#14 rvbeaumont

rvbeaumont
  • Topic Starter

  • Members
  • 41 posts
  • Location:key west
  • Local time:09:52 PM

Posted 09 April 2008 - 02:47 PM

ComboFix 08-04-09.1 - HP_Owner 2008-04-09 15:36:03.23 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.422 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\My Documents\My Videos\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\system32\aqVreo18\aqVreo182328.exe
C:\WINDOWS\WPlayer.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 01:24 . 2008-04-09 14:46 <DIR> d-------- C:\Program Files\Cinemaware Marquee
2008-04-09 01:23 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-04-09 01:23 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-04-09 01:23 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-04-09 01:23 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-04-09 01:23 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-04-09 01:23 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-04-08 15:32 . 2008-04-08 15:32 <DIR> d-------- C:\Program Files\ACNielsen
2008-04-07 15:39 . 2008-04-07 15:39 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-05 17:58 . 2008-04-09 14:33 0 --a------ C:\WINDOWS\system\run.exe
2008-04-05 17:58 . 2008-04-09 14:33 0 --a------ C:\WINDOWS\system\nadlocop.exe
2008-04-05 17:58 . 2008-04-09 14:33 0 --a------ C:\WINDOWS\system\helper.exe
2008-04-05 17:58 . 2008-04-09 14:33 0 --a------ C:\WINDOWS\system\delnew.exe
2008-04-05 17:58 . 2008-04-09 14:33 0 --a--c--- C:\delextra.exe
2008-04-05 17:56 . 2008-04-06 19:29 89,236 --a--c--- C:\ghot.exe
2008-04-05 15:54 . 2008-04-08 23:07 84,116 -r-hs---- C:\WINDOWS\system32\usnscv.exe
2008-04-03 21:24 . 2008-04-09 15:26 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-03 21:23 . 2008-04-03 21:23 278,728 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-03 21:23 . 2008-04-03 21:23 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-03 21:19 . 2008-04-03 21:19 <DIR> d-------- C:\Program Files\The Adventure Company
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 14:59 . 2008-04-03 12:48 90,260 --a--c--- C:\gbnh.exe
2008-03-27 13:55 . 2008-04-06 19:30 0 --a------ C:\WINDOWS\system\temp2.exe
2008-03-27 13:45 . 2008-03-27 13:44 48,640 -r-hs---- C:\WINDOWS\taskngr.exe
2008-03-23 19:26 . 2008-04-06 19:32 1,236 --a--c--- C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2008-03-23 12:09 . 2008-04-06 19:29 5,064 --a--c--- C:\mstn.exe
2008-03-22 15:35 . 2008-03-22 15:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-22 13:21 . 2008-03-22 13:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 02:28 . 2008-03-22 02:46 <DIR> d----c--- C:\Documents and Settings\HP_Owner\.housecall6.6
2008-03-22 02:09 . 2008-03-22 13:15 1,543,399 --ahs---- C:\WINDOWS\system32\kjkylqup.ini
2008-03-22 01:57 . 2008-03-23 01:48 6,656 --a--c--- C:\hlpr.exe
2008-03-22 01:51 . 2008-03-22 02:04 1,543,219 --ahs---- C:\WINDOWS\system32\fgihqcpb.ini
2008-03-22 01:34 . 2008-03-22 01:34 30,720 -rahs---- C:\WINDOWS\system32\lcss.exe
2008-03-21 18:01 . 2008-03-22 01:34 5,632 --a--c--- C:\dllhost.exe
2008-03-20 02:11 . 2008-03-20 02:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PlayPond
2008-03-12 18:47 . 2008-03-12 18:47 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 19:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 19:26 --------- d-----w C:\Program Files\QuickTime
2008-04-09 19:22 --------- d-----w C:\Program Files\ArcSoft
2008-04-09 19:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 04:58 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2008-04-08 19:42 --------- d-----w C:\Program Files\XoftSpySE
2008-04-08 19:32 --------- d-----w C:\Program Files\Coupons
2008-04-03 23:15 138,679 ----a-w C:\Program Files\INSTALL.LOG
2008-03-23 11:00 --------- d-----w C:\Program Files\LimeWire
2008-03-23 07:32 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-22 17:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 06:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-18 20:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-18 06:36 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2008-03-14 05:23 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-09 23:25 53,192 ----a-w C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-02-29 19:22 --------- d-----w C:\Program Files\Netflix
2008-02-29 05:52 --------- dc----w C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
2008-02-29 02:42 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 01:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2008-02-27 08:51 --------- d-----w C:\Program Files\Google
2008-02-27 08:44 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\StumbleUpon
2008-02-18 23:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-26 06:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2006-11-12 18:42 0 ----a-w C:\Program Files\Common Files\err.log
2006-09-19 18:10 1 -c--a-w C:\Documents and Settings\HP_Owner\SI.bin
2006-05-10 18:26 299 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\internaldb1942.dat
2006-01-26 20:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3306BE3C-9B61-485B-B71B-C8CDB57AB510}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34B93FE6-C4F0-47D3-8109-BDC311DB1918}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7434d8ce-7f10-4a99-bd5c-a17afbdeb399}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE2A0BC-B8DA-4E22-B28D-EBFF3558CBA4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C81CA391-6BF3-46A8-AA49-5DC6EBB90849}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 12:02 208946]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 23:05 160592]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-03 00:06 98304]
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-17 04:13 118862]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 17:57 1103480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 02:54 49152 C:\WINDOWS\system32\SiSPower.dll]
"CTHelper"="CTHELPER.EXE" [2003-11-14 04:18 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 11:00 45056]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 16:09 310000]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 14:04 99480]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 01:34 245760]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-11-16 14:55 226224]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42 659456]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-25 18:08 185896]
"XoftSpySE"="C:\Program Files\XoftSpySE\xoftspy.exe" [2007-10-24 14:59 728576]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 05:13 49152 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlji]
pmnnlji.dll
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 12:07 496752 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 17:57 1103480 C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-11-16 14:55 226224 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-11-16 14:55 86960 c:\progra~1\common~1\instal~1\update~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=

R2 ASP.NET SSL Service;ASP.NET SSL Service;"C:\WINDOWS\taskngr.exe" [2008-03-27 13:44]
R2 ckyqynqzzmscfpjt3l07jt;ckyqynqzzmscfpjt3l07jt;"C:\WINDOWS\system32\usnscv.exe" [2008-04-08 23:07]
R2 l65r3r5c0;l65r3r5c0;"C:\WINDOWS\system32\lcss.exe" [2008-03-22 01:34]
S2 aa0n58e3y7t3;aa0n58e3y7t3;"C:\WINDOWS\system32\svshost.exe" []
S2 is6y22l7i4j2;is6y22l7i4j2;"C:\WINDOWS\system32\svshost.exe" []
S3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2006-11-08 10:59]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 00:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 20:48:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-29 03:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-03-26 12:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2008-04-08 20:27:55 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-04-09 19:42:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-04-09 19:31:36 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-09 19:32:42 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 15:41:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-09 15:44:22
ComboFix-quarantined-files.txt 2008-04-09 19:44:04
ComboFix2.txt 2008-04-09 19:13:44
ComboFix3.txt 2008-03-25 12:40:41
ComboFix4.txt 2008-03-22 20:25:00
ComboFix5.txt 2008-01-06 18:45:43
Pre-Run: 8,260,345,856 bytes free
Post-Run: 8,250,105,856 bytes free
.
2008-03-12 22:47:48 --- E O F ---

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:52 PM

Posted 09 April 2008 - 06:24 PM

rvbeaumont, if you want my help you need to follow my instructions explicitly. There's no need to run Combofix more than once. You are just making this process more complicated than it needs to be. Please follow only the directions as I have given them and we will get your computer fixed up as soon as possible. Thanks.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================



