Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log


  • Please log in to reply
11 replies to this topic

#1 celtica

celtica

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 24 March 2008 - 08:15 PM

I've been doing battle with the Malware for the last couple of days, and I know I've gotten rid of some of it -the particularly nasty one that hijacked my desktop, among other things-, using SmitFraud. I'm still getting CiD popups though, so I'll probably have to go the nolop route. I'm posting my HijackThis log to ask if there's anything else dodgy in my machine that I'm not aware of, and if there is, how can I fix it? I think I still have something called 'dwnrpofk', at the least -haven't a clue what do do about that one.

Here's my Log, could someone please scan their eyes over this and see if there's anything nasty still lurking? Thanks in advance, much appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:12 p.m., on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: qvdntlmw - {3D5F91CB-4CEC-4AA8-BF5D-D7797DE45A4B} - C:\WINDOWS\qvdntlmw.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7847 bytes

Edited by celtica, 24 March 2008 - 08:16 PM.


BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:06:49 AM

Posted 24 March 2008 - 10:02 PM

Please do the following:

Disable Spybot Search and Destroy TeaTimer as it may interfere with the accomplishment of the instructions that follow.
  • Open Spybot Search & Destroy
  • In the Mode menu click Advanced Mode, if not already selected.
  • Select: Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click: Resident
  • Uncheck the Resident TeaTimer (Protection of overall system settings) active.
  • In the File menu click Exit
Restart the computer!!

~~~~
Download SDFix

Save it to the Desktop
Right click SDFix.zip
Select: Extract All to extract it to its own folder

Now, reboot to Safe Mode
  • Restart your computer.
  • When the machine starts, tap the F8 key before Windows starts
  • You are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Press Enter to boot into Safe Mode.
In Safe Mode, open the SDFix folder on the Desktop
  • Double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.
  • Press any key to restart the PC.
  • When the PC restarts the SDFix will run again and complete the removal process
  • It then displays Finished
  • Press any key to end the script and load the Desktop icons.
  • Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.
~~~~
Next, download ComboFix
Save to the Desktop <<< Important!!

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the contents of the SDFix Report.txt, the ComboFix log , and the new HijackThis log in your reply.

Old duck...


#3 celtica

celtica
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 25 March 2008 - 05:25 AM

Thanks for the help.


SDFix: Version 1.161

Run by Clare on Tue 25/03/2008 at 10:23 p.m.

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Clare\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\dwnrpofk.dll - Deleted
C:\WINDOWS\qvdntlmw.dll - Deleted
C:\WINDOWS\rs.txt - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 22:38:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\Clare\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 15 Feb 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 15 Feb 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"

Finished!



ComboFix 08-03-24.2 - Clare 2008-03-25 23:00:46.1 - NTFSx86
Running from: C:\Documents and Settings\Clare\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
CF25668.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-25 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-25 "C:\Program Files\*"
CF25668.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
pv -kf -l"* pid.bat *"
CF25668.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-25 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-25 "C:\Program Files\*"
CF25668.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
CF25668.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 22:20 . 2008-03-25 22:20 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-24 13:56 . 2008-03-24 13:56 3,258 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-24 12:38 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-24 12:38 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-24 12:38 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-24 12:37 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-03-24 12:35 . 2008-03-24 12:35 <DIR> d-------- C:\Program Files\Sygate
2008-03-24 00:31 . 2008-03-24 00:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-23 19:44 . 2008-03-23 22:56 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-03-23 19:07 . 2008-03-23 19:07 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-23 19:02 . 2008-03-23 19:02 <DIR> d-------- C:\Documents and Settings\Clare\DesktopXsoft111
2008-03-23 18:51 . 2008-03-23 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zudmpqzy
2008-03-23 18:39 . 2008-03-23 18:39 <DIR> d-------- C:\Documents and Settings\Clare\DesktopXoftspy2
2008-03-23 17:44 . 2008-03-23 17:44 <DIR> d-------- C:\Documents and Settings\Clare\Application Data\SUPERAntiSpyware.com
2008-03-23 16:39 . 2008-03-23 16:39 <DIR> d-------- C:\Program Files\Monopoly
2008-03-23 16:39 . 1998-06-24 00:00 198,456 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-03-15 19:03 . 2008-03-15 19:03 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-13 09:09 . 2008-03-13 09:20 <DIR> d-------- C:\d47aca7847f8981a244401d92b
2008-03-08 16:20 . 2008-03-08 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-08 16:19 . 2008-03-23 17:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-08 16:09 . 2008-03-08 16:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 14:22 . 2008-03-08 14:56 <DIR> d-------- C:\Program Files\NoAdware5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 02:10 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-03-23 10:35 --------- d-----w C:\Program Files\CAM Development
2008-03-15 23:48 --------- d-----w C:\Program Files\Fairy Godmother Tycoon1
2008-03-08 10:45 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-08 03:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 02:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy1
2008-03-01 02:14 --------- d-----w C:\Program Files\Stitch
2008-03-01 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 02:11 --------- d-----w C:\Program Files\Family Tree Maker 2005
2008-03-01 02:10 --------- d-----w C:\Program Files\Democracy2 Demo
2008-02-19 04:17 --------- d-----w C:\Program Files\AltoMP3 Gold
2008-02-19 03:56 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-19 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-15 08:48 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-15 08:47 --------- d-----w C:\Program Files\Common Files\Real
2008-02-14 23:48 --------- d-----w C:\Program Files\Weight Commander
2008-02-09 06:34 --------- d-----w C:\Documents and Settings\Clare\Application Data\PlayFirst
2008-02-09 06:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-09 06:30 --------- d-----w C:\Program Files\MostFun
2008-02-09 06:14 --------- d-----w C:\Program Files\Chocolatier
2008-01-26 04:48 --------- d-----w C:\Program Files\DOSBox-0.72
2008-01-26 00:08 --------- d-----w C:\Documents and Settings\Clare\Application Data\Bait About List
2008-01-26 00:02 --------- d-----w C:\Program Files\Alwil Software
2008-01-25 03:59 --------- d-----w C:\Program Files\Valusoft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 00:42 1404928]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-06 00:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-06 00:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-06 00:23 114688]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 06:02 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 06:05 127035]
"EPSON Stylus CX3700 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe" [2005-02-08 08:00 98304]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [ ]
"VirusScan Online"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 02:00 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 21:46 185896]
"axis love poll lite"="C:\Documents and Settings\All Users\Application Data\each new axis love\Love bib.exe" [2008-03-25 22:50 1620992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-23 10:44:36 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 10:00:03 C:\WINDOWS\Tasks\AB9A71E194C9EB69.job"
- c:\docume~1\clare\applic~1\baitab~1\test beep sixth.exe
"2008-01-14 12:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-02-29 12:01:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2008-03-25 09:32:54 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-23 06:07:15 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 23:12:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-03-25 23:18:22
ComboFix-quarantined-files.txt 2008-03-25 10:18:09
.
2008-03-12 20:20:48 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:09 p.m., on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Love bib.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8151 bytes

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:06:49 AM

Posted 25 March 2008 - 09:39 PM

Please disable Spybot Search and Destroy TeaTimer as it may interfere with the accomplishment of the instructions that follow.
  • Open Spybot Search & Destroy
  • In the Mode menu click Advanced Mode, if not already selected.
  • Select: Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click: Resident
  • Uncheck the Resident TeaTimer (Protection of overall system settings) active.
  • In the File menu click Exit
Restart the computer!!

~~~~
Next, download NoLop to the Desktop: http://www.thespykiller.co.uk/forum/index....tpmod;dl=item16
  • Close any programs you have running since a reboot is required
  • Double click NoLop.exe to run it
  • Next, click the button labeled: Search and Destroy
    <<your computer will now be scanned for infected files>>
  • When the scan finishes, if infected, you are prompted to reboot
  • Click OK
  • Now click: REBOOT
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

~~~~
Also launch Notepad (Start > Run > in the Open field type: notepad)
Copy/paste all the text in the code box below toNotepadt:

%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h AB9A71E194C9EB69.job
del AB9A71E194C9EB69.job

In the Save as prompt:
Save in: Desktop
File Name: remjobs.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

On the Desktop, double click remjobs.bat
A DOS window opens and closes again. This is normal.

~~~
Please post the contents of C:\NoLop.log along with a new HijackThis log

Edited by Aaflac, 25 March 2008 - 09:47 PM.

Old duck...


#5 celtica

celtica
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 26 March 2008 - 05:06 AM

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Clare\Desktop
[26/03/2008]
[10:46:48 p.m.]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AB9A71E194C9EB69.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Mozilla
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\Administrator\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Each New Axis Love
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nch Swift Sound
C:\Documents and Settings\All Users\Application Data\Playfirst
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Udl
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Zudmpqzy
C:\Documents and Settings\Ann\Application Data\Bait About List -- EMPTY Directory
C:\Documents and Settings\Ann\Application Data\Cyberlink
C:\Documents and Settings\Ann\Application Data\Epson
C:\Documents and Settings\Ann\Application Data\Gtek
C:\Documents and Settings\Ann\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Ann\Application Data\Identities
C:\Documents and Settings\Ann\Application Data\Jasc Software Inc
C:\Documents and Settings\Ann\Application Data\Macromedia
C:\Documents and Settings\Ann\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Ann\Application Data\Microsoft
C:\Documents and Settings\Ann\Application Data\Mozilla
C:\Documents and Settings\Ann\Application Data\Real
C:\Documents and Settings\Ann\Application Data\Secondlife
C:\Documents and Settings\Ann\Application Data\Sun
C:\Documents and Settings\Ann\Application Data\Template
C:\Documents and Settings\Clare\Application Data\Adobe
C:\Documents and Settings\Clare\Application Data\Adobeum
C:\Documents and Settings\Clare\Application Data\Ambient Design
C:\Documents and Settings\Clare\Application Data\Arcsoft
C:\Documents and Settings\Clare\Application Data\Bait About List
C:\Documents and Settings\Clare\Application Data\Bittorrent
C:\Documents and Settings\Clare\Application Data\Cyberlink
C:\Documents and Settings\Clare\Application Data\Epson
C:\Documents and Settings\Clare\Application Data\Ftw
C:\Documents and Settings\Clare\Application Data\Fxfotodb
C:\Documents and Settings\Clare\Application Data\Google
C:\Documents and Settings\Clare\Application Data\Gtek
C:\Documents and Settings\Clare\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Clare\Application Data\Identities
C:\Documents and Settings\Clare\Application Data\Imvu
C:\Documents and Settings\Clare\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Clare\Application Data\Leadertech
C:\Documents and Settings\Clare\Application Data\Macromedia
C:\Documents and Settings\Clare\Application Data\Mcafee
C:\Documents and Settings\Clare\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Clare\Application Data\Microsoft
C:\Documents and Settings\Clare\Application Data\Mozilla
C:\Documents and Settings\Clare\Application Data\Neopets Toolbar
C:\Documents and Settings\Clare\Application Data\Pc Tools
C:\Documents and Settings\Clare\Application Data\Playfirst
C:\Documents and Settings\Clare\Application Data\Real
C:\Documents and Settings\Clare\Application Data\Secondlife
C:\Documents and Settings\Clare\Application Data\Securom
C:\Documents and Settings\Clare\Application Data\Soft-evolution
C:\Documents and Settings\Clare\Application Data\Sonic
C:\Documents and Settings\Clare\Application Data\Sun
C:\Documents and Settings\Clare\Application Data\Superantispyware.com
C:\Documents and Settings\Clare\Application Data\Template
C:\Documents and Settings\Clare\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:20 p.m., on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Love bib.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8200 bytes

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:06:49 AM

Posted 26 March 2008 - 08:16 AM

Please double-click ComboFix.exe to run the program once again.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Please provide the contents of the ComboFix log in your reply.

Edited by Aaflac, 26 March 2008 - 08:21 AM.

Old duck...


#7 celtica

celtica
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 26 March 2008 - 06:53 PM

ComboFix 08-03-24.2 - Clare 2008-03-27 12:35:11.2 - NTFSx86
Running from: C:\Documents and Settings\Clare\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
pv -kf -l"* pid.bat *"
CF9148.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*"
CF9148.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
CF9148.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*"
CF9148.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 22:49 . 2008-03-26 22:52 <DIR> d-------- C:\NoLopBackups
2008-03-25 22:20 . 2008-03-25 22:20 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-24 13:56 . 2008-03-24 13:56 3,258 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-24 12:38 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-24 12:38 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-24 12:38 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-24 12:37 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-03-24 12:35 . 2008-03-24 12:35 <DIR> d-------- C:\Program Files\Sygate
2008-03-24 00:31 . 2008-03-24 00:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-23 19:44 . 2008-03-23 22:56 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-03-23 19:07 . 2008-03-23 19:07 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-23 19:02 . 2008-03-23 19:02 <DIR> d-------- C:\Documents and Settings\Clare\DesktopXsoft111
2008-03-23 18:51 . 2008-03-23 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zudmpqzy
2008-03-23 18:39 . 2008-03-23 18:39 <DIR> d-------- C:\Documents and Settings\Clare\DesktopXoftspy2
2008-03-23 17:44 . 2008-03-23 17:44 <DIR> d-------- C:\Documents and Settings\Clare\Application Data\SUPERAntiSpyware.com
2008-03-23 16:39 . 2008-03-23 16:39 <DIR> d-------- C:\Program Files\Monopoly
2008-03-23 16:39 . 1998-06-24 00:00 198,456 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-03-15 19:03 . 2008-03-15 19:03 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-13 09:09 . 2008-03-13 09:20 <DIR> d-------- C:\d47aca7847f8981a244401d92b
2008-03-08 16:20 . 2008-03-08 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-08 16:19 . 2008-03-23 17:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-08 16:09 . 2008-03-08 16:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 14:22 . 2008-03-08 14:56 <DIR> d-------- C:\Program Files\NoAdware5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 02:10 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-03-23 10:35 --------- d-----w C:\Program Files\CAM Development
2008-03-15 23:48 --------- d-----w C:\Program Files\Fairy Godmother Tycoon1
2008-03-08 10:45 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-08 03:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 02:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy1
2008-03-01 02:14 --------- d-----w C:\Program Files\Stitch
2008-03-01 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 02:11 --------- d-----w C:\Program Files\Family Tree Maker 2005
2008-03-01 02:10 --------- d-----w C:\Program Files\Democracy2 Demo
2008-02-19 04:17 --------- d-----w C:\Program Files\AltoMP3 Gold
2008-02-19 03:56 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-19 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-15 08:48 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-15 08:47 --------- d-----w C:\Program Files\Common Files\Real
2008-02-14 23:48 --------- d-----w C:\Program Files\Weight Commander
2008-02-09 06:34 --------- d-----w C:\Documents and Settings\Clare\Application Data\PlayFirst
2008-02-09 06:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-09 06:30 --------- d-----w C:\Program Files\MostFun
2008-02-09 06:14 --------- d-----w C:\Program Files\Chocolatier
2008-01-26 04:48 --------- d-----w C:\Program Files\DOSBox-0.72
2008-01-26 00:08 --------- d-----w C:\Documents and Settings\Clare\Application Data\Bait About List
2008-01-26 00:02 --------- d-----w C:\Program Files\Alwil Software
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_23.17.25.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-25 06:36:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-26 23:18:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-25 06:36:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-26 23:18:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-25 06:36:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-26 23:18:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-26 09:52:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_614.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 00:42 1404928]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-06 00:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-06 00:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-06 00:23 114688]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 06:02 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 06:05 127035]
"EPSON Stylus CX3700 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe" [2005-02-08 08:00 98304]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [ ]
"VirusScan Online"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 02:00 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 21:46 185896]
"axis love poll lite"="C:\Documents and Settings\All Users\Application Data\each new axis love\Love bib.exe" [2008-03-26 22:56 1620992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-23 10:44:36 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 12:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-02-29 12:01:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2008-03-26 09:52:59 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-23 06:07:15 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 12:44:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-03-27 12:49:25
ComboFix-quarantined-files.txt 2008-03-26 23:49:14
ComboFix2.txt 2008-03-25 10:18:24
.
2008-03-12 20:20:48 --- E O F ---

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:06:49 AM

Posted 26 March 2008 - 08:08 PM

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the text inside the code box below to Notepad:

Folder:: 
C:\Documents and Settings\Clare\Application Data\Bait About List
C:\Documents and Settings\All Users\Application Data\each new axis love

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"axis love poll lite"=-


Save as CFScript.txt <<< Important!!
Change the Save as type to: All Files
Save it to the Desktop

Posted Image


Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis once again, and Scan, to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log, and the new HijackThis log in your reply.


Also, let us know if you are still having malware problems?

Old duck...


#9 celtica

celtica
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 27 March 2008 - 04:25 AM

Here are the latest ComboFix and HijackThis logs. At the moment -since I logged in 45 min ago-, I don't seem to be getting anything malware related happening, however I had one CiD popup last night, after I posted at 05:06 AM server time. Nothing since, so far (cross fingers...).

And to the Logs:

ComboFix 08-03-24.2 - Clare 2008-03-27 21:54:51.3 - NTFSx86
Running from: C:\Documents and Settings\Clare\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Clare\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
CF20361.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\each new axis love
C:\Documents and Settings\All Users\Application Data\each new axis love\Love bib.exe
C:\Documents and Settings\Clare\Application Data\Bait About List
C:\Documents and Settings\Clare\Application Data\Bait About List\0
C:\Documents and Settings\Clare\Application Data\Bait About List\fyvmyefl.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-26 22:49 . 2008-03-26 22:52 <DIR> d-------- C:\NoLopBackups
2008-03-25 22:20 . 2008-03-25 22:20 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-24 13:56 . 2008-03-24 13:56 3,258 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-24 12:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-24 12:38 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-24 12:38 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-24 12:38 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-24 12:37 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-03-24 12:35 . 2008-03-24 12:35 <DIR> d-------- C:\Program Files\Sygate
2008-03-24 00:31 . 2008-03-24 00:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-23 19:44 . 2008-03-23 22:56 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-03-23 19:07 . 2008-03-23 19:07 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-23 19:02 . 2008-03-23 19:02 <DIR> d-------- C:\Documents and Settings\Clare\DesktopXsoft111
2008-03-23 18:51 . 2008-03-23 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zudmpqzy
2008-03-23 18:39 . 2008-03-23 18:39 <DIR> d-------- C:\Documents and Settings\Clare\DesktopXoftspy2
2008-03-23 17:44 . 2008-03-23 17:44 <DIR> d-------- C:\Documents and Settings\Clare\Application Data\SUPERAntiSpyware.com
2008-03-23 16:39 . 2008-03-23 16:39 <DIR> d-------- C:\Program Files\Monopoly
2008-03-23 16:39 . 1998-06-24 00:00 198,456 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-03-15 19:03 . 2008-03-15 19:03 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-13 09:09 . 2008-03-13 09:20 <DIR> d-------- C:\d47aca7847f8981a244401d92b
2008-03-08 16:20 . 2008-03-08 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-08 16:19 . 2008-03-23 17:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-08 16:09 . 2008-03-08 16:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 14:22 . 2008-03-08 14:56 <DIR> d-------- C:\Program Files\NoAdware5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 02:10 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-03-23 10:35 --------- d-----w C:\Program Files\CAM Development
2008-03-15 23:48 --------- d-----w C:\Program Files\Fairy Godmother Tycoon1
2008-03-08 10:45 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-08 03:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 02:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy1
2008-03-01 02:14 --------- d-----w C:\Program Files\Stitch
2008-03-01 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 02:11 --------- d-----w C:\Program Files\Family Tree Maker 2005
2008-03-01 02:10 --------- d-----w C:\Program Files\Democracy2 Demo
2008-02-19 04:17 --------- d-----w C:\Program Files\AltoMP3 Gold
2008-02-19 03:56 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-19 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-15 08:48 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-15 08:47 --------- d-----w C:\Program Files\Common Files\Real
2008-02-14 23:48 --------- d-----w C:\Program Files\Weight Commander
2008-02-09 06:34 --------- d-----w C:\Documents and Settings\Clare\Application Data\PlayFirst
2008-02-09 06:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-09 06:30 --------- d-----w C:\Program Files\MostFun
2008-02-09 06:14 --------- d-----w C:\Program Files\Chocolatier
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_23.17.25.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-25 06:36:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-27 08:48:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-25 06:36:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-27 08:48:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-25 06:36:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-27 08:48:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-26 09:52:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_614.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 00:42 1404928]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-06 00:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-06 00:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-06 00:23 114688]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 06:02 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 06:05 127035]
"EPSON Stylus CX3700 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe" [2005-02-08 08:00 98304]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [ ]
"VirusScan Online"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 02:00 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 21:46 185896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-23 10:44:36 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 12:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-02-29 12:01:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2008-03-27 04:00:02 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-23 06:07:15 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 22:02:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-03-27 22:06:00
ComboFix-quarantined-files.txt 2008-03-27 09:05:52
ComboFix2.txt 2008-03-26 23:49:26
ComboFix3.txt 2008-03-25 10:18:24
.
2008-03-12 20:20:48 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:17, on 2008-03-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Love bib.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8140 bytes

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:06:49 AM

Posted 27 March 2008 - 09:13 PM

Run HijackThis, Scan
Check box for:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Love bib.exe

Select: Fix checked

~~~~
It appears you are running more than one AntiVirus program: McAfee and avast!

This is not a good idea. Having more than one of these programs active in memory opens the door to potential conflicts between the programs, uses additional resources, and may result in diminished detection capabilities, or cause false virus alerts.

The best thing to do is uninstall one of the AV programs and let the one you choose to keep do its job.

To uninstall whichever program you do not want to keep:

Go to: Start > Run, type: control
Press OK
Double-click on: Add/Remove Programs

On the list of Currently Installed Programs, look for and uninstall the program you do not want to keep by selecting the entry and clicking on Remove:

Next, search for and delete the folder related to the program. It should be in:
C:\Program Files\

Then, restart the computer.

~~~~
Next, please download Malwarebytes' Anti-Malware (MBAM)
Save the program to the Desktop
Close all Windows, including this one. (Print the instructions first)

On the Desktop, double-click mbam-setup.exe to install the program, and follow the prompts
  • If an update is found, MBAM will download and install the latest.
  • Click OK
At the main program window
  • Make sure the following is checked: Perform Quick Scan
  • Click: Scan (The scan may take some time to finish, so please be patient.)
  • When the scan completes, a message box appears as shown in the image below:
    Posted Image
  • Click OK
At the main Scanner screen:
  • Click on: Show Results
  • A screen displaying the malware found shows as seen in the image below. (Results may be different.)
    Posted Image
  • Make sure everything found is checked, and click: Remove Selected
  • When the disinfection is complete, you may be prompted to Restart. Please do so.
  • When MBAM finishes removing the malware, a log opens in Notepad
  • The log is automatically saved and can be viewed by clicking the Logs tab.
~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the MBAM report, and a new HijackThis log in your reply.

Old duck...


#11 celtica

celtica
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 28 March 2008 - 05:00 AM

I uninstalled McAfee. I knew about the potential conflicts of running two AV programs, but because McAfee cost quite a bit, I felt guilty about deleting it, even though it was awful. Every time it auto-updated it'd slow the computer down to a crawl, and freeze everything intermittently, and it let all this junk through even though it was auto-updated and running on auto-protection all the time. What a waste of money. I got Avast! because McAfee wasn't doing its' job. At all. It picks up lots that McAfee just merrily let through. The computer seems to be running more smoothly now, without the momentary(up to 30 second) freezes. I really do appreciate your help, the computer is much faster, and isn't doing (so many) weird things like it was.

Here are the newest logs:

Malwarebytes' Anti-Malware 1.09
Database version: 507

Scan type: Quick Scan
Objects scanned: 30561
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47, on 2008-03-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~3\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6371 bytes

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:06:49 AM

Posted 28 March 2008 - 08:51 AM

Posted Image

The HijackThis log looks fine. Just one McAfee entry…

Run HijackThis, Scan
Check box for:

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

Select: Fix checked

~~~~
Java is out of date. Older versions have vulnerabilities that malware can use to infect the system.
Please update your version of Java as follows:

Go to Start > Control Panel > Add/Remove Programs
In the list of Currently Installed Programs, look for all previous versions of Java:
J2SE Runtime Environment number x, etc.
Select each entry and then Remove

Next, download and install the newest version:
Java Runtime Environment (JRE) 6 Update 5



~~~~
If you are not having malware problems, you are good to go!

Please do the following to wrap up:
  • Go to Start, then select: Run
  • Type Combofix /u in the Open box, and click OK. (Notice the space before /u)
    Posted Image
  • This command uninstalls ComboFix, implements some cleanup procedures, and resets System Restore points.
Also remove:
C:\Documents and Settings\Clare\Desktop\SDFix



Some of the best suggestions and programs to remain malware free are contained in Tony Klein’s article:
How Did I Get Infected In The First Place

It is also a very good practice to perform an online virus scan on a regular basis.
Scanners do not have identical malware definitions, and what one misses, another one can catch.
Some of the scanners are:
BitDefender Online Scanner
ESET NOD32 Online Scanner
F-Secure Online Scanner
Panda ActiveScan
TrendMicro HouseCall

~~~~
If you have any questions or comments, post back. Otherwise...

Good luck, and safe journey through the Internet!!

Old duck...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users