Desktop Hijacked, Computer Very Slow, Need Help


21 replies to this topic

#1 polyav

Posted 25 March 2008 - 08:40 PM

Hi,
My son downloaded a file last week and installed it on our PC. This is when all of the problems started.
The desktop background disappeared; instead there was this: Security Warning: .....,
and we also keep getting an error every time Windows loads: Run-time error '339':
Component 'MSWINSCK.OCX' or one of its dependencies not correctly registered: a file is missing or invalid.

We keep getting popups telling us to go to the websites. Windows is loading very slowly and I can't use IE; it's not loading websites.
We also keep getting blue screens with no error messages on them.
This is what I have installed for protection: Symantec Antivirus Version 9, Windows Defender and a router firewall.
Here is the list of things I did so far:
Scanned with the antivirus (found 1 virus), scanned with Windows Defender (found nothing),
scanned with SuperAntiSpyware with the latest definitions in safe mode, scanned with AVG Anti-Spyware in safe mode.
Both of the tools found a lot of problems (700+); fixed all of them.

I need some help,
thank you

Here is the log from HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:56 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\perfmonss.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\windows\system\Update.exe
C:\WINDOWS\system32\regsvr32.exe
C:\windows\system\Update.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Tray Tools\atitray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {2beacc78-1dd2-11b2-a54a-904608489bac} - C:\WINDOWS\nwhujehe.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [tapmlkli] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tapmlkli.dll"
O4 - HKLM\..\Run: [IMprocess] C:\DOCUME~1\victor\LOCALS~1\Temp\IMAdvertiser.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BMdf6eff53] Rundll32.exe "C:\WINDOWS\system32\ayfgiyqu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Download Master] C:\Program Files\Download Master\dmaster.exe -autorun
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159840230030
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159850576546
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader4.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp...PUS/Coupons.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Filter hijack: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfmonss.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11089 bytes
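
As an added example (not from the original post and not a HijackThis or BleepingComputer tool), here is a small Python triage pass over lines taken from the log above. It applies the checks a helper makes first: an extra program chained into the UserInit value, unnamed or orphaned BHOs, Run entries launched from a Temp directory, from the legacy C:\WINDOWS\system directory or through regsvr32/rundll32, a text/html filter hijack, and services with no vendor string living in system32. The rules and reason strings are assumed first-pass heuristics, not a verdict on any particular file.

```python
"""Triage heuristics for HijackThis log lines.

Added example; not part of the original thread and not a HijackThis or
BleepingComputer tool. The rules are assumed first-pass heuristics.
"""

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {2beacc78-1dd2-11b2-a54a-904608489bac} - C:\WINDOWS\nwhujehe.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [tapmlkli] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tapmlkli.dll"
O4 - HKLM\..\Run: [IMprocess] C:\DOCUME~1\victor\LOCALS~1\Temp\IMAdvertiser.EXE
O4 - HKLM\..\Run: [BMdf6eff53] Rundll32.exe "C:\WINDOWS\system32\ayfgiyqu.dll",s
O18 - Filter hijack: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - (no file)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def _check_userinit(line):
    # Winlogon runs every comma-separated program listed after UserInit=;
    # a clean XP installation lists only userinit.exe.
    programs = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
    extra = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
    if extra:
        return "extra program chained into UserInit: " + ", ".join(extra)
    return None


def _check_bho(line):
    low = line.lower()
    if low.endswith("(no file)"):
        return "orphaned BHO registration (no file on disk)"
    if "(no name)" in low and "\\program files\\" not in low:
        return "unnamed BHO loaded from outside Program Files"
    return None


def _check_run(line):
    # Everything after the "[name]" token is the command Windows will run.
    cmd = line.split("]", 1)[1].strip().lower()
    if "\\temp\\" in cmd:
        return "autorun launched from a Temp directory"
    if cmd.startswith(("regsvr32", "rundll32")):
        return "autorun loads a DLL through regsvr32/rundll32"
    if "\\windows\\system\\" in cmd:
        return "autorun from C:\\WINDOWS\\system rather than system32"
    return None


def _check_service(line):
    low = line.lower()
    if "unknown owner" in low and "\\windows\\system32\\" in low:
        return "service with no vendor string running from system32"
    return None


def triage(log_text):
    """Return [(line, reason)] for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = None
        if line.startswith("F2 - REG:system.ini: UserInit="):
            reason = _check_userinit(line)
        elif line.startswith("O2 - BHO:"):
            reason = _check_bho(line)
        elif line.startswith("O4 - ") and "\\..\\Run" in line and "]" in line:
            reason = _check_run(line)
        elif line.startswith("O18 - Filter hijack"):
            reason = "MIME filter hijack: a handler registered for text/html"
        elif line.startswith("O23 - Service:"):
            reason = _check_service(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```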

#2 Buckeye_Sam (Malware Expert)

Posted 26 March 2008 - 06:30 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 polyav (Topic Starter)

Posted 26 March 2008 - 07:08 AM

Thank you,
here is the log.

ComboFix 08-03-25.4 - victor 2008-03-26 7:56:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.358 [GMT -4:00]
Running from: C:\Documents and Settings\victor\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\#SharedObjects\SCA3269M\www.broadcaster.com
C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\#SharedObjects\SCA3269M\www.broadcaster.com\played_list.sol
C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\#SharedObjects\SCA3269M\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\#SharedObjects\PVXKHFLZ\www.broadcaster.com
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\#SharedObjects\PVXKHFLZ\www.broadcaster.com\played_list.sol
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\#SharedObjects\PVXKHFLZ\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\pcast
C:\Program Files\pcast\news.Sel
C:\WINDOWS\2020search2.dll
C:\WINDOWS\BMdf6eff53.xml
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\ayfgiyqu.dll
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Service_perfmons
-------\Service_Routing


((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp4_239911509875.bk
2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp3_568143380774.bk
2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp1_868532810858.bk
2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp0_18975577205.bk
2008-03-25 21:46 . 2008-03-25 21:53 <DIR> d-------- C:\Documents and Settings\victor\.housecall6.6
2008-03-25 21:22 . 2008-03-25 21:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 11:31 . 2008-03-25 11:31 68 --a------ C:\WINDOWS\system32\tmp4_258519349818.bk
2008-03-25 11:31 . 2008-03-25 11:31 68 --a------ C:\WINDOWS\system32\tmp3_793961360992.bk
2008-03-25 11:31 . 2008-03-25 11:31 68 --a------ C:\WINDOWS\system32\tmp1_543491677370.bk
2008-03-25 11:31 . 2008-03-25 11:31 68 --a------ C:\WINDOWS\system32\tmp0_388164871291.bk
2008-03-25 00:01 . 2008-03-25 00:01 68 --a------ C:\WINDOWS\system32\tmp4_263044261275.bk
2008-03-25 00:00 . 2008-03-25 00:00 68 --a------ C:\WINDOWS\system32\tmp3_422459565909.bk
2008-03-25 00:00 . 2008-03-25 00:00 68 --a------ C:\WINDOWS\system32\tmp1_19501197492.bk
2008-03-25 00:00 . 2008-03-25 00:00 68 --a------ C:\WINDOWS\system32\tmp0_151568504564.bk
2008-03-24 22:47 . 2008-03-24 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 21:23 . 2008-03-24 22:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-24 21:23 . 2008-03-24 21:23 <DIR> d-------- C:\Documents and Settings\victor\Application Data\SUPERAntiSpyware.com
2008-03-24 21:23 . 2008-03-24 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-24 21:08 . 2008-03-24 21:08 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-24 21:08 . 2008-03-24 21:08 <DIR> d-------- C:\Program Files\180search assistant
2008-03-24 19:17 . 2008-03-24 19:17 68 --a------ C:\WINDOWS\system32\tmp4_516811173816.bk
2008-03-24 19:17 . 2008-03-24 19:17 68 --a------ C:\WINDOWS\system32\tmp3_825464734503.bk
2008-03-24 19:16 . 2008-03-24 19:16 68 --a------ C:\WINDOWS\system32\tmp1_750920219694.bk
2008-03-24 19:16 . 2008-03-24 19:16 68 --a------ C:\WINDOWS\system32\tmp0_565572773559.bk
2008-03-24 00:02 . 2008-03-24 00:02 68 --a------ C:\WINDOWS\system32\tmp4_598583517610.bk
2008-03-24 00:01 . 2008-03-24 00:01 68 --a------ C:\WINDOWS\system32\tmp1_201065333339.bk
2008-03-24 00:01 . 2008-03-24 00:01 68 --a------ C:\WINDOWS\system32\tmp0_710224585159.bk
2008-03-23 23:12 . 2008-03-23 23:12 <DIR> d-------- C:\Documents and Settings\grisha\Application Data\Grisoft
2008-03-23 21:00 . 2008-03-24 19:34 2,848 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-23 20:51 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\victor\Application Data\Grisoft
2008-03-23 20:51 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 20:51 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-23 20:30 . 2008-03-23 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-23 19:40 . 2008-03-24 22:37 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-23 19:40 . 2008-03-23 19:40 <DIR> d-------- C:\Program Files\stc
2008-03-23 19:40 . 2008-03-23 19:40 29,696 --a------ C:\WINDOWS\msa64chk.dll
2008-03-23 19:40 . 2008-03-23 19:40 26,624 --a------ C:\WINDOWS\didduid.ini
2008-03-23 19:40 . 2008-03-23 19:40 26,368 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-23 19:40 . 2008-03-23 19:40 23,552 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-03-23 19:40 . 2008-03-23 19:40 18,944 --a------ C:\WINDOWS\123messenger.per
2008-03-23 19:40 . 2008-03-23 19:40 13,568 --a------ C:\WINDOWS\msapasrc.dll
2008-03-23 19:39 . 2008-03-23 19:39 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-23 19:28 . 2008-03-23 19:28 68 --a------ C:\WINDOWS\system32\tmp0_827624399537.bk
2008-03-23 19:27 . 2008-03-23 19:27 3,806,230 --a------ C:\WINDOWS\jkWiMDVyxA.exe
2008-03-23 19:27 . 2008-03-23 19:27 64,000 --a------ C:\WINDOWS\nwhujehe.dll
2008-03-23 19:27 . 2008-03-23 19:27 64,000 --a------ C:\Documents and Settings\All Users\Application Data\tapmlkli.dll
2008-03-23 19:27 . 2008-03-23 19:27 46,080 --a------ C:\WINDOWS\clqvcvcj.exe
2008-03-23 19:26 . 2008-03-23 19:28 <DIR> d-------- C:\Program Files\Bat
2008-03-23 19:26 . 2008-03-26 08:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 19:26 . 2007-09-13 18:36 126,464 --a------ C:\WINDOWS\2.exe
2008-03-23 19:26 . 2008-03-23 19:26 0 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-03-22 10:06 . 2008-03-22 10:06 <DIR> d-------- C:\unetbootin
2008-03-10 20:29 . 2008-03-10 20:29 786,432 ---h----- C:\WINDOWS\system\Update.exe
2008-03-06 23:09 . 2008-03-13 20:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-06 23:09 . 2008-03-06 23:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 22:38 . 2008-03-01 22:38 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 22:38 . 2008-03-01 22:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 12:00 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-26 11:54 --------- d-----w C:\Documents and Settings\victor\Application Data\DMCache
2008-03-25 02:47 --------- d-----w C:\Program Files\Lavasoft
2008-03-25 02:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 21:30 --------- d-----w C:\Documents and Settings\victor\Application Data\BitTorrent
2008-03-23 20:48 --------- d-----w C:\Program Files\BitTorrent
2008-03-13 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-05 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-05 14:28 --------- d-----w C:\Documents and Settings\victor\Application Data\Canon
2008-03-05 14:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 14:27 --------- d-----w C:\Program Files\TVAnts
2008-03-05 14:27 --------- d-----w C:\Program Files\TrackMania United
2008-03-05 14:27 --------- d-----w C:\Program Files\GameShadow
2008-03-05 14:27 --------- d-----w C:\Program Files\eXtreme Movie Manager
2008-02-18 22:24 --------- d-----w C:\Documents and Settings\victor\Application Data\Intuit
2008-02-16 14:19 --------- d-----w C:\Program Files\Emerald Editor Community
2008-02-02 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania United
2008-01-31 03:08 --------- d-----w C:\Documents and Settings\victor\Application Data\Vso
2008-01-31 00:27 --------- d-----w C:\Documents and Settings\grisha\Application Data\CyberLink
2008-01-30 01:20 --------- d-----w C:\Documents and Settings\grisha\Application Data\BitTorrent
2008-01-26 13:56 --------- d-----w C:\Program Files\StormII
2008-01-26 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2008-01-04 23:32 87,608 ----a-w C:\Documents and Settings\victor\Application Data\inst.exe
2008-01-04 23:32 47,360 ----a-w C:\Documents and Settings\victor\Application Data\pcouffin.sys
2008-01-04 23:30 87,608 ----a-w C:\Documents and Settings\victor\Application Data\ezpinst.exe
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2001-08-23 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-01-19 11:38 360064 01307b76a916a8f6d1f1452744ba7ad6 C:\WINDOWS\system32\backup\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2beacc78-1dd2-11b2-a54a-904608489bac}]
2008-03-23 19:27 64000 --a------ C:\WINDOWS\nwhujehe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 21:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Download Master"="C:\Program Files\Download Master\dmaster.exe" [ ]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 18:43 95536]
"AtiTrayTools"="C:\Program Files\ATI Tray Tools\atitray.exe" [2007-05-22 05:04 521128]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-04-07 08:49 892672]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"Windows Updates"="c:\windows\system\Update.exe" [2008-03-10 20:29 786432]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 14:34 163840]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 11:09 126976]
"Windows Updates"="c:\windows\system\Update.exe" [2008-03-10 20:29 786432]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:*:Disabled:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:*:Disabled:Altova License Metering Port (TCP)
"1041:TCP"= 1041:TCP:DC++
"1041:UDP"= 1041:UDP:DC++
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2006-08-23 12:10]
R1 atitray;atitray;C:\Program Files\ATI Tray Tools\atitray.sys [2007-05-22 05:04]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 13:56]
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2005-11-03 10:52]
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2005-11-03 10:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d1b8f95-6d36-11db-a699-000129d2927b}]
\Shell\AutoRun\command - J:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 12:03:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 08:04:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Windows Updates"="c:\\windows\\system\\Update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Updates"="c:\\windows\\system\\Update.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-26 8:05:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 12:05:54
.
2008-03-24 01:09:07 --- E O F ---
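
As an added example (not from the thread and not ComboFix's own code), here is a Python pass over entries constructed from the 'Files Created' listing above. It clusters files by creation time to locate the batch dropped in one sitting, and notes per-file oddities: a zero-byte OCX (consistent with the Run-time error 339 in the first post), a modification time older than the creation time, and hidden executables. The 15-minute window, the minimum cluster size and the reading of the attribute column are assumed triage choices.

```python
"""Timeline clustering over a ComboFix 'Files Created' listing.

Added example; not part of the thread and not ComboFix's own code. The
window and checks below are assumed triage thresholds.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: entries copied from the listing posted above.
SAMPLE_CREATED = r"""
2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp4_239911509875.bk
2008-03-25 21:22 . 2008-03-25 21:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 19:40 . 2008-03-23 19:40 29,696 --a------ C:\WINDOWS\msa64chk.dll
2008-03-23 19:40 . 2008-03-23 19:40 26,368 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-23 19:39 . 2008-03-23 19:39 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-23 19:27 . 2008-03-23 19:27 64,000 --a------ C:\WINDOWS\nwhujehe.dll
2008-03-23 19:27 . 2008-03-23 19:27 46,080 --a------ C:\WINDOWS\clqvcvcj.exe
2008-03-23 19:26 . 2008-03-23 19:28 <DIR> d-------- C:\Program Files\Bat
2008-03-23 19:26 . 2007-09-13 18:36 126,464 --a------ C:\WINDOWS\2.exe
2008-03-23 19:26 . 2008-03-23 19:26 0 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-03-22 10:06 . 2008-03-22 10:06 <DIR> d-------- C:\unetbootin
2008-03-10 20:29 . 2008-03-10 20:29 786,432 ---h----- C:\WINDOWS\system\Update.exe
"""

# created . modified size-or-<DIR> attributes path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$"
)


def parse_created(text):
    """Parse the listing into dicts with created/modified datetimes, size, attrs, path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"),
            "size": None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", "")),
            "attrs": m.group(4),
            "path": m.group(5),
        })
    return entries


def clusters(entries, gap=timedelta(minutes=15), min_size=3):
    """Group entries whose creation time is within `gap` of the previous entry.

    A burst of files created within a few minutes of each other is the
    footprint of one installer run; isolated entries are left out.
    """
    ordered = sorted(entries, key=lambda e: e["created"])
    groups, current = [], []
    for e in ordered:
        if current and e["created"] - current[-1]["created"] > gap:
            if len(current) >= min_size:
                groups.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        groups.append(current)
    return groups


def oddities(entries):
    """Per-file checks that do not depend on timing; returns [(path, reason)]."""
    out = []
    for e in entries:
        path, low = e["path"], e["path"].lower()
        if e["size"] == 0 and low.endswith((".ocx", ".dll", ".exe")):
            out.append((path, "zero-byte component: registering it cannot succeed"))
        if e["modified"] < e["created"]:
            out.append((path, "modified before created: timestamp carried over from the source file"))
        # Assumption: an 'h' in the attribute column marks a hidden file.
        if "h" in e["attrs"] and low.endswith(".exe"):
            out.append((path, "hidden executable"))
    return out


if __name__ == "__main__":
    entries = parse_created(SAMPLE_CREATED)
    for group in clusters(entries):
        print(f"{len(group)} files created between {group[0]['created']} and {group[-1]['created']}")
        for e in group:
            print("   ", e["path"])
    for path, reason in oddities(entries):
        print(f"{reason}: {path}")
```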

#4 Buckeye_Sam (Malware Expert)

Posted 26 March 2008 - 06:48 PM

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\FLEOK
C:\Program Files\stc
C:\Program Files\Sysmnt
C:\Program Files\Bat

File::
C:\WINDOWS\system32\tmp4_239911509875.bk
C:\WINDOWS\system32\tmp3_568143380774.bk
C:\WINDOWS\system32\tmp1_868532810858.bk
C:\WINDOWS\system32\tmp0_18975577205.bk
C:\WINDOWS\system32\tmp4_258519349818.bk
C:\WINDOWS\system32\tmp3_793961360992.bk
C:\WINDOWS\system32\tmp1_543491677370.bk
C:\WINDOWS\system32\tmp0_388164871291.bk
C:\WINDOWS\system32\tmp4_263044261275.bk
C:\WINDOWS\system32\tmp3_422459565909.bk
C:\WINDOWS\system32\tmp1_19501197492.bk
C:\WINDOWS\system32\tmp0_151568504564.bk
C:\WINDOWS\system32\tmp4_516811173816.bk
C:\WINDOWS\system32\tmp3_825464734503.bk
C:\WINDOWS\system32\tmp1_750920219694.bk
C:\WINDOWS\system32\tmp0_565572773559.bk
C:\WINDOWS\system32\tmp4_598583517610.bk
C:\WINDOWS\system32\tmp1_201065333339.bk
C:\WINDOWS\system32\tmp0_710224585159.bk
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\didduid.ini
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\123messenger.per
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\system32\tmp0_827624399537.bk
C:\WINDOWS\jkWiMDVyxA.exe
C:\WINDOWS\nwhujehe.dll
C:\Documents and Settings\All Users\Application Data\tapmlkli.dll
C:\WINDOWS\clqvcvcj.exe
C:\WINDOWS\2.exe
C:\WINDOWS\system\Update.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2beacc78-1dd2-11b2-a54a-904608489bac}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Updates"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Updates"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 polyav

polyav
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 AM

Posted 26 March 2008 - 09:38 PM

I followed the instructions. ComboFix starts and goes through the first two steps (Scanning for infected files, and ComboFix has changed your clock settings), but after that it gets stuck on the Deleting Files/Folders step. I tried it two times and it got stuck at this step. (The computer is not freezing, but it doesn't get past this step.)
thanks

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:03 AM

Posted 27 March 2008 - 07:02 AM

Look for a log named Combofix2.txt and post it.

#7 polyav

polyav
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 AM

Posted 27 March 2008 - 05:06 PM

ComboFix 08-03-25.4 - victor 2008-03-26 7:56:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.358 [GMT -4:00]
Running from: C:\Documents and Settings\victor\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\#SharedObjects\SCA3269M\www.broadcaster.com
C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\#SharedObjects\SCA3269M\www.broadcaster.com\played_list.sol
C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\#SharedObjects\SCA3269M\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\grisha\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\#SharedObjects\PVXKHFLZ\www.broadcaster.com
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\#SharedObjects\PVXKHFLZ\www.broadcaster.com\played_list.sol
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\#SharedObjects\PVXKHFLZ\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\victor\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\pcast
C:\Program Files\pcast\news.Sel
C:\WINDOWS\2020search2.dll
C:\WINDOWS\BMdf6eff53.xml
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\ayfgiyqu.dll
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Service_perfmons
-------\Service_Routing


((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp4_239911509875.bk
2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp3_568143380774.bk
2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp1_868532810858.bk
2008-03-26 00:01 . 2008-03-26 00:01 68 --a------ C:\WINDOWS\system32\tmp0_18975577205.bk
2008-03-25 21:46 . 2008-03-25 21:53 <DIR> d-------- C:\Documents and Settings\victor\.housecall6.6
2008-03-25 21:22 . 2008-03-25 21:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 11:31 . 2008-03-25 11:31 68 --a------ C:\WINDOWS\system32\tmp4_258519349818.bk
2008-03-25 11:31 . 2008-03-25 11:31 68 --a------ C:\WINDOWS\system32\tmp3_793961360992.bk
2008-03-25 11:31 . 2008-03-25 11:31 68 --a------ C:\WINDOWS\system32\tmp1_543491677370.bk
2008-03-25 11:31 . 2008-03-25 11:31 68 --a------ C:\WINDOWS\system32\tmp0_388164871291.bk
2008-03-25 00:01 . 2008-03-25 00:01 68 --a------ C:\WINDOWS\system32\tmp4_263044261275.bk
2008-03-25 00:00 . 2008-03-25 00:00 68 --a------ C:\WINDOWS\system32\tmp3_422459565909.bk
2008-03-25 00:00 . 2008-03-25 00:00 68 --a------ C:\WINDOWS\system32\tmp1_19501197492.bk
2008-03-25 00:00 . 2008-03-25 00:00 68 --a------ C:\WINDOWS\system32\tmp0_151568504564.bk
2008-03-24 22:47 . 2008-03-24 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 21:23 . 2008-03-24 22:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-24 21:23 . 2008-03-24 21:23 <DIR> d-------- C:\Documents and Settings\victor\Application Data\SUPERAntiSpyware.com
2008-03-24 21:23 . 2008-03-24 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-24 21:08 . 2008-03-24 21:08 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-24 21:08 . 2008-03-24 21:08 <DIR> d-------- C:\Program Files\180search assistant
2008-03-24 19:17 . 2008-03-24 19:17 68 --a------ C:\WINDOWS\system32\tmp4_516811173816.bk
2008-03-24 19:17 . 2008-03-24 19:17 68 --a------ C:\WINDOWS\system32\tmp3_825464734503.bk
2008-03-24 19:16 . 2008-03-24 19:16 68 --a------ C:\WINDOWS\system32\tmp1_750920219694.bk
2008-03-24 19:16 . 2008-03-24 19:16 68 --a------ C:\WINDOWS\system32\tmp0_565572773559.bk
2008-03-24 00:02 . 2008-03-24 00:02 68 --a------ C:\WINDOWS\system32\tmp4_598583517610.bk
2008-03-24 00:01 . 2008-03-24 00:01 68 --a------ C:\WINDOWS\system32\tmp1_201065333339.bk
2008-03-24 00:01 . 2008-03-24 00:01 68 --a------ C:\WINDOWS\system32\tmp0_710224585159.bk
2008-03-23 23:12 . 2008-03-23 23:12 <DIR> d-------- C:\Documents and Settings\grisha\Application Data\Grisoft
2008-03-23 21:00 . 2008-03-24 19:34 2,848 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-23 20:51 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\victor\Application Data\Grisoft
2008-03-23 20:51 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 20:51 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-23 20:30 . 2008-03-23 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-23 19:40 . 2008-03-24 22:37 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-23 19:40 . 2008-03-23 19:40 <DIR> d-------- C:\Program Files\stc
2008-03-23 19:40 . 2008-03-23 19:40 29,696 --a------ C:\WINDOWS\msa64chk.dll
2008-03-23 19:40 . 2008-03-23 19:40 26,624 --a------ C:\WINDOWS\didduid.ini
2008-03-23 19:40 . 2008-03-23 19:40 26,368 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-23 19:40 . 2008-03-23 19:40 23,552 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-03-23 19:40 . 2008-03-23 19:40 18,944 --a------ C:\WINDOWS\123messenger.per
2008-03-23 19:40 . 2008-03-23 19:40 13,568 --a------ C:\WINDOWS\msapasrc.dll
2008-03-23 19:39 . 2008-03-23 19:39 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-23 19:28 . 2008-03-23 19:28 68 --a------ C:\WINDOWS\system32\tmp0_827624399537.bk
2008-03-23 19:27 . 2008-03-23 19:27 3,806,230 --a------ C:\WINDOWS\jkWiMDVyxA.exe
2008-03-23 19:27 . 2008-03-23 19:27 64,000 --a------ C:\WINDOWS\nwhujehe.dll
2008-03-23 19:27 . 2008-03-23 19:27 64,000 --a------ C:\Documents and Settings\All Users\Application Data\tapmlkli.dll
2008-03-23 19:27 . 2008-03-23 19:27 46,080 --a------ C:\WINDOWS\clqvcvcj.exe
2008-03-23 19:26 . 2008-03-23 19:28 <DIR> d-------- C:\Program Files\Bat
2008-03-23 19:26 . 2008-03-26 08:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 19:26 . 2007-09-13 18:36 126,464 --a------ C:\WINDOWS\2.exe
2008-03-23 19:26 . 2008-03-23 19:26 0 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-03-22 10:06 . 2008-03-22 10:06 <DIR> d-------- C:\unetbootin
2008-03-10 20:29 . 2008-03-10 20:29 786,432 ---h----- C:\WINDOWS\system\Update.exe
2008-03-06 23:09 . 2008-03-13 20:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-06 23:09 . 2008-03-06 23:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 22:38 . 2008-03-01 22:38 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 22:38 . 2008-03-01 22:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 12:00 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-26 11:54 --------- d-----w C:\Documents and Settings\victor\Application Data\DMCache
2008-03-25 02:47 --------- d-----w C:\Program Files\Lavasoft
2008-03-25 02:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 21:30 --------- d-----w C:\Documents and Settings\victor\Application Data\BitTorrent
2008-03-23 20:48 --------- d-----w C:\Program Files\BitTorrent
2008-03-13 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-05 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-05 14:28 --------- d-----w C:\Documents and Settings\victor\Application Data\Canon
2008-03-05 14:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 14:27 --------- d-----w C:\Program Files\TVAnts
2008-03-05 14:27 --------- d-----w C:\Program Files\TrackMania United
2008-03-05 14:27 --------- d-----w C:\Program Files\GameShadow
2008-03-05 14:27 --------- d-----w C:\Program Files\eXtreme Movie Manager
2008-02-18 22:24 --------- d-----w C:\Documents and Settings\victor\Application Data\Intuit
2008-02-16 14:19 --------- d-----w C:\Program Files\Emerald Editor Community
2008-02-02 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania United
2008-01-31 03:08 --------- d-----w C:\Documents and Settings\victor\Application Data\Vso
2008-01-31 00:27 --------- d-----w C:\Documents and Settings\grisha\Application Data\CyberLink
2008-01-30 01:20 --------- d-----w C:\Documents and Settings\grisha\Application Data\BitTorrent
2008-01-26 13:56 --------- d-----w C:\Program Files\StormII
2008-01-26 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2008-01-04 23:32 87,608 ----a-w C:\Documents and Settings\victor\Application Data\inst.exe
2008-01-04 23:32 47,360 ----a-w C:\Documents and Settings\victor\Application Data\pcouffin.sys
2008-01-04 23:30 87,608 ----a-w C:\Documents and Settings\victor\Application Data\ezpinst.exe
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2001-08-23 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-01-19 11:38 360064 01307b76a916a8f6d1f1452744ba7ad6 C:\WINDOWS\system32\backup\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2beacc78-1dd2-11b2-a54a-904608489bac}]
2008-03-23 19:27 64000 --a------ C:\WINDOWS\nwhujehe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 21:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Download Master"="C:\Program Files\Download Master\dmaster.exe" [ ]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 18:43 95536]
"AtiTrayTools"="C:\Program Files\ATI Tray Tools\atitray.exe" [2007-05-22 05:04 521128]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-04-07 08:49 892672]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"Windows Updates"="c:\windows\system\Update.exe" [2008-03-10 20:29 786432]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 14:34 163840]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 11:09 126976]
"Windows Updates"="c:\windows\system\Update.exe" [2008-03-10 20:29 786432]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:*:Disabled:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:*:Disabled:Altova License Metering Port (TCP)
"1041:TCP"= 1041:TCP:DC++
"1041:UDP"= 1041:UDP:DC++
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2006-08-23 12:10]
R1 atitray;atitray;C:\Program Files\ATI Tray Tools\atitray.sys [2007-05-22 05:04]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 13:56]
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2005-11-03 10:52]
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2005-11-03 10:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d1b8f95-6d36-11db-a699-000129d2927b}]
\Shell\AutoRun\command - J:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 12:03:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 08:04:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Windows Updates"="c:\\windows\\system\\Update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Updates"="c:\\windows\\system\\Update.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-26 8:05:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 12:05:54
.
2008-03-24 01:09:07 --- E O F ---
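
As an added example (not ComboFix code and not the helper's own tooling), the Python script below applies to ComboFix log lines the checks the helper above applied by eye before listing entries for the CFScript: a zero-byte MSWINSCK.OCX, a hidden Update.exe autostarted from C:\WINDOWS\system under a "Windows Updates" name, a Browser Helper Object DLL outside Program Files, Security Center overrides and a disabled firewall. The sample excerpt is assembled from lines of the log in this thread; the function names, the directory allow-list (EXPECTED_DIRS) and the reason labels are this example's own assumptions.

```python
"""Triage a ComboFix log excerpt for the indicators seen in this thread.
Added example, not ComboFix code; the directory allow-list and the reason
labels are assumptions made for this example."""
import re

# "Files Created" line:  2008-03-23 19:26 . 2008-03-23 19:26 0 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \S+ \S+ (?P<size>[\d,]+|<DIR>) "
                        r"(?P<attrs>[-a-z]{9}) (?P<path>.+)$")
# BHO line under a "Browser Helper Objects\{GUID}" key:  2008-03-23 19:27 64000 --a------ C:\WINDOWS\nwhujehe.dll
BHO_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ [-a-z]{9} (?P<path>.+)$")
# Run value:  "Windows Updates"="c:\windows\system\Update.exe" [2008-03-10 20:29 786432]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# Plain value:  "AntiVirusOverride"=dword:00000001   or   "EnableFirewall"= 0 (0x0)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-f]{8})|(?P<dec>\d+))')

PROGRAM_FILES = ("c:\\program files\\", "c:\\progra~1\\")
# Assumption for this example: where legitimate autostart binaries normally live.
EXPECTED_DIRS = PROGRAM_FILES + ("c:\\windows\\system32\\",)


def value_int(m):
    """Integer value of a VALUE_RE match, whether written as dword:hex or as decimal."""
    return int(m.group("hex"), 16) if m.group("hex") is not None else int(m.group("dec"))


def resolve_run_path(path, meta):
    """A bare file name in a Run value is resolved by ComboFix and echoed as the
    fourth field inside the brackets; return that, or '' when it was not resolved."""
    if "\\" in path:
        return path
    fields = meta.split(" ", 3)
    return fields[3] if len(fields) == 4 else ""


def triage(lines):
    """Return [(subject, reason), ...] for suspicious lines, in log order."""
    findings = []
    key = ""  # registry key whose values are currently being listed
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = CREATED_RE.match(line)
        if m:  # file-system section: size and attribute anomalies
            path = m.group("path")
            if m.group("size") == "0":
                findings.append((path, "zero-byte file"))
            elif "h" in m.group("attrs") and path.lower().endswith((".exe", ".dll", ".sys")):
                findings.append((path, "hidden executable"))
            continue
        if "browser helper objects" in key:
            m = BHO_RE.match(line)
            if m and not m.group("path").lower().startswith(PROGRAM_FILES):
                findings.append((m.group("path"), "BHO loaded from outside Program Files"))
        elif key.endswith("\\run"):
            m = RUN_RE.match(line)
            if not m:
                continue
            subject = f'{m.group("name")} = {m.group("path")}'
            resolved = resolve_run_path(m.group("path"), m.group("meta"))
            if not resolved:
                findings.append((subject, "Run entry binary not resolved by ComboFix"))
            elif not resolved.lower().startswith(EXPECTED_DIRS):
                findings.append((subject, "Run entry points outside the usual program directories"))
        elif "security center" in key:
            m = VALUE_RE.match(line)
            if m and m.group("name").endswith("Override") and value_int(m) == 1:
                findings.append((m.group("name"), "Security Center override set"))
        elif key.endswith("firewallpolicy\\standardprofile"):
            m = VALUE_RE.match(line)
            if m and m.group("name") == "EnableFirewall" and value_int(m) == 0:
                findings.append((m.group("name"), "Windows Firewall disabled"))
    return findings


# Constructed sample: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
2008-03-23 19:26 . 2008-03-23 19:26 0 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-03-10 20:29 . 2008-03-10 20:29 786,432 ---h----- C:\WINDOWS\system\Update.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2beacc78-1dd2-11b2-a54a-904608489bac}]
2008-03-23 19:27 64000 --a------ C:\WINDOWS\nwhujehe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Windows Updates"="c:\windows\system\Update.exe" [2008-03-10 20:29 786432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"Windows Updates"="c:\windows\system\Update.exe" [2008-03-10 20:29 786432]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
"""

if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason:55} {subject}")
```

Path heuristics alone miss entries such as C:\Program Files\Bat\Bat.dll, which the helper identified from the folder's creation time next to the other dropped files, so treat the output as a starting list rather than a verdict.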

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:03 AM

Posted 27 March 2008 - 05:17 PM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\180searchassistant
    C:\Program Files\180search assistant
    C:\WINDOWS\FLEOK
    C:\Program Files\stc
    C:\Program Files\Sysmnt
    C:\Program Files\Bat
    C:\WINDOWS\system32\tmp4_239911509875.bk
    C:\WINDOWS\system32\tmp3_568143380774.bk
    C:\WINDOWS\system32\tmp1_868532810858.bk
    C:\WINDOWS\system32\tmp0_18975577205.bk
    C:\WINDOWS\system32\tmp4_258519349818.bk
    C:\WINDOWS\system32\tmp3_793961360992.bk
    C:\WINDOWS\system32\tmp1_543491677370.bk
    C:\WINDOWS\system32\tmp0_388164871291.bk
    C:\WINDOWS\system32\tmp4_263044261275.bk
    C:\WINDOWS\system32\tmp3_422459565909.bk
    C:\WINDOWS\system32\tmp1_19501197492.bk
    C:\WINDOWS\system32\tmp0_151568504564.bk
    C:\WINDOWS\system32\tmp4_516811173816.bk
    C:\WINDOWS\system32\tmp3_825464734503.bk
    C:\WINDOWS\system32\tmp1_750920219694.bk
    C:\WINDOWS\system32\tmp0_565572773559.bk
    C:\WINDOWS\system32\tmp4_598583517610.bk
    C:\WINDOWS\system32\tmp1_201065333339.bk
    C:\WINDOWS\system32\tmp0_710224585159.bk
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\didduid.ini
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\system32\MSNSA32.dll
    C:\WINDOWS\123messenger.per
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\system32\tmp0_827624399537.bk
    C:\WINDOWS\jkWiMDVyxA.exe
    C:\WINDOWS\nwhujehe.dll
    C:\Documents and Settings\All Users\Application Data\tapmlkli.dll
    C:\WINDOWS\clqvcvcj.exe
    C:\WINDOWS\2.exe
    C:\WINDOWS\system\Update.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Also post a new log from Combofix.

#9 polyav

polyav
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 AM

Posted 28 March 2008 - 12:39 AM

I followed your instructions and received the following errors:
Bad Image
The application or DLL C:\WINDOWS\msa64chk.dll is not a valid Windows image.
Please Check this against your installation diskette.

Bad Image
The application or DLL C:\WINDOWS\system32\SIPSPI32.dll is not a valid Windows image.
Please Check this against your installation diskette.

Bad Image
The application or DLL C:\WINDOWS\system32\MSNA32.dll is not a valid Windows image.
Please Check this against your installation diskette.

Bad Image
The application or DLL C:\WINDOWS\system32\msapasrc.dll is not a valid Windows image.
Please Check this against your installation diskette.

after I clicked OK for the fourth error the program froze.

I tried to run it again after closing the program but
it froze again on the Moving file C:\WINDOWS\nwhujehe.dll step.

thanks

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:03 AM

Posted 28 March 2008 - 06:24 AM

Can you check to see if it created a log? It should be here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

#11 polyav

polyav
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 AM

Posted 28 March 2008 - 08:12 AM

no log
just three folders in that location
and the only log in the folders is
X_Bat.log

thanks

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:03 AM

Posted 29 March 2008 - 06:25 AM

Let's do it manually then.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.

Locate these files and delete them.

C:\WINDOWS\system32\tmp4_239911509875.bk
C:\WINDOWS\system32\tmp3_568143380774.bk
C:\WINDOWS\system32\tmp1_868532810858.bk
C:\WINDOWS\system32\tmp0_18975577205.bk
C:\WINDOWS\system32\tmp4_258519349818.bk
C:\WINDOWS\system32\tmp3_793961360992.bk
C:\WINDOWS\system32\tmp1_543491677370.bk
C:\WINDOWS\system32\tmp0_388164871291.bk
C:\WINDOWS\system32\tmp4_263044261275.bk
C:\WINDOWS\system32\tmp3_422459565909.bk
C:\WINDOWS\system32\tmp1_19501197492.bk
C:\WINDOWS\system32\tmp0_151568504564.bk
C:\WINDOWS\system32\tmp4_516811173816.bk
C:\WINDOWS\system32\tmp3_825464734503.bk
C:\WINDOWS\system32\tmp1_750920219694.bk
C:\WINDOWS\system32\tmp0_565572773559.bk
C:\WINDOWS\system32\tmp4_598583517610.bk
C:\WINDOWS\system32\tmp1_201065333339.bk
C:\WINDOWS\system32\tmp0_710224585159.bk
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\didduid.ini
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\123messenger.per
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\system32\tmp0_827624399537.bk
C:\WINDOWS\jkWiMDVyxA.exe
C:\WINDOWS\nwhujehe.dll
C:\Documents and Settings\All Users\Application Data\tapmlkli.dll
C:\WINDOWS\clqvcvcj.exe
C:\WINDOWS\2.exe
C:\WINDOWS\system\Update.exe



Locate these folders and delete them.

C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\FLEOK
C:\Program Files\stc
C:\Program Files\Sysmnt
C:\Program Files\Bat



Don't be concerned if there are some that you can't find. It's possible that they may have been removed already.
Reboot back into normal mode and then run Combofix again and post that log in your next reply.

#13 polyav

polyav
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 AM

Posted 29 March 2008 - 09:00 AM

ComboFix 08-03-25.4 - victor 2008-03-29 9:48:30.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.729 [GMT -4:00]
Running from: C:\Documents and Settings\victor\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\victor\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-27 19:43 . 2008-03-27 19:43 <DIR> d-------- C:\_OTMoveIt
2008-03-25 21:46 . 2008-03-25 21:53 <DIR> d-------- C:\Documents and Settings\victor\.housecall6.6
2008-03-25 21:22 . 2008-03-25 21:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 22:47 . 2008-03-24 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 21:23 . 2008-03-24 22:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-24 21:23 . 2008-03-24 21:23 <DIR> d-------- C:\Documents and Settings\victor\Application Data\SUPERAntiSpyware.com
2008-03-24 21:23 . 2008-03-24 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-23 23:12 . 2008-03-23 23:12 <DIR> d-------- C:\Documents and Settings\grisha\Application Data\Grisoft
2008-03-23 21:00 . 2008-03-24 19:34 2,848 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-23 20:51 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\victor\Application Data\Grisoft
2008-03-23 20:51 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 20:51 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-23 20:30 . 2008-03-23 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-23 19:26 . 2008-03-28 01:20 <DIR> d-------- C:\Program Files\Bat
2008-03-23 19:26 . 2008-03-29 09:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 19:26 . 2008-03-23 19:26 0 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-03-22 10:06 . 2008-03-22 10:06 <DIR> d-------- C:\unetbootin
2008-03-06 23:09 . 2008-03-27 07:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-06 23:09 . 2008-03-06 23:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 22:38 . 2008-03-01 22:38 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 22:38 . 2008-03-01 22:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 13:26 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-29 13:15 --------- d-----w C:\Documents and Settings\victor\Application Data\DMCache
2008-03-28 15:06 --------- d-----w C:\Documents and Settings\victor\Application Data\Vso
2008-03-27 22:25 --------- d-----w C:\Program Files\TVAnts
2008-03-27 22:25 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-25 02:47 --------- d-----w C:\Program Files\Lavasoft
2008-03-25 02:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 21:30 --------- d-----w C:\Documents and Settings\victor\Application Data\BitTorrent
2008-03-23 20:48 --------- d-----w C:\Program Files\BitTorrent
2008-03-13 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-05 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-05 14:28 --------- d-----w C:\Documents and Settings\victor\Application Data\Canon
2008-03-05 14:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 14:27 --------- d-----w C:\Program Files\TrackMania United
2008-03-05 14:27 --------- d-----w C:\Program Files\GameShadow
2008-03-05 14:27 --------- d-----w C:\Program Files\eXtreme Movie Manager
2008-02-18 22:24 --------- d-----w C:\Documents and Settings\victor\Application Data\Intuit
2008-02-16 14:19 --------- d-----w C:\Program Files\Emerald Editor Community
2008-02-02 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania United
2008-01-31 00:27 --------- d-----w C:\Documents and Settings\grisha\Application Data\CyberLink
2008-01-30 01:20 --------- d-----w C:\Documents and Settings\grisha\Application Data\BitTorrent
2008-01-04 23:32 47,360 ----a-w C:\Documents and Settings\victor\Application Data\pcouffin.sys
2008-01-04 23:30 87,608 ----a-w C:\Documents and Settings\victor\Application Data\ezpinst.exe
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2001-08-23 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-01-19 11:38 360064 01307b76a916a8f6d1f1452744ba7ad6 C:\WINDOWS\system32\backup\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2beacc78-1dd2-11b2-a54a-904608489bac}]
C:\WINDOWS\nwhujehe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
C:\Program Files\Bat\Bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Download Master"="C:\Program Files\Download Master\dmaster.exe" [ ]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 18:43 95536]
"AtiTrayTools"="C:\Program Files\ATI Tray Tools\atitray.exe" [2007-05-22 05:04 521128]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-04-07 08:49 892672]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"Windows Updates"="c:\windows\system\Update.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 14:34 163840]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 11:09 126976]
"Windows Updates"="c:\windows\system\Update.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:*:Disabled:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:*:Disabled:Altova License Metering Port (TCP)
"1041:TCP"= 1041:TCP:DC++
"1041:UDP"= 1041:UDP:DC++
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2006-08-23 12:10]
S1 atitray;atitray;C:\Program Files\ATI Tray Tools\atitray.sys [2007-05-22 05:04]
S2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 13:56]
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2005-11-03 10:52]
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2005-11-03 10:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d1b8f95-6d36-11db-a699-000129d2927b}]
\Shell\AutoRun\command - J:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 13:30:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 09:49:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Windows Updates"="c:\\windows\\system\\Update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Updates"="c:\\windows\\system\\Update.exe"
.
Completion time: 2008-03-29 9:49:58
ComboFix-quarantined-files.txt 2008-03-29 13:49:45
ComboFix2.txt 2008-03-26 12:05:57
.
2008-03-28 07:31:26 --- E O F ---
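The "Reg Loading Points" section of the log above is where the persistence in this thread is visible: two Browser Helper Objects (one of them a DLL sitting directly in C:\WINDOWS), a "Windows Updates" value pointing at c:\windows\system\Update.exe in both the HKCU and HKLM Run keys with no file timestamp beside it, the Security Center AntiVirusOverride and FirewallOverride values set to 1, and EnableFirewall set to 0. The script below is an added example for this thread; it is not ComboFix's code and was not posted by anyone in the discussion. It parses that section and reports those conditions mechanically. The sample input is excerpted from the log above; the vendor-directory heuristic, the finding names, and the assumption that an empty "[ ]" after an autorun means ComboFix found no file at that path are this example's own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2beacc78-1dd2-11b2-a54a-904608489bac}]
C:\WINDOWS\nwhujehe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
C:\Program Files\Bat\Bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Download Master"="C:\Program Files\Download Master\dmaster.exe" [ ]
"Windows Updates"="c:\windows\system\Update.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"Windows Updates"="c:\windows\system\Update.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "name"="target" [timestamp size]; assumption: ComboFix leaves the brackets
# empty when it finds no file at the target path.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# "name"=dword:00000001  or  "name"= 0 (0x0)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-f]{8})|(?P<dec>\d+)\s*\(0x[0-9a-f]+\))', re.I)
# Heuristic: autoruns and BHOs of properly installed software live under these.
VENDOR_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

def hive_abbrev(section):
    head = section.split("\\", 1)[0].upper()
    return {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}.get(head, head)

def parse_loading_points(text):
    """Split the section into autorun entries, BHO entries and numeric values."""
    autoruns, bhos, settings, section = [], [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        if section is None:
            continue
        low = section.lower()
        if "browser helper objects" in low:          # the line under the key is the DLL
            bhos.append({"clsid": section.rsplit("\\", 1)[-1], "dll": line})
        elif low.endswith("\\run") and (m := RUN_RE.match(line)):
            autoruns.append({"hive": hive_abbrev(section), "name": m.group("name"),
                             "target": m.group("target"),
                             "file_found": m.group("meta").strip() != ""})
        elif m := VALUE_RE.match(line):
            settings[m.group("name").lower()] = (int(m.group("hex"), 16) if m.group("hex")
                                                 else int(m.group("dec")))
    return autoruns, bhos, settings

def triage(text):
    """Return (kind, subject, detail) tuples for entries that deserve a second look."""
    autoruns, bhos, settings = parse_loading_points(text)
    findings, seen = [], {}
    for a in autoruns:
        subject, target = f'{a["hive"]}\\{a["name"]}', a["target"]
        if not a["file_found"]:
            findings.append(("autorun-missing-file", subject, target))
        if ":" in target and not target.lower().startswith(VENDOR_DIRS):
            findings.append(("autorun-outside-vendor-dirs", subject, target))
        # Same value name and target written to both the HKCU and HKLM Run keys.
        seen.setdefault((a["name"].lower(), target.lower()),
                        (a["name"], target, set()))[2].add(a["hive"])
    for name, target, hives in seen.values():
        if {"HKCU", "HKLM"} <= hives:
            findings.append(("autorun-in-both-hives", name, target))
    for b in bhos:
        if not b["dll"].lower().startswith(VENDOR_DIRS):
            findings.append(("bho-outside-vendor-dirs", b["clsid"], b["dll"]))
    # Security Center told to stop reporting, and the XP firewall switched off.
    for key, bad, kind, label in (
            ("antivirusoverride", 1, "securitycenter-av-override", "AntiVirusOverride"),
            ("firewalloverride", 1, "securitycenter-firewall-override", "FirewallOverride"),
            ("enablefirewall", 0, "windows-firewall-disabled", "EnableFirewall")):
        if settings.get(key) == bad:
            findings.append((kind, label, str(bad)))
    return findings

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:34} {subject:46} {detail}")
```

Run over the sample it reports the Download Master and both "Windows Updates" autoruns as pointing at missing files, the Windows Updates target as living outside any vendor directory and duplicated across hives, the nwhujehe.dll BHO, and the three disabled-protection settings, while ctfmon.exe and ccApp.exe pass. Feeding it the log posted after the CFScript was run (the next reply in this thread) still returns both "Windows Updates" values and the Security Center and firewall settings, which is a quick way to check whether a removal script did everything it was asked to do.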

#14 Buckeye_Sam

Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 March 2008 - 03:33 PM

It looks like you got most of them. Let's try combofix again with one difference that should help.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

KillAll::

Folder::
C:\Program Files\Bat
C:\Documents and Settings\All Users\Application Data\Rabio

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2beacc78-1dd2-11b2-a54a-904608489bac}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Updates"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Updates"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

(image: the CFScript file being dragged onto ComboFix.exe)

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 polyav

Topic Starter
  • Members
  • 14 posts

Posted 30 March 2008 - 09:46 AM

ComboFix 08-03-25.4 - victor 2008-03-30 10:19:54.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.803 [GMT -4:00]
Running from: C:\Documents and Settings\victor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\victor\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\Bat

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-27 19:43 . 2008-03-27 19:43 <DIR> d-------- C:\_OTMoveIt
2008-03-25 21:46 . 2008-03-25 21:53 <DIR> d-------- C:\Documents and Settings\victor\.housecall6.6
2008-03-25 21:22 . 2008-03-25 21:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 22:47 . 2008-03-24 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 21:23 . 2008-03-24 22:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-24 21:23 . 2008-03-24 21:23 <DIR> d-------- C:\Documents and Settings\victor\Application Data\SUPERAntiSpyware.com
2008-03-24 21:23 . 2008-03-24 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-23 23:12 . 2008-03-23 23:12 <DIR> d-------- C:\Documents and Settings\grisha\Application Data\Grisoft
2008-03-23 21:00 . 2008-03-24 19:34 2,848 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-23 20:51 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\victor\Application Data\Grisoft
2008-03-23 20:51 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 20:51 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-23 19:26 . 2008-03-29 09:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 19:26 . 2008-03-23 19:26 0 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-03-22 10:06 . 2008-03-22 10:06 <DIR> d-------- C:\unetbootin
2008-03-06 23:09 . 2008-03-27 07:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-06 23:09 . 2008-03-06 23:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 22:38 . 2008-03-01 22:38 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 22:38 . 2008-03-01 22:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-16 10:21 . 2008-02-16 14:34 165 --a------ C:\WINDOWS\cedt.INI
2008-02-16 10:19 . 2008-02-16 10:19 <DIR> d-------- C:\Program Files\Emerald Editor Community
2008-02-12 19:33 . 2004-08-04 03:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2008-02-12 19:33 . 2004-08-04 03:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2008-02-12 19:33 . 2001-08-17 15:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2008-02-12 19:33 . 2001-08-17 15:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2008-02-06 22:27 . 2005-06-15 04:00 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-02-06 22:04 . 2008-03-05 10:27 <DIR> d-------- C:\Program Files\eXtreme Movie Manager
2008-02-06 22:04 . 2000-05-22 00:00 1,009,336 --a------ C:\WINDOWS\system32\Mschrt20.ocx
2008-02-01 23:00 . 2008-02-01 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania United
2008-02-01 22:18 . 2008-03-05 10:27 <DIR> d-------- C:\Program Files\GameShadow

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 14:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-30 14:08 --------- d-----w C:\Documents and Settings\victor\Application Data\DMCache
2008-03-28 15:06 --------- d-----w C:\Documents and Settings\victor\Application Data\Vso
2008-03-27 22:25 --------- d-----w C:\Program Files\TVAnts
2008-03-27 22:25 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-25 02:47 --------- d-----w C:\Program Files\Lavasoft
2008-03-25 02:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 21:30 --------- d-----w C:\Documents and Settings\victor\Application Data\BitTorrent
2008-03-23 20:48 --------- d-----w C:\Program Files\BitTorrent
2008-03-13 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-05 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-05 14:28 --------- d-----w C:\Documents and Settings\victor\Application Data\Canon
2008-03-05 14:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 14:27 --------- d-----w C:\Program Files\TrackMania United
2008-02-18 22:24 --------- d-----w C:\Documents and Settings\victor\Application Data\Intuit
2008-01-31 00:27 --------- d-----w C:\Documents and Settings\grisha\Application Data\CyberLink
2008-01-30 01:20 --------- d-----w C:\Documents and Settings\grisha\Application Data\BitTorrent
2008-01-04 23:32 47,360 ----a-w C:\Documents and Settings\victor\Application Data\pcouffin.sys
2008-01-04 23:30 87,608 ----a-w C:\Documents and Settings\victor\Application Data\ezpinst.exe
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2001-08-23 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-01-19 11:38 360064 01307b76a916a8f6d1f1452744ba7ad6 C:\WINDOWS\system32\backup\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Download Master"="C:\Program Files\Download Master\dmaster.exe" [ ]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 18:43 95536]
"AtiTrayTools"="C:\Program Files\ATI Tray Tools\atitray.exe" [2007-05-22 05:04 521128]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-04-07 08:49 892672]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"Windows Updates"="c:\windows\system\Update.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 14:34 163840]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 11:09 126976]
"Windows Updates"="c:\windows\system\Update.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:*:Disabled:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:*:Disabled:Altova License Metering Port (TCP)
"1041:TCP"= 1041:TCP:DC++
"1041:UDP"= 1041:UDP:DC++
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service



