Millions Of Popups


  • This topic is locked
14 replies to this topic

#1 GrandstandInc

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 03 April 2008 - 11:10 AM

I have lots of popups that keep... well, popping up. I have run Spybot, Ad-Aware, F-Secure, and McAfee; all find something and say they remove it, but still popups. The big issue, other than when I am with a client and "Horny Matches" pops up, is most of the popups do not load completely and bring my computer to an almost complete stop. Here is my computer's HijackThis log. Can someone please help!

Thank you in advance.

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\sttray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - z2 Software - C:\Program Files\z2 Remote2PC\R2PCServ.exe


#2 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:22 AM

Posted 03 April 2008 - 11:42 AM

Hello GrandstandInc,

Welcome to Bleeping Computer :blink:

Could you please post a complete HijackThis log? The top is just as important as the rest of it. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 GrandstandInc (Topic Starter)

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 03 April 2008 - 12:10 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:40 AM, on 4/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\sttray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - z2 Software - C:\Program Files\z2 Remote2PC\R2PCServ.exe

--
End of file - 6892 bytes
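The log above lists every load point HijackThis enumerates, but nothing in it says which lines deserve attention first. As an added example (not part of this thread, and not HijackThis's own logic), the Python below parses the O2/O3/O4/O23 line formats that appear in the posted log and flags the entries a helper normally checks before anything else: an unnamed BHO, a Run value that names a bare executable (resolved by PATH search at logon), a service with no recorded publisher or a missing binary, and anything loading from a user-writable directory. The sample lines are copied from the posted log; the flag rules and the `USER_WRITABLE` list are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis log posted above: a constructed
# excerpt for this example, not a complete log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - z2 Software - C:\Program Files\z2 Remote2PC\R2PCServ.exe
"""


@dataclass
class Entry:
    section: str                      # O2, O3, O4 or O23
    name: str                         # BHO/toolbar name, Run value name, or "service [owner]"
    target: str                       # DLL, command line or service binary
    flags: list = field(default_factory=list)


HEADER_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Directories an unprivileged user can write to. Treating a loader that lives
# there as suspicious is a heuristic of this example, not a HijackThis rule.
USER_WRITABLE = ("\\AppData\\", "\\Temp\\", "\\ProgramData\\", "\\Users\\")


def parse_entry(line):
    """Return an Entry for an O2/O3/O4/O23 line, or None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("O2", "O3"):
        # "BHO: <name> - {CLSID} - <dll>" or "Toolbar: <name> - {CLSID} - <dll>"
        parts = body.split(": ", 1)[1].split(" - ", 2)
        return Entry(sec, parts[0].strip(), parts[2].strip()) if len(parts) == 3 else None
    if sec == "O4":
        if body.startswith("Global Startup: "):
            name, cmd = body[len("Global Startup: "):].split(" = ", 1)
            return Entry(sec, name, cmd)
        r = RUN_RE.match(body)
        return Entry(sec, r.group("name"), r.group("cmd")) if r else None
    if sec == "O23":
        # "Service: <display> - <owner> - <binary>[ (file missing)]"
        parts = body[len("Service: "):].split(" - ", 2)
        if len(parts) != 3:
            return None
        display, owner, binary = (p.strip() for p in parts)
        return Entry(sec, f"{display} [{owner}]", binary)
    return None


def flag(entry):
    """Attach the reasons a helper would look at this entry first."""
    t = entry.target
    if entry.section in ("O2", "O3") and entry.name == "(no name)":
        entry.flags.append("unnamed BHO/toolbar: identify it by CLSID and DLL path, not by name")
    if entry.section == "O4" and not (t.startswith('"') or re.match(r"^[A-Za-z]:\\", t)):
        entry.flags.append("bare executable name: resolved by PATH search at logon, so it can be hijacked")
    if entry.section == "O23":
        if "[Unknown owner]" in entry.name:
            entry.flags.append("no publisher recorded: verify the binary's signature or hash")
        if t.endswith("(file missing)"):
            entry.flags.append("service binary missing: orphaned entry, or a path a dropper could reclaim")
    if any(marker.lower() in t.lower() for marker in USER_WRITABLE):
        entry.flags.append("loads from a user-writable directory")
    return entry


def triage(log_text):
    """Parse every recognised line and return only the entries that got a flag."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    return [e for e in entries if flag(e).flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {e.name}\n     {e.target}")
        for f in e.flags:
            print(f"     -> {f}")
```

On the sample, four of the ten lines are returned: the unnamed SiteAdvisor BHO, the `sttray.exe` Run value with no path, and the two "Unknown owner" services (one of them also missing its binary). None of these is evidence of infection on its own; the point is that a flagged entry is where you go and verify the file, not where you delete.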

#4 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:22 AM

Posted 03 April 2008 - 12:24 PM

Hi there,

Thank you. :thumbsup: As with everything Vista, be sure you run this tool as Administrator:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
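The log ComboFix produces (the one posted in the next reply) contains a "Reg Loading Points" section in REGEDIT4 style. As an added example that is not part of this thread or of ComboFix, the Python below parses that section and reports the settings a responder should notice before cleaning anything: UAC disabled (`EnableLUA=0`), the Windows Firewall switched off per profile, Security Center monitoring and antivirus alerts suppressed, and `mountpoints2` autorun commands bound to removable drives. The excerpt is constructed from lines of the posted log; the checks, their wording and the `SCRIPT_EXT` list are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted in the next reply; it is not a complete log.
SAMPLE_REG_POINTS = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"HideShutdownScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36dc7548-614f-11dc-b58e-00188b8a5d98}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0bda4c9-e3aa-11dc-85b0-00188b8a5d98}]
\shell\AutoRun\command - F:\ff1q0gw.bat
\shell\explore\Command - F:\ff1q0gw.bat
\shell\open\Command - F:\ff1q0gw.bat
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')
SHELL_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")  # assumption of this example


def parse_value(raw):
    """ComboFix prints '0 (0x0)' or 'dword:00000001'; both become int, anything else stays str."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^-?\d+", raw)
    return int(m.group()) if m else raw


def parse_reg_points(text):
    """Return ({key: {value_name: value}}, {mountpoint_key: {shell_verb: command}})."""
    values, autorun = defaultdict(dict), defaultdict(dict)
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        if key is None:
            continue
        v = VALUE_RE.match(line)
        s = SHELL_RE.match(line)
        if v:
            values[key][v.group("name")] = parse_value(v.group("raw"))
        elif s:
            autorun[key][s.group("verb").lower()] = s.group("cmd")
    return values, autorun


def audit(text):
    """List the weakened protections and removable-drive autoruns found in the section."""
    values, autorun = parse_reg_points(text)
    findings = []
    for key, vals in values.items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if k.endswith("\\policies\\system") and vals.get("EnableLUA") == 0:
            findings.append("UAC disabled (EnableLUA=0): an admin user's processes run fully elevated")
        if "\\firewallpolicy\\" in k and vals.get("EnableFirewall") == 0:
            findings.append(f"Windows Firewall off for {leaf} (EnableFirewall=0); acceptable only if a third-party firewall owns the host")
        if "\\security center\\monitoring\\" in k and vals.get("DisableMonitoring") == 1:
            findings.append(f"Security Center no longer monitors {leaf} (DisableMonitoring=1)")
        if k.endswith("\\security center\\svc") and vals.get("AntiVirusOverride") == 1:
            findings.append("Security Center antivirus alerts suppressed (AntiVirusOverride=1)")
    for key, verbs in autorun.items():
        cmd = verbs.get("autorun")
        if not cmd:
            continue
        target = cmd.split()[0].lower()
        leaf = key.rsplit("\\", 1)[-1]
        # A script hooked to AutoRun plus the open/explore verbs of a removable
        # drive is the classic autorun-worm layout; an .exe launcher bound to
        # AutoRun alone (U3 sticks do this) is not flagged.
        if target.endswith(SCRIPT_EXT) or {"open", "explore"} <= set(verbs):
            findings.append(f"mountpoint {leaf}: AutoRun/open/explore bound to '{cmd}'; inspect that file before the drive is used again")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_POINTS):
        print("-", finding)
```

Run against the excerpt it reports six findings. The firewall ones need context: the posted log also shows a McAfee Personal Firewall service, and third-party suites routinely turn the Windows Firewall off and register their own Security Center monitoring, so those lines are a prompt to confirm which firewall is actually running, not proof of tampering. `EnableLUA=0` and the `F:` mountpoint entry have no such benign explanation and are the two items to resolve first.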

#5 GrandstandInc (Topic Starter)

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 03 April 2008 - 01:17 PM

Here we go, thanks.

ComboFix 08-04-03.3 - Design II 2008-04-03 10:58:23.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1188 [GMT -7:00]
Running from: C:\Users\Design II\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 18:05 --------- d-----w C:\Program Files\z2 Remote2PC
2008-04-03 07:00 --------- d-----w C:\ProgramData\SiteAdvisor
2008-04-02 18:31 --------- d-----w C:\Program Files\McAfee
2008-04-02 17:52 --------- d-----w C:\Users\Design II\AppData\Roaming\SiteAdvisor
2008-04-02 14:05 --------- d-----w C:\ProgramData\McAfee
2008-04-02 14:05 --------- d-----w C:\Program Files\SiteAdvisor
2008-04-02 14:04 --------- d-----w C:\Program Files\Common Files\McAfee
2008-04-02 14:03 --------- d-----w C:\Program Files\McAfee.com
2008-04-02 14:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-02 14:01 --------- d-----w C:\Program Files\F-Secure Internet Security
2008-04-02 13:57 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-02 13:55 --------- d-----w C:\ProgramData\F-Secure
2008-04-02 04:33 --------- d-----w C:\Program Files\Helio Player
2008-04-01 16:01 --------- d-----w C:\ProgramData\fssg
2008-04-01 05:44 --------- d-----w C:\Users\Design II\AppData\Roaming\F-Secure
2008-03-31 23:25 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-03-31 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 15:51 --------- d-----w C:\ProgramData\SecTaskMan
2008-03-31 15:40 --------- d-----w C:\Program Files\Security Task Manager
2008-03-31 14:09 --------- d-----w C:\Users\Design II\AppData\Roaming\dvdcss
2008-03-30 17:08 --------- d-----w C:\ProgramData\ATI
2008-03-30 17:08 --------- d-----w C:\Program Files\ATI
2008-03-30 17:05 --------- d-----w C:\Program Files\ATI Technologies
2008-03-30 16:52 --------- d-----w C:\Program Files\Xilisoft
2008-03-29 06:19 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-03-29 00:16 691 ----a-w C:\Users\Design II\AppData\Roaming\GetValue.vbs
2008-03-29 00:16 35 ----a-w C:\Users\Design II\AppData\Roaming\SetValue.bat
2008-03-28 20:44 --------- d-----w C:\Program Files\Trillian
2008-03-27 15:10 --------- d-----w C:\Users\Design II\AppData\Roaming\Uniblue
2008-03-27 15:10 --------- d-----w C:\Program Files\Uniblue
2008-03-27 03:39 --------- d-----w C:\Users\Design II\AppData\Roaming\U3
2008-03-26 15:50 82,432 ----a-w C:\Windows\System32\IEDFix.exe
2008-03-26 04:32 --------- d-----w C:\ProgramData\Lavasoft
2008-03-26 04:31 --------- d-----w C:\Program Files\Lavasoft
2008-03-26 04:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 03:59 --------- d-----w C:\Users\Design II\AppData\Roaming\System Tweaker
2008-03-26 01:16 --------- d-----w C:\Program Files\Real
2008-03-26 01:16 --------- d-----w C:\Program Files\Common Files\Real
2008-03-26 01:15 --------- d-----w C:\Users\Design II\AppData\Roaming\Move Networks
2008-03-26 01:14 --------- d-----w C:\Program Files\FontLab
2008-03-26 01:14 --------- d-----w C:\Program Files\Common Files\FontLab
2008-03-25 22:35 --------- d-----w C:\ProgramData\Uniblue
2008-03-25 22:07 --------- d-----w C:\Users\Design II\AppData\Roaming\Download Manager
2008-03-25 22:07 --------- d-----w C:\Program Files\LimeWire
2008-03-25 17:20 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-25 17:13 86,016 ----a-w C:\Windows\system32\drivers\AGP4400.sys
2008-03-25 17:13 167,545 ----a-w C:\Windows\system32\drivers\core.cache.dsk
2008-03-25 17:13 --------- d---a-w C:\ProgramData\TEMP
2008-03-24 16:36 --------- d-----w C:\Users\Design II\AppData\Roaming\Apple Computer
2008-03-24 00:18 --------- d-----w C:\Program Files\Safari
2008-03-20 22:58 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-15 03:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-12 15:11 --------- d-----w C:\Program Files\Windows Mail
2008-02-26 05:53 3,520,512 ----a-w C:\Windows\system32\drivers\atikmdag.sys
2008-02-26 03:10 372,736 ----a-w C:\Windows\System32\ATIDEMGX.dll
2008-02-26 03:10 159,744 ----a-w C:\Windows\System32\atitmmxx.dll
2008-02-26 03:09 43,520 ----a-w C:\Windows\System32\ati2edxx.dll
2008-02-26 03:09 315,392 ----a-w C:\Windows\System32\atipdlxx.dll
2008-02-26 03:09 253,952 ----a-w C:\Windows\System32\Ati2evxx.dll
2008-02-26 03:09 245,760 ----a-w C:\Windows\System32\Oemdspif.dll
2008-02-26 03:08 655,360 ----a-w C:\Windows\System32\Ati2evxx.exe
2008-02-26 02:55 3,074,048 ----a-w C:\Windows\System32\atiumdag.dll
2008-02-26 02:47 9,662,464 ----a-w C:\Windows\System32\atioglxx.dll
2008-02-26 02:40 4,084,736 ----a-w C:\Windows\System32\atiumdva.dll
2008-02-26 02:29 47,104 ----a-w C:\Windows\System32\amdpcom32.dll
2008-02-26 02:14 49,152 ----a-w C:\Windows\system32\drivers\ati2erec.dll
2008-02-24 22:56 --------- d-----w C:\Program Files\iTunes
2008-02-24 22:55 --------- d-----w C:\ProgramData\Apple Computer
2008-02-24 22:55 --------- d-----w C:\Program Files\iPod
2008-02-24 22:54 --------- d-----w C:\Program Files\QuickTime
2008-02-13 14:46 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 14:46 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 14:43 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 14:43 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 14:43 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 14:42 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 14:42 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 14:42 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 14:42 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 14:42 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 14:42 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 14:42 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 14:42 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 14:42 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 14:42 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 14:42 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-13 14:40 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 14:40 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 14:40 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 14:40 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-01-09 01:07 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-08-29 16:21 174 --sha-w C:\Program Files\desktop.ini
2007-10-15 15:36 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-15 15:36 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-15 15:36 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-07 22:16 303104 C:\Windows\sttray.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 14:57 36640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{453A088B-6677-41BF-8C22-8B0B3C39A038}"= UDP:990:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{F72F0229-66B6-41C0-8AB9-A36F4FE8CBD3}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{475CE7C5-4C57-472C-8B50-41B8647F8A70}"= UDP:C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:Adobe Version Cue CS2
"{2D762D7A-4211-43A1-8FC8-F0A80A33C096}"= TCP:C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:Adobe Version Cue CS2
"{C8E0D961-53F5-4FAC-A847-B614D3D6D0CA}"= UDP:5721:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{BB55E0C3-2C2E-43F1-BEC7-7D730627043D}"= UDP:1034:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{54122A47-45D2-431A-BDFA-CC739414412A}"= UDP:5678:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{1FDF7260-DD67-441A-9612-6E38886231C6}"= UDP:999:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{CCA51F4E-C2C1-4C8D-B30A-EC64470EB519}"= UDP:26675:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{1AF5737C-986A-4A4C-9B38-456BBC205065}"= UDP:990:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{5A63ECA1-1868-429C-9051-1EE9E9C98BDE}"= UDP:5721:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{417FF1CD-A989-47A5-A409-CAD8F4F599E6}"= UDP:1034:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{F5FD2A0C-0D3B-4962-9CF5-451C61350E84}"= UDP:5678:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{8EDFA0DA-619E-423A-9015-7AF2BFB6B883}"= UDP:999:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{5153685D-B512-4C9D-B3BD-1AD2A0E55DD3}"= UDP:26675:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{DA83D3F7-11E4-4FEA-A47B-A4FCA6D2FBC2}"= UDP:990:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"TCP Query User{29CDE530-609C-478F-907A-DF1432BA87A7}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{0546C34A-CCF8-4497-B473-BFAFE70CF3F8}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C5907A17-D351-40FB-A45E-59DD0C47F23B}C:\\program files\\macromedia\\dreamweaver mx\\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver mx\dreamweaver.exe:Dreamweaver MX
"UDP Query User{A74D5868-E700-4BE3-B63D-CD5F24801AAC}C:\\program files\\macromedia\\dreamweaver mx\\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver mx\dreamweaver.exe:Dreamweaver MX
"TCP Query User{974DB2BA-CCA4-4899-84C2-D4322CC1CEE4}C:\\program files\\macromedia\\fireworks mx\\fireworks.exe"= UDP:C:\program files\macromedia\fireworks mx\fireworks.exe:Fireworks MX
"UDP Query User{5EBAD948-CDFF-46D9-A366-2AA741049A56}C:\\program files\\macromedia\\fireworks mx\\fireworks.exe"= TCP:C:\program files\macromedia\fireworks mx\fireworks.exe:Fireworks MX
"{7EF6E189-23DC-43CA-8E88-174B9CEEC38F}"= UDP:C:\Program Files\z2 Remote2PC\R2PCCln.exe:z2 Remote2PC Client
"{2BD70B5D-F7B6-4052-91C1-74CA76A7D529}"= TCP:C:\Program Files\z2 Remote2PC\R2PCCln.exe:z2 Remote2PC Client
"{BD6AEF1A-3190-4B1F-95C4-BCE04BB34168}"= UDP:C:\Program Files\z2 Remote2PC\R2PCServ.exe:z2 Remote2PC Server
"{B54936AA-A7A6-4187-98DF-0824B43E06E9}"= TCP:C:\Program Files\z2 Remote2PC\R2PCServ.exe:z2 Remote2PC Server
"TCP Query User{06F24B4B-68FA-4775-953F-3A001DA2FA16}C:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"UDP Query User{AC483BFA-6770-4DF0-8BC5-7292193F0B0A}C:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"{CCFB6359-DE6F-4D93-AC15-FA7E54831AF2}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{FCE00F20-CA91-4E1F-BF77-A5AD54937FE0}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{AA490E08-CE16-4583-9420-2246F0A5A4BA}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{FC80711C-AC68-4E62-951F-51D3F7B952F1}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{E3D894DE-19F2-46F3-B3F8-C06499047ED3}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{05AA82D4-AA82-48E7-BF93-7A5F6F709BC0}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1E800B68-018A-42F0-A5A7-18642E06F7C3}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2006-08-11 08:35]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 02:45]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 WcesComm;Windows Mobile 2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 02:45]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-25 22:53]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;C:\Windows\system32\Drivers\athwpn.sys [2004-10-14 03:24]
S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\cur_bus.sys [2005-07-19 18:39]
S3 cur_mdfl;Curitel Packet Service Filter;C:\Windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 18:40]
S3 cur_mdm;Curitel Packet Service Drivers;C:\Windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 18:40]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\Windows\system32\DRIVERS\cur_serd.sys [2005-07-19 18:42]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-25 22:53]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111.sys [2005-01-07 10:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36dc7548-614f-11dc-b58e-00188b8a5d98}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{434176c7-d41f-11db-9b26-806e6f6e6963}]
\shell\AutoRun\command - E:\install.EXE id= ver=1.0.0.0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0bda4c9-e3aa-11dc-85b0-00188b8a5d98}]
\shell\AutoRun\command - F:\ff1q0gw.bat
\shell\explore\Command - F:\ff1q0gw.bat
\shell\open\Command - F:\ff1q0gw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0bda4ce-e3aa-11dc-85b0-00188b8a5d98}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 17:56:11 C:\Windows\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-02 17:56:11 C:\Windows\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-26 00:09:29 C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-25 21:48:55 C:\Windows\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-26 00:09:29 C:\Windows\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-03-25 23:51:32 C:\Windows\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-04-03 18:10:17 C:\Windows\Tasks\User_Feed_Synchronization-{CDCE7F36-FC26-4445-A60D-7FB8D57716CD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 11:06:40
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6172\saHook.dll
-> C:\Windows\system32\DLAAPI_W.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\z2 Remote2PC\R2PCServ.exe
C:\Program Files\z2 Remote2PC\R2PCServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\z2 Remote2PC\R2PCSH.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\WUDFHost.exe
.
**************************************************************************
.
Completion time: 2008-04-03 11:13:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-03 18:13:11
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-04-02 03:34:10 --- E O F ---
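
The ComboFix log above carries several settings a reviewer would want to find quickly: the Windows Firewall is disabled in both the public and standard profiles (`"EnableFirewall"= 0`), UAC is off (`"EnableLUA"= 0`), Security Center antivirus monitoring is overridden, and a removable drive carries autorun entries that launch `F:\ff1q0gw.bat`. The following Python triage helper is an added example for this thread; it is not ComboFix's code and not something the poster ran. The regular expressions are written against the `[key]` / `"Name"= value` and `\shell\...\command - ...` formats as they appear in the log above, the sample lines are copied from that log, and the list of script extensions treated as higher risk is the example's own assumption.

```python
"""Triage helper for the registry sections of a ComboFix-style log.

Added example for the thread, not ComboFix's own code. It walks the
"[key]" / "Name"= value blocks and the mountpoints2 autorun entries that
ComboFix prints and flags settings that weaken the host's defences, so a
reviewer can find them without reading the whole log.
"""
import re
from dataclasses import dataclass

# (lower-case fragment of the registry key path, value name)
#   -> (value that weakens the host, severity, description)
WEAKENING_SETTINGS = {
    ("firewallpolicy", "EnableFirewall"): ("0", "high", "Windows Firewall disabled for this profile"),
    ("policies\\system", "EnableLUA"): ("0", "high", "UAC (LUA) disabled"),
    ("security center\\svc", "AntiVirusOverride"): ("1", "medium", "Security Center antivirus alerts overridden"),
    ("security center\\monitoring", "DisableMonitoring"): ("1", "medium", "Security Center monitoring of a product disabled"),
}
# Assumption of this example: autorun targets with these extensions are scripts,
# which the U3 launcher and vendor installers in the log do not use.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".scr", ".pif")

KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches both  "EnableFirewall"= 0 (0x0)  and  "AntiVirusOverride"=dword:00000001
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:0*)?(\S+)')
AUTORUN_RE = re.compile(r"^\\shell\\(\w+)\\command - (.+)$", re.IGNORECASE)

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CCFB6359-DE6F-4D93-AC15-FA7E54831AF2}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0bda4c9-e3aa-11dc-85b0-00188b8a5d98}]
\shell\AutoRun\command - F:\ff1q0gw.bat
\shell\explore\Command - F:\ff1q0gw.bat
\shell\open\Command - F:\ff1q0gw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0bda4ce-e3aa-11dc-85b0-00188b8a5d98}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    key: str
    detail: str


def triage(lines):
    """Return a Finding for every weakening setting and every autorun entry in `lines`."""
    findings = []
    current_key = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        key_lower = current_key.lower()

        # Removable-media autorun handlers: a script target is the stronger signal.
        autorun = AUTORUN_RE.match(line)
        if autorun and "mountpoints2" in key_lower:
            verb, command = autorun.groups()
            target = command.split()[0]
            severity = "high" if target.lower().endswith(SCRIPT_EXTENSIONS) else "medium"
            findings.append(Finding(severity, current_key, f"autorun '{verb}' runs {target}"))
            continue

        value = VALUE_RE.match(line)
        if not value:
            continue
        name, setting = value.groups()
        for (key_fragment, value_name), (bad, severity, description) in WEAKENING_SETTINGS.items():
            if key_fragment in key_lower and name == value_name and setting == bad:
                findings.append(Finding(severity, current_key, f"{name}={setting}: {description}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 6, 'medium': 3}."""
    counts = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for finding in results:
        print(f"[{finding.severity}] {finding.key}\n    {finding.detail}")
    print(summarize(results))
```

Run against the sample it reports nine findings: both firewall profiles and UAC disabled and the three `F:` autorun handlers as high, the `G:\LaunchU3.exe` autorun and the two Security Center overrides as medium; `HideShutdownScripts`, `MaxRecentDocs` and the per-application firewall rules are left alone. To use it on a full log, pass `open(path).read().splitlines()` to `triage` instead of `SAMPLE_LOG`.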

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:22 AM

Posted 03 April 2008 - 04:30 PM

Hello,

Sorry for the hold up, but you have a new file we need uploaded so it can be added to our tools.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to the next file:

C:\Windows\system32\drivers\AGP4400.sys

Select it and click ok.
Then click the Send File button below.

Let me know in your next reply once you've submitted the file.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 GrandstandInc

GrandstandInc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 03 April 2008 - 04:45 PM

I think I uploaded it. I could not use the dialog box due to the fact it gave me a "file in use error." So I typed in the full path, and I think that worked ???

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:22 AM

Posted 03 April 2008 - 11:36 PM

I've asked to be sure. I'll let you know as soon as I can so we can get that nasty stuff out of there. :thumbsup:

Thanks for your patience. You're doing a whole lot of people a whole lot of good here. :blink:

Regards,
tea

#9 GrandstandInc

GrandstandInc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 04 April 2008 - 10:13 AM

Sounds good. Thank you for all your help.

You can count me in for a donation, you have been more than helpful.

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:22 AM

Posted 04 April 2008 - 10:13 AM

Hello there,

It didn't work, so we'll do it this way:

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/ind...=139794&hl=

Collect::
C:\Windows\system32\drivers\AGP4400.sys


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Thanks,
tea

#11 GrandstandInc

GrandstandInc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 04 April 2008 - 01:05 PM

ComboFix 08-04-03.5 - Design II 2008-04-04 10:10:41.3 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1315 [GMT -7:00]
Running from: C:\Users\Design II\Desktop\ComboFix.exe
Command switches used :: C:\Users\Design II\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\Windows\system32\drivers\AGP4400.sys
C:\Windows\system32\drivers\core.cache.dsk

.
((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 17:16 --------- d-----w C:\Program Files\z2 Remote2PC
2008-04-04 16:39 --------- d-----w C:\ProgramData\McAfee
2008-04-04 16:37 --------- d-----w C:\ProgramData\SiteAdvisor
2008-04-04 16:12 --------- d-----w C:\ProgramData\HP
2008-04-03 21:00 --------- d-----w C:\ProgramData\WEBREG
2008-04-03 20:18 --------- d-----w C:\Users\Design II\AppData\Roaming\HP
2008-04-03 20:17 --------- d-----w C:\ProgramData\HPSSUPPLY
2008-04-03 20:17 --------- d-----w C:\Program Files\HP
2008-04-03 20:17 --------- d-----w C:\Program Files\Common Files\HP
2008-04-02 14:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-02 14:01 --------- d-----w C:\Program Files\F-Secure Internet Security
2008-04-02 13:57 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-02 13:55 --------- d-----w C:\ProgramData\F-Secure
2008-04-02 04:33 --------- d-----w C:\Program Files\Helio Player
2008-04-01 16:01 --------- d-----w C:\ProgramData\fssg
2008-04-01 05:44 --------- d-----w C:\Users\Design II\AppData\Roaming\F-Secure
2008-03-31 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 15:51 --------- d-----w C:\ProgramData\SecTaskMan
2008-03-31 15:40 --------- d-----w C:\Program Files\Security Task Manager
2008-03-31 14:09 --------- d-----w C:\Users\Design II\AppData\Roaming\dvdcss
2008-03-30 17:08 --------- d-----w C:\ProgramData\ATI
2008-03-30 17:08 --------- d-----w C:\Program Files\ATI
2008-03-30 17:05 --------- d-----w C:\Program Files\ATI Technologies
2008-03-30 16:52 --------- d-----w C:\Program Files\Xilisoft
2008-03-29 00:16 691 ----a-w C:\Users\Design II\AppData\Roaming\GetValue.vbs
2008-03-29 00:16 35 ----a-w C:\Users\Design II\AppData\Roaming\SetValue.bat
2008-03-28 20:44 --------- d-----w C:\Program Files\Trillian
2008-03-27 15:10 --------- d-----w C:\Users\Design II\AppData\Roaming\Uniblue
2008-03-27 15:10 --------- d-----w C:\Program Files\Uniblue
2008-03-27 03:39 --------- d-----w C:\Users\Design II\AppData\Roaming\U3
2008-03-26 04:32 --------- d-----w C:\ProgramData\Lavasoft
2008-03-26 04:31 --------- d-----w C:\Program Files\Lavasoft
2008-03-26 04:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 03:59 --------- d-----w C:\Users\Design II\AppData\Roaming\System Tweaker
2008-03-26 01:16 --------- d-----w C:\Program Files\Real
2008-03-26 01:16 --------- d-----w C:\Program Files\Common Files\Real
2008-03-26 01:15 --------- d-----w C:\Users\Design II\AppData\Roaming\Move Networks
2008-03-26 01:14 --------- d-----w C:\Program Files\FontLab
2008-03-26 01:14 --------- d-----w C:\Program Files\Common Files\FontLab
2008-03-25 22:35 --------- d-----w C:\ProgramData\Uniblue
2008-03-25 22:07 --------- d-----w C:\Users\Design II\AppData\Roaming\Download Manager
2008-03-25 22:07 --------- d-----w C:\Program Files\LimeWire
2008-03-25 17:20 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-25 17:13 --------- d---a-w C:\ProgramData\TEMP
2008-03-24 16:36 --------- d-----w C:\Users\Design II\AppData\Roaming\Apple Computer
2008-03-24 00:18 --------- d-----w C:\Program Files\Safari
2008-03-20 22:58 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-15 03:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-12 15:11 --------- d-----w C:\Program Files\Windows Mail
2008-02-26 05:53 3,520,512 ----a-w C:\Windows\system32\drivers\atikmdag.sys
2008-02-26 02:14 49,152 ----a-w C:\Windows\system32\drivers\ati2erec.dll
2008-02-24 22:56 --------- d-----w C:\Program Files\iTunes
2008-02-24 22:55 --------- d-----w C:\ProgramData\Apple Computer
2008-02-24 22:55 --------- d-----w C:\Program Files\iPod
2008-02-24 22:54 --------- d-----w C:\Program Files\QuickTime
2008-02-13 14:46 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 14:45 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-13 14:45 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-13 14:45 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-13 14:45 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-13 14:45 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-13 14:45 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-13 14:45 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-13 14:45 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-02-13 14:43 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 14:42 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 14:42 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 14:42 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 14:42 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 14:42 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 14:42 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 14:40 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-08-29 16:21 174 --sha-w C:\Program Files\desktop.ini
2007-10-15 15:36 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-15 15:36 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-15 15:36 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-03_11.12.15.77 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-03 18:05:38 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-04 17:16:29 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-03 21:00:40 129,929 ----a-w C:\Windows\hppins21.dat
+ 2007-03-13 11:05:14 3,729 ----a-w C:\Windows\hppmdl21.dat
- 2008-04-03 15:51:39 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-04-03 19:18:20 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-04-03 15:51:28 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-04-03 19:18:20 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-04-03 15:51:39 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-04-03 19:18:20 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-04-03 20:15:22 65,536 ----a-r C:\Windows\Installer\{8C6027FD-53DC-446D-BB75-CACD7028A134}\ARPPRODUCTICON.exe
+ 2008-04-03 20:15:22 681,528 ----a-r C:\Windows\Installer\{8C6027FD-53DC-446D-BB75-CACD7028A134}\HPSUShortcut_BB85ED9CAFC943BDB8DC258C3C7DF72E.exe
+ 2008-04-03 20:17:32 25,214 ----a-r C:\Windows\Installer\{EB21A812-671B-4D08-B974-2A347F0D8F70}\ARPPRODUCTICON.exe
+ 2008-04-03 20:17:33 65,536 ----a-r C:\Windows\Installer\{EB21A812-671B-4D08-B974-2A347F0D8F70}\NewShortcut1_33E9E60A87F847448812192D138D3F40.exe
+ 2008-04-03 20:17:33 65,536 ----a-r C:\Windows\Installer\{EB21A812-671B-4D08-B974-2A347F0D8F70}\NewShortcut1_EB21A812671B4D08B9742A347F0D8F70.exe
+ 2008-04-03 20:17:33 65,536 ----a-r C:\Windows\Installer\{EB21A812-671B-4D08-B974-2A347F0D8F70}\NewShortcut11_EB21A812671B4D08B9742A347F0D8F70.exe
+ 2008-04-03 20:17:32 65,536 ----a-r C:\Windows\Installer\{EB21A812-671B-4D08-B974-2A347F0D8F70}\NewShortcut2_33E9E60A87F847448812192D138D3F40.exe
+ 2008-04-03 20:17:33 65,536 ----a-r C:\Windows\Installer\{EB21A812-671B-4D08-B974-2A347F0D8F70}\NewShortcut4_EB21A812671B4D08B9742A347F0D8F70.exe
+ 2008-04-03 20:17:32 65,536 ----a-r C:\Windows\Installer\{EB21A812-671B-4D08-B974-2A347F0D8F70}\UninstallHPGGShortcu_EB21A812671B4D08B9742A347F0D8F70.exe
+ 2008-04-03 20:17:44 25,214 ----a-r C:\Windows\Installer\{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}\ARPPRODUCTICON.exe
+ 2008-04-03 20:17:44 25,214 ----a-r C:\Windows\Installer\{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}\hpqSSupply.exe
+ 2008-04-03 20:14:30 65,536 ----a-r C:\Windows\Installer\{FF075778-6E50-47ed-991D-3B07FD4E3250}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
- 2008-04-03 17:08:41 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-04 16:54:49 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-04-03 18:06:15 1,048,576 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-04-04 17:16:59 1,048,576 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-04-03 17:55:57 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-04 17:09:38 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-04-03 18:06:14 1,048,576 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-04-04 17:16:59 1,048,576 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-04-03 15:55:56 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-04 17:06:53 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-03 15:55:56 131,072 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-04 17:06:53 163,840 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-03 15:55:56 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-04 17:06:53 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-03 17:56:55 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-04-04 17:10:16 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2006-11-20 14:01:35 258,048 ------w C:\Windows\System32\DriverStore\FileRepository\hppunp03.inf_d898336d\hpzids01.dll
+ 2007-03-13 09:25:24 1,645,320 ----a-w C:\Windows\System32\gdiplus.dll
+ 2004-05-27 22:00:52 118,784 ----a-r C:\Windows\System32\HPODXPAT.DLL
+ 2006-11-02 09:46:05 30,208 ----a-w C:\Windows\System32\HPZ3LLHN.DLL
- 2006-10-17 05:00:58 49,152 ----a-w C:\Windows\System32\HPZIDR12.DLL
+ 2006-11-08 23:35:38 49,152 ----a-w C:\Windows\System32\HPZidr12.dll
- 2006-10-17 05:01:10 43,520 ----a-w C:\Windows\System32\HPZINW12.DLL
+ 2006-11-08 23:35:36 43,520 ----a-w C:\Windows\System32\HPZinw12.dll
- 2006-10-17 05:01:12 53,248 ----a-w C:\Windows\System32\HPZIPM12.DLL
+ 2006-11-08 23:35:38 53,248 ----a-w C:\Windows\System32\HPZipm12.dll
- 2006-10-17 05:00:54 33,280 ----a-w C:\Windows\System32\HPZIPR12.DLL
+ 2006-11-08 23:35:40 33,280 ----a-w C:\Windows\System32\HPZipr12.dll
- 2006-10-17 05:00:56 29,696 ----a-w C:\Windows\System32\HPZIPT12.DLL
+ 2006-11-08 23:35:40 29,696 ----a-w C:\Windows\System32\hpzipt12.dll
- 2006-10-17 05:00:58 20,480 ----a-w C:\Windows\System32\HPZISN12.DLL
+ 2006-11-08 23:35:40 20,480 ----a-w C:\Windows\System32\hpzisn12.dll
- 2008-04-03 15:59:18 123,058 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-04 16:45:49 123,058 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-03 15:59:19 669,656 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-04 16:45:49 669,656 ----a-w C:\Windows\System32\perfh009.dat
- 2008-03-30 17:07:33 6,029,312 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
+ 2008-04-03 20:13:06 6,029,312 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
- 2007-02-02 22:38:42 24,576 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBMIAPI.DLL
+ 2006-11-02 09:46:11 28,160 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBMIAPI.DLL
- 2007-03-27 00:35:00 241,721 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBMINI.DLL
+ 2006-11-02 09:46:05 8,192 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBMINI.DLL
- 2007-02-02 22:38:46 25,600 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBOID.DLL
+ 2006-11-02 09:46:11 29,184 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBOID.DLL
- 2007-02-02 22:38:48 7,680 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBOIDPS.DLL
+ 2006-11-02 09:46:05 11,776 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBOIDPS.DLL
- 2007-02-02 22:38:46 39,424 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBPRO.DLL
+ 2006-11-02 09:46:11 39,936 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBPRO.DLL
- 2007-02-02 22:38:44 7,680 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBPROPS.DLL
+ 2006-11-02 09:46:05 11,776 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPBPROPS.DLL
+ 2006-11-02 09:46:11 1,515,520 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
- 2008-04-03 15:55:31 11,494 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3620236486-3340466712-1281629707-1000_UserData.bin
+ 2008-04-04 16:41:52 12,068 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3620236486-3340466712-1281629707-1000_UserData.bin
- 2008-04-03 15:55:31 61,328 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-04 16:41:52 61,612 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-03 15:55:29 48,788 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-04 16:41:48 50,384 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-03-30 17:00:34 106,648 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-04-03 20:13:37 161,038 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-04-03 20:13:35 96,256 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63\ATL80.dll
+ 2008-04-03 20:12:54 479,232 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f\msvcm80.dll
+ 2008-04-03 20:12:54 548,864 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f\msvcp80.dll
+ 2008-04-03 20:12:54 626,688 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f\msvcr80.dll
+ 2008-04-03 20:13:03 1,093,632 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514\mfc80.dll
+ 2008-04-03 20:13:03 1,079,808 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514\mfc80u.dll
+ 2008-04-03 20:13:03 69,632 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514\mfcm80.dll
+ 2008-04-03 20:13:03 57,344 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514\mfcm80u.dll
+ 2008-04-03 20:13:08 40,960 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80CHS.dll
+ 2008-04-03 20:13:08 45,056 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80CHT.dll
+ 2008-04-03 20:13:09 65,536 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80DEU.dll
+ 2008-04-03 20:13:09 57,344 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80ENU.dll
+ 2008-04-03 20:13:08 61,440 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80ESP.dll
+ 2008-04-03 20:13:09 61,440 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80FRA.dll
+ 2008-04-03 20:13:09 61,440 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80ITA.dll
+ 2008-04-03 20:13:09 49,152 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80JPN.dll
+ 2008-04-03 20:13:09 49,152 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 05:34 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-07 22:16 303104 C:\Windows\sttray.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{453A088B-6677-41BF-8C22-8B0B3C39A038}"= UDP:990:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{F72F0229-66B6-41C0-8AB9-A36F4FE8CBD3}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{475CE7C5-4C57-472C-8B50-41B8647F8A70}"= UDP:C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:Adobe Version Cue CS2
"{2D762D7A-4211-43A1-8FC8-F0A80A33C096}"= TCP:C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:Adobe Version Cue CS2
"{C8E0D961-53F5-4FAC-A847-B614D3D6D0CA}"= UDP:5721:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{BB55E0C3-2C2E-43F1-BEC7-7D730627043D}"= UDP:1034:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{54122A47-45D2-431A-BDFA-CC739414412A}"= UDP:5678:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{1FDF7260-DD67-441A-9612-6E38886231C6}"= UDP:999:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{CCA51F4E-C2C1-4C8D-B30A-EC64470EB519}"= UDP:26675:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{1AF5737C-986A-4A4C-9B38-456BBC205065}"= UDP:990:LocalSubnet:LocalSubnet|IF={DCDD3B97-8265-4021-AA3A-9661D6E3ACF9}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{5A63ECA1-1868-429C-9051-1EE9E9C98BDE}"= UDP:5721:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{417FF1CD-A989-47A5-A409-CAD8F4F599E6}"= UDP:1034:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{F5FD2A0C-0D3B-4962-9CF5-451C61350E84}"= UDP:5678:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{8EDFA0DA-619E-423A-9015-7AF2BFB6B883}"= UDP:999:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{5153685D-B512-4C9D-B3BD-1AD2A0E55DD3}"= UDP:26675:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{DA83D3F7-11E4-4FEA-A47B-A4FCA6D2FBC2}"= UDP:990:LocalSubnet:LocalSubnet|IF={01720478-D996-4859-87CB-3A3C0036F34E}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"TCP Query User{29CDE530-609C-478F-907A-DF1432BA87A7}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{0546C34A-CCF8-4497-B473-BFAFE70CF3F8}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C5907A17-D351-40FB-A45E-59DD0C47F23B}C:\\program files\\macromedia\\dreamweaver mx\\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver mx\dreamweaver.exe:Dreamweaver MX
"UDP Query User{A74D5868-E700-4BE3-B63D-CD5F24801AAC}C:\\program files\\macromedia\\dreamweaver mx\\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver mx\dreamweaver.exe:Dreamweaver MX
"TCP Query User{974DB2BA-CCA4-4899-84C2-D4322CC1CEE4}C:\\program files\\macromedia\\fireworks mx\\fireworks.exe"= UDP:C:\program files\macromedia\fireworks mx\fireworks.exe:Fireworks MX
"UDP Query User{5EBAD948-CDFF-46D9-A366-2AA741049A56}C:\\program files\\macromedia\\fireworks mx\\fireworks.exe"= TCP:C:\program files\macromedia\fireworks mx\fireworks.exe:Fireworks MX
"{7EF6E189-23DC-43CA-8E88-174B9CEEC38F}"= UDP:C:\Program Files\z2 Remote2PC\R2PCCln.exe:z2 Remote2PC Client
"{2BD70B5D-F7B6-4052-91C1-74CA76A7D529}"= TCP:C:\Program Files\z2 Remote2PC\R2PCCln.exe:z2 Remote2PC Client
"{BD6AEF1A-3190-4B1F-95C4-BCE04BB34168}"= UDP:C:\Program Files\z2 Remote2PC\R2PCServ.exe:z2 Remote2PC Server
"{B54936AA-A7A6-4187-98DF-0824B43E06E9}"= TCP:C:\Program Files\z2 Remote2PC\R2PCServ.exe:z2 Remote2PC Server
"TCP Query User{06F24B4B-68FA-4775-953F-3A001DA2FA16}C:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"UDP Query User{AC483BFA-6770-4DF0-8BC5-7292193F0B0A}C:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"{CCFB6359-DE6F-4D93-AC15-FA7E54831AF2}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{FCE00F20-CA91-4E1F-BF77-A5AD54937FE0}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{AA490E08-CE16-4583-9420-2246F0A5A4BA}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{FC80711C-AC68-4E62-951F-51D3F7B952F1}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{E3D894DE-19F2-46F3-B3F8-C06499047ED3}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{05AA82D4-AA82-48E7-BF93-7A5F6F709BC0}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{A3C3F15E-1505-4DA2-AE94-902C29AFFC5E}"= Disabled:UDP:E:\setup\HPZnui01.exe:hpznui01.exe
"{B88BCF7A-CA8F-42CC-A1D9-5BD7412422D5}"= Disabled:TCP:E:\setup\HPZnui01.exe:hpznui01.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2006-08-11 08:35]
R2 HPSLPSVC;HP Network Devices Support;C:\Windows\system32\svchost.exe [2006-11-02 02:45]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 02:45]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 WcesComm;Windows Mobile 2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 02:45]
R2 z2 R2PC Server;z2 Remote2PC Server;"C:\Program Files\z2 Remote2PC\R2PCServ.exe" -service []
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-25 22:53]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;C:\Windows\system32\Drivers\athwpn.sys [2004-10-14 03:24]
S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\cur_bus.sys [2005-07-19 18:39]
S3 cur_mdfl;Curitel Packet Service Filter;C:\Windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 18:40]
S3 cur_mdm;Curitel Packet Service Drivers;C:\Windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 18:40]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\Windows\system32\DRIVERS\cur_serd.sys [2005-07-19 18:42]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-25 22:53]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111.sys [2005-01-07 10:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36dc7548-614f-11dc-b58e-00188b8a5d98}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{434176c7-d41f-11db-9b26-806e6f6e6963}]
\shell\AutoRun\command - E:\install.EXE id= ver=1.0.0.0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0bda4c9-e3aa-11dc-85b0-00188b8a5d98}]
\shell\AutoRun\command - F:\ff1q0gw.bat
\shell\explore\Command - F:\ff1q0gw.bat
\shell\open\Command - F:\ff1q0gw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0bda4ce-e3aa-11dc-85b0-00188b8a5d98}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 00:09:29 C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-25 21:48:55 C:\Windows\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-26 00:09:29 C:\Windows\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-03-25 23:51:32 C:\Windows\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-04-04 17:20:47 C:\Windows\Tasks\User_Feed_Synchronization-{CDCE7F36-FC26-4445-A60D-7FB8D57716CD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 10:17:10
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\z2 Remote2PC\R2PCSH.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2008-04-04 10:23:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-04 17:22:58
ComboFix2.txt 2008-04-03 18:13:25
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-04-04 02:59:05 --- E O F ---

#12 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 April 2008 - 01:12 PM

Hello there,

I just saw that we posted at exactly the same time earlier. :blink: I thank you! :thumbsup:

Have the popups stopped? The problem before was that there is a driver protecting the main bad file so it couldn't be deleted. That new driver, thanks to you, has been removed, as well as the file that was causing you all the grief. :wacko:

Could you please post a new HijackThis log as well for me? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#13 GrandstandInc
  • Topic Starter
  • Members
  • 7 posts

Posted 04 April 2008 - 01:57 PM

Looks like I'm clean. Feels great!

Thanks for all your help. The log file is below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:57 AM, on 4/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\sttray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - z2 Software - C:\Program Files\z2 Remote2PC\R2PCServ.exe

--
End of file - 5910 bytes

#14 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 April 2008 - 02:16 PM

Hello,

Excellent. :blink: Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

The following are not malware, but fixing them with HijackThis will improve your system's speed. None are necessary at startup, and may be started manually at any time. This is up to you. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
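The "Fix checked" step in the post above removes two kinds of entries: orphaned ones (a toolbar or service whose file is gone) and plain autostart entries that only cost boot time, while the ComboFix log earlier in the thread carries the removable-drive AutoRun handlers that pointed at F:\ff1q0gw.bat. As an added example (not code from this thread, from HijackThis or from ComboFix), the Python below parses lines in those two formats and sorts them by what removing them would actually do. The regexes, the severity rules and the one line marked "constructed" are this example's own assumptions; the other sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis-style (O2/O3/O4/O23) lines and ComboFix
mountpoints2 shell-verb lines.

Added example: this is not code from the thread, from HijackThis or from
ComboFix. The regexes and severity rules are this example's own heuristics.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# "O4 - HKLM\..\Run: [Name] command"  ->  section "O4", body = rest of line
HJT_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# "\shell\AutoRun\command - F:\x.bat"  ->  verb "AutoRun", command "F:\x.bat"
MOUNTPOINT_RE = re.compile(r"^\\shell\\(\w+)\\command\s+-\s+(.*)$", re.IGNORECASE)

# Interpreted/script files that a removable drive should never auto-launch
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".scr", ".pif", ".com"}


@dataclass
class Finding:
    line: str
    severity: str   # "high" | "medium" | "low" | "info"
    reason: str


def _target_of(command: str) -> str:
    """Return the program path from a command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(lines):
    """Classify log lines; lines that match neither format are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = MOUNTPOINT_RE.match(line)
        if m:
            verb, command = m.group(1).lower(), m.group(2)
            target = PureWindowsPath(_target_of(command))
            if target.suffix.lower() in SCRIPT_EXTS:
                findings.append(Finding(line, "high",
                    f"removable-drive '{verb}' handler runs a script ({target.suffix})"))
            elif verb in ("open", "explore"):
                # Legitimate autorun only sets AutoRun; overriding open/explore
                # makes double-clicking the drive launch the target instead.
                findings.append(Finding(line, "medium",
                    f"Explorer '{verb}' verb redirected to {target}"))
            continue
        m = HJT_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding(line, "low",
                "orphaned entry: registered component is no longer on disk"))
        elif section == "O4":
            findings.append(Finding(line, "info",
                "autostart entry: removing it only stops the launch at logon"))
    return findings


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


# Sample input: lines copied from the logs in this thread, plus one
# constructed line (marked) to exercise the open/explore rule.
SAMPLE_LINES = [
    r"\shell\AutoRun\command - G:\LaunchU3.exe -a",
    r"\shell\AutoRun\command - F:\ff1q0gw.bat",
    r"\shell\explore\Command - F:\ff1q0gw.bat",
    r"\shell\open\Command - F:\ff1q0gw.bat",
    r"\shell\open\Command - G:\LaunchU3.exe -a",          # constructed
    "O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe",
    r'O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"',
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(triage(SAMPLE_LINES)))
```

On the sample above the three ff1q0gw.bat handlers come out "high" (a batch file wired to AutoRun plus the open and explore verbs is the pattern ComboFix was cleaning up here), the U3 launcher on the AutoRun verb alone produces no finding, and the O3 "(no file)" toolbar and the O4 Run entries land in the "low" and "info" buckets that match the advice in the post: removing them is harmless but is a speed tweak, not a malware fix.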

#15 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 April 2008 - 08:09 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.