
Infected With Bn6.tmp And Smitware?


19 replies to this topic

#1 MicheleKP

  • Members
  • 20 posts

Posted 06 April 2008 - 06:53 PM

Hi All,

I am trying to help a friend out with his computer. His son is a teenage boy with a laptop that has become infected with who knows what! His desktop has changed to a blue background with a warning that "Spyware detected on you computer. Install an antivirus or spyware remover to clean your computer". There was a program, spools.exe, that was hijacking a lot of programs we tried to start. I deleted that and fixed the exefile registry value so I can open files - helped to get dss.exe running. Any and all help is appreciated!!! Here is a copy of what dss gave me:


-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-37
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 958.23 MiB / 468.41 MiB
Pagefile Memory (total/avail): 2311.69 MiB / 1913.29 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.93 MiB

C: is Fixed (NTFS) - 105.92 GiB total, 76.08 GiB free.
D: is Fixed (FAT32) - 5.85 GiB total, 4.07 GiB free.
E: is CDROM (No Media)
F: is Removable (FAT)

\\.\PHYSICALDRIVE0 - HTS421212H9AT00 - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 105.92 GiB - C:
\PARTITION1 - Unknown - 5.86 GiB - D:

\\.\PHYSICALDRIVE1 - USB Flash Memory USB Device - 1929.68 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1931.95 MiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v14 (Trend Micro, Inc.)
AV: Trend Micro PC-cillin Internet Security 2006 v14.10.1023 (Trend Micro, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1189227370\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1189227370\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HUNTEREX1990
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\HUNTEREX1990
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=HUNTEREX1990
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\aolunins_us.exe
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Connectivity Services --> "C:\Program Files\Common Files\AOL\ACS\AcsUninstall.exe" /c
AOL Spyware Protection --> C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\INSTALL.LOG
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Broadcom 802.11 Network Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose
Browser Address Error Redirector --> regsvr32 /u /s "c:\windows\system32\BAE.dll"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta0300a.INF
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Pure Networks Port Magic --> C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_0300107B\HXFSETUP.EXE -U -Iqta0300m.inf
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
Trend Micro PC-cillin Internet Security 2006 --> MsiExec.exe /X{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}
TrojanHunter 5.0 --> "C:\Program Files\TrojanHunter 5.0\unins000.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows XP Media Center Edition 2005 KB912067 --> "C:\WINDOWS\$NtUninstallKB912067$\spuninst\spuninst.exe"
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (5)\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type635 / Error
Event Submitted/Written: 04/06/2008 04:40:54 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x016c1488.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type628 / Error
Event Submitted/Written: 04/06/2008 07:35:32 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application BCMWLTRY.EXE, version 3.100.64.1, faulting module BCMWLTRY.EXE, version 3.100.64.1, fault address 0x00011cd0.
Processing media-specific event for [BCMWLTRY.EXE!ws!]

Event Record #/Type626 / Error
Event Submitted/Written: 04/05/2008 09:46:23 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9d.ocx, version 9.0.47.0, fault address 0x00099a25.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type624 / Error
Event Submitted/Written: 04/05/2008 02:26:47 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.

Event Record #/Type623 / Error
Event Submitted/Written: 04/05/2008 02:25:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6001 / Error
Event Submitted/Written: 04/06/2008 04:19:49 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
abp480n5
adpu160m
agp440
agpCPQ
Aha154x
aic78u2
aic78xx
AliIde
alim1541
amdagp
amsint
asc
asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde

Event Record #/Type6000 / Error
Event Submitted/Written: 04/06/2008 04:19:48 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%2

Event Record #/Type5993 / Error
Event Submitted/Written: 04/06/2008 04:17:48 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type5984 / Error
Event Submitted/Written: 04/06/2008 03:58:32 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
abp480n5
adpu160m
agp440
agpCPQ
Aha154x
aic78u2
aic78xx
AliIde
alim1541
amdagp
AmdK8
amsint
asc
asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
Fips
hpn
i2omp
ini910u
IntelIde
mraid35x
ohci1394
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
tmtdi
TosIde
ultra
viaagp
ViaIde

Event Record #/Type5983 / Error
Event Submitted/Written: 04/06/2008 03:58:32 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-04-06 16:42:16 ------------



#2 MicheleKP

  • Topic Starter
  • Members
  • 20 posts

Posted 06 April 2008 - 06:58 PM

Apologies to all, I copied the wrong notepad. Here is the main text from dss.
Sorry and thanks again for your help!!!

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-06 16:41:36
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Trend Micro\Internet Security 2006\PcCtlCom.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 2006\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 2006\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\Internet Security 2006\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\TEMP\BN6.tmp
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6455
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6455
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6455
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: (no name) - {E8CEF949-6287-48A4-808D-AE0164026F39} - C:\WINDOWS\system32\bat.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189227370\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{10327C61-9FCB-48EB-AEA8-AC2F227F093C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{42474D82-3CDA-4BB9-B550-42ECC6D347B2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{73F039B5-5F10-49B7-92BA-DA2A1F6DD8F8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\system32\WLCtrl32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security 2006\PcCtlCom.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security 2006\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2006\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2006\tmproxy.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 8553 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Qxf86 - c:\windows\system32\drivers\qxf86.sys
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\35529E0B803
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\35529E0B803
Service: NIC1394


-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-06 15:58:21 376 --a------ C:\look.bat
2008-04-06 15:56:51 0 d-------- C:\WINDOWS\CSC
2008-04-05 00:04:24 21694 --a------ C:\Documents and Settings\Owner\cftmon.exe
2008-04-04 22:30:48 18432 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-04-03 09:53:29 0 d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-04-03 09:14:07 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-04-03 09:13:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad
2008-04-01 17:26:19 0 d-------- C:\Program Files\Enigma Software Group
2008-04-01 17:07:12 5120 --a------ C:\WINDOWS\system32\ftp33.dll
2008-03-31 16:38:52 88064 --a------ C:\WINDOWS\system32\bat.dll
2008-03-31 16:27:18 0 d-------- C:\Program Files\AntiVirusPro
2008-03-31 16:27:11 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-03-31 08:28:01 10752 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-03-31 08:28:01 26496 --a------ C:\WINDOWS\system32\drivers\Qxf86.sys
2008-03-30 12:45:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 12:10:03 0 d-------- C:\Logs


-- Find3M Report ---------------------------------------------------------------

2008-03-30 20:04:39 0 d-------- C:\Program Files\World of Warcraft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8CEF949-6287-48A4-808D-AE0164026F39}]
08/10/2004 12:00 PM 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 09:56 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 09:47 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 09:47 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1189227370\EE\AOLHostManager.exe" [11/03/2004 02:03 PM]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [10/18/2004 05:42 PM]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/28/2005 09:05 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 04:16 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [12/05/2005 12:49 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/07/2007 09:57 PM]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [01/23/2008 02:47 PM]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [09/09/2007 09:31 AM]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [04/04/2008 10:30 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"autoload"="C:\Documents and Settings\Owner\cftmon.exe" [04/05/2008 12:04 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09/12/2007 06:27 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"autoload"="C:\Documents and Settings\Owner\cftmon.exe" [04/05/2008 12:04 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [9/7/2007 9:58:59 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdkms.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 04/06/2008 04:18 PM 10752 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxf86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8073 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-06 16:42:16 ------------




#3 MicheleKP

  • Topic Starter
  • Members
  • 20 posts

Posted 06 April 2008 - 10:05 PM

Here is the log from a scan with Kaspersky online. TIA!

KASPERSKY ONLINE SCANNER REPORT
Sunday, April 06, 2008 8:02:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/04/2008
Kaspersky Anti-Virus database records: 687522


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 46623
Number of viruses found 8
Number of infected objects 62
Number of suspicious objects 0
Duration of the scan process 00:46:05

Infected Object Name | Virus Name | Last Action
C:\Deckard\System Scanner\backup\WINDOWS\temp\BN25.tmp Infected: Trojan-Downloader.Win32.Agent.mkb skipped

C:\Deckard\System Scanner\backup\WINDOWS\temp\BN2D.tmp Infected: Trojan-Downloader.Win32.Agent.mkb skipped

C:\Deckard\System Scanner\backup\WINDOWS\temp\BN30.tmp Infected: Trojan-Downloader.Win32.Agent.mkb skipped

C:\Deckard\System Scanner\backup\WINDOWS\temp\BN6.tmp Infected: Trojan-Downloader.Win32.Agent.mkb skipped

C:\Deckard\System Scanner\backup\WINDOWS\temp\BNC.tmp Infected: Trojan-Downloader.Win32.Agent.mkb skipped

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\23.tmp Infected: Trojan-Downloader.Win32.Tiny.amc skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037287.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037311.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037323.dll Infected: not-a-virus:FraudTool.Win32.AntiVirPro.g skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037334.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037338.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037339.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037340.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037341.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037351.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037355.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037374.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0037378.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0038374.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0038378.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0039374.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0039383.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0039387.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0040383.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0040387.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0040404.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0040408.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0041404.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0041408.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0041413.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042413.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042417.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042424.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042428.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042436.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042440.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042496.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042500.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042528.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0042532.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0043528.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0043532.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0043553.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0043557.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0043564.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0043575.exe Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0044553.dll Infected: Trojan-Downloader.Win32.Mutant.bk skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0044557.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0044567.exe Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0045557.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0045601.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP163\A0045619.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP164\change.log Object is locked skipped

C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP164\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Mutant.dv skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A37093D3-8771-4E53-881D-7EBA67273B90}.crmlog Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\Qxf86.sys Object is locked skipped

C:\WINDOWS\system32\ftp33.dll Infected: Trojan-Downloader.Win32.Small.tra skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\WLCtrl32.dl_ Infected: Trojan-Downloader.Win32.Mutant.dv skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP164\change.log Object is locked skipped

Scan process completed.

#4 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 16 April 2008 - 03:18 PM

MicheleKP

Sorry for the delay. Could you post a fresh Hijackthis log please?
Microsoft MVP - Windows Security

#5 MicheleKP

MicheleKP
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 16 April 2008 - 09:15 PM

Hi and thanks! I know you guys are swamped :-).

Here is a fresh scan from HijackThis; I haven't used the computer since the last scan...


Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-16 19:09:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:05 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6455
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6455
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6455
O2 - BHO: (no name) - {E8CEF949-6287-48A4-808D-AE0164026F39} - C:\WINDOWS\system32\bat.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189227370\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10327C61-9FCB-48EB-AEA8-AC2F227F093C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{42474D82-3CDA-4BB9-B550-42ECC6D347B2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{73F039B5-5F10-49B7-92BA-DA2A1F6DD8F8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{10327C61-9FCB-48EB-AEA8-AC2F227F093C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7218 bytes

-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2008-04-06 18:56:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-06 18:56:14 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-06 18:56:13 0 d-------- C:\WINDOWS\LastGood
2008-04-06 15:58:21 376 --a------ C:\look.bat
2008-04-06 15:56:51 0 d-------- C:\WINDOWS\CSC
2008-04-05 00:04:24 21694 --a------ C:\Documents and Settings\Owner\cftmon.exe
2008-04-04 22:30:48 18432 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-04-03 09:53:29 0 d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-04-03 09:14:07 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-04-03 09:13:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad
2008-04-01 17:26:19 0 d-------- C:\Program Files\Enigma Software Group
2008-04-01 17:07:12 5120 --a------ C:\WINDOWS\system32\ftp33.dll
2008-03-31 16:38:52 88064 --a------ C:\WINDOWS\system32\bat.dll
2008-03-31 16:27:18 0 d-------- C:\Program Files\AntiVirusPro
2008-03-31 16:27:11 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-03-31 08:28:01 10752 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-03-31 08:28:01 26496 --a------ C:\WINDOWS\system32\drivers\Qxf86.sys
2008-03-30 12:45:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 12:10:03 0 d-------- C:\Logs


-- Find3M Report ---------------------------------------------------------------

2008-04-16 19:09:48 0 d-------- C:\Program Files\Trend Micro
2008-04-06 18:38:17 0 d-------- C:\Program Files\World of Warcraft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8CEF949-6287-48A4-808D-AE0164026F39}]
08/10/2004 12:00 PM 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 09:56 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 09:47 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 09:47 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1189227370\EE\AOLHostManager.exe" [11/03/2004 02:03 PM]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [10/18/2004 05:42 PM]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/28/2005 09:05 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 04:16 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [12/05/2005 12:49 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/07/2007 09:57 PM]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [01/23/2008 02:47 PM]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [09/09/2007 09:31 AM]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [04/04/2008 10:30 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"autoload"="C:\Documents and Settings\Owner\cftmon.exe" [04/05/2008 12:04 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09/12/2007 06:27 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"autoload"="C:\Documents and Settings\Owner\cftmon.exe" [04/05/2008 12:04 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [9/7/2007 9:58:59 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdkms.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 04/06/2008 04:18 PM 10752 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxf86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"




-- End of Deckard's System Scanner: finished at 2008-04-16 19:10:30 ------------
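What a helper reads off a HijackThis log and registry dump like the one above, as an added example that is not part of this thread, of HijackThis, or of Deckard's System Scanner: a small Python triage script that parses HijackThis-format lines and flags the persistence patterns visible in this log (Run entries imitating system binaries or launching from system32\drivers or a profile root, a UserInit value with an extra program chained on, a Winlogon Notify DLL, an unnamed BHO, and a service whose binary is missing or whose name collides with an svchost-hosted XP service). The sample lines are copied from the log posted above; the scoring rules, the list of system binary names used for the look-alike check, and the severity labels are this example's own assumptions, not HijackThis's.

```python
"""Triage a HijackThis 2.x log for the persistence entries seen in this thread.
Added example, not part of the thread or of HijackThis; the heuristics and the
list of system binaries below are this example's own assumptions."""
import re
from collections import namedtuple

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {E8CEF949-6287-48A4-808D-AE0164026F39} - C:\WINDOWS\system32\bat.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSI Configuration] msiconf.exe (User 'SYSTEM')
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""
# Names the samples in this thread imitate (spools.exe, cftmon.exe); assumed list.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "userinit.exe"}
SVCHOST_HOSTED = {"Schedule"}   # XP Task Scheduler runs inside svchost.exe, not its own .exe
LINE_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
Finding = namedtuple("Finding", "section path reason severity")


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit (ctfmon/cftmon)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def extract_path(cmd):
    """Pull the launched file out of a Run value: quoted, with arguments, or bare."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd).strip()
    m = re.match(r'"([^"]+)"', cmd) or re.match(
        r"(.+?\.(?:exe|scr|dll|com|bat|cmd|vb[se]))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split() or [""])[0]


def check_run(path):
    """Heuristics for an O4 Run entry; returns zero or more Findings."""
    out, base, parts = [], path.rsplit("\\", 1)[-1].lower(), path.split("\\")
    if base not in SYSTEM_BINARIES:
        near = sorted(k for k in SYSTEM_BINARIES if osa_distance(base, k) == 1)
        if near:
            out.append(Finding("O4", path, f"look-alike of system binary {near[0]}", "high"))
    if "\\drivers\\" in path.lower() and base.endswith(".exe"):
        out.append(Finding("O4", path, "executable launched from system32\\drivers", "high"))
    if len(parts) == 4 and parts[1].lower() == "documents and settings":
        out.append(Finding("O4", path, "executable sitting in a user profile root", "medium"))
    if len(parts) == 1:
        out.append(Finding("O4", path, "bare filename resolved through the search path", "medium"))
    return out


def triage(log_text):
    """Return Findings for the suspicious entries in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2":
            mm = re.match(r"BHO: (.+?) - \{[^}]+\} - (.+)$", rest)
            if mm and mm.group(1) == "(no name)":
                findings.append(Finding("O2", mm.group(2), "unnamed BHO loaded into every IE process", "medium"))
        elif section == "O4":
            mm = re.match(r"HK\S*?\\\.\.\\Run: \[[^\]]+\]\s*(.*)$", rest)
            if mm:
                findings += check_run(extract_path(mm.group(1)))
        elif section == "F2":
            mm = re.match(r"REG:system\.ini: UserInit=(.*)$", rest)
            for entry in (e.strip() for e in (mm.group(1).split(",") if mm else [])):
                if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                    findings.append(Finding("F2", entry, "extra program chained onto UserInit at every logon", "high"))
        elif section == "O20":
            mm = re.match(r"Winlogon Notify: \S+ - (.+)$", rest)
            if mm:
                findings.append(Finding("O20", mm.group(1), "Winlogon Notify DLL runs inside winlogon.exe as SYSTEM; verify publisher", "medium"))
        elif section == "O23":
            mm = re.match(r"Service: (.+?)(?: \(([^()]+)\))? - (.+?) - (.+)$", rest)
            if mm:
                _, short, owner, path = mm.groups()
                clean = path.replace("(file missing)", "").strip()
                if "(file missing)" in path:
                    findings.append(Finding("O23", clean, "service binary is gone; delete the orphaned service", "high"))
                if short in SVCHOST_HOSTED and clean.rsplit("\\", 1)[-1].lower() != "svchost.exe":
                    findings.append(Finding("O23", clean, f"{short} runs inside svchost.exe on XP; a standalone binary is a decoy", "high"))
                if owner == "Unknown owner":
                    findings.append(Finding("O23", clean, "unknown service owner; verify manually", "low"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.path}  --  {f.reason}")
```

Run as a script it prints one line per finding; as a module, `triage()` returns them. Against the sample, spools.exe is flagged twice from its Run entry (one edit away from spoolsv.exe, and launched from system32\drivers) and twice more from the bogus "Task Scheduler (Schedule)" service (file missing, and the real XP Schedule service lives in svchost.exe), cftmon.exe is caught by the transposition-aware distance to ctfmon.exe, and the legitimate ctfmon.exe, ehtray.exe and Ati2evxx.exe entries produce nothing.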

#6 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 17 April 2008 - 09:34 AM

MicheleKP

1. Go HERE and download WormFix

Save it to your Desktop. But do not run it yet.

2. Reboot into Safe Mode
This can be done by restarting your PC, and after it starts, but before you see the Windows splash screen,
begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices).
Use your arrow keys and select Safe Mode and then Enter.

3. Close all Internet Explorer windows and run WormFix
Double click the WormFix.Zip file to unzip it.
Open the WormFix folder.
Double click WormFix.vbe to run the program.
Then select O.K. at the prompt.
Allow the program to run (your desktop will disappear, then re-appear; this is normal).
When it is finished it will produce a log, C:\WormFix.txt.
Copy and paste the results of that log in your reply.

4. Then reboot your PC into Normal Windows Mode, rerun HijackThis and post a fresh HijackThis log,
as well as the C:\WormFix.txt log.
Microsoft MVP - Windows Security

#7 MicheleKP

MicheleKP
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 17 April 2008 - 05:26 PM

OK! I downloaded and ran WormFix, then re-ran HijackThis. The logs are below. In the interim, I did upgrade Internet Explorer to 7.0 and the Malicious Software Removal Tool came with it. That found a few things as well.

Here are the logs, thanks again for all your help!!

WormFix log:


========================================
WormFix

Version 1.1.1

By bamajim @ CastleCops.com

========================================

C:\WINDOWS\SYSTEM32\WLCtrl32.dll Found!
C:\WINDOWS\SYSTEM32\WLCtrl32.dll Deleted!
C:\WINDOWS\system32\ftp33.dll Found!
C:\WINDOWS\system32\ftp33.dll Deleted!
C:\WINDOWS\system32\WLCtrl32.dll Found!
C:\WINDOWS\system32\WLCtrl32.dll Deleted!
C:\WINDOWS\system32\WLCtrl32.dl_ Found!
C:\WINDOWS\system32\WLCtrl32.dl_ Deleted!


Hijack This:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:41 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\118922~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\COMMON~1\AOL\118922~1\EE\AOLServiceHost.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6455
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {E8CEF949-6287-48A4-808D-AE0164026F39} - C:\WINDOWS\system32\bat.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189227370\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSI Configuration] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7837 bytes

#8 bamajim

  • Members
  • 894 posts

Posted 17 April 2008 - 07:08 PM

MicheleKP

O.k. Let's continue

1. Let's Disable Trojan Hunter Guard
Go to TrojanHunter Guard in the lower right corner of your screen.
It is a light blue magnifying glass icon with a red handle.
Right click it and select Settings.
Uncheck Load at startup and Enabled.

2. Copy and paste the following into NotePad (Not Wordpad)
sc stop Schedule
sc delete Schedule

Click File ->> Save as ->> type in cmd.bat
Under "Save as type" Select "all files" ->> Save it to your Desktop
Close Notepad
The cmd.bat file should now appear on your Desktop (if it saved properly it should appear as a blue box with a gear in the middle of it)
Double Click that file (It will appear that nothing has happened, but that's o.k.)
3. Rerun Hijackthis (scan only) and place checks beside the following entries
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
Microsoft MVP - Windows Security
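
As an added example (not part of this thread and not HijackThis code), the script below applies the same reading the helper applied above to a HijackThis log: a UserInit value with anything beyond userinit.exe, Run entries that launch an .exe from the drivers directory or from a profile root, Winlogon Notify DLLs set aside for review, and services with no valid image path. The sample lines are copied from the logs posted in this thread; that %SystemRoot% is C:\WINDOWS is an assumption.

```python
"""Triage a HijackThis v2 log for the autostart abuses seen in this thread.

Added example; the heuristics encode the entries the helper told the
poster to fix, they are not a general-purpose malware detector.
"""
import re

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# The only program Windows XP should list in UserInit (assumes %SystemRoot% is C:\WINDOWS).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
# An .exe sitting directly in C:\Documents and Settings\<user>\ (where cftmon.exe lived).
PROFILE_ROOT_RE = re.compile(r'^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$', re.I)


def _first_path(cmd):
    """Return the program path from a Run command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'^(.*?\.exe)\b', cmd, re.I)
    return m.group(1) if m else cmd


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    if line.startswith('F2 - REG:system.ini: UserInit='):
        value = line.split('UserInit=', 1)[1]
        programs = [p.strip() for p in value.split(',') if p.strip()]
        extra = [p for p in programs if p.lower() != EXPECTED_USERINIT]
        if extra:
            return ('high', 'extra UserInit program(s): ' + ', '.join(extra))
        return None
    m = O4_RE.match(line)
    if m:
        path = _first_path(m.group('cmd'))
        low = path.lower()
        if '\\system32\\drivers\\' in low and low.endswith('.exe'):
            return ('high', 'Run entry launches an .exe from the drivers directory: ' + path)
        if PROFILE_ROOT_RE.match(path):
            return ('high', 'Run entry launches an .exe from a profile root: ' + path)
        return None
    if line.startswith('O20 - Winlogon Notify:'):
        dll = line.split(' - ', 2)[2]
        return ('review', 'Winlogon Notify DLL loads into winlogon.exe: ' + dll)
    m = O23_RE.match(line)
    if m and m.group('owner') == 'Unknown owner':
        path = m.group('path').strip()
        # A service whose image path is a bare directory cannot be a real service binary.
        if path.endswith('\\') or not path.lower().endswith(('.exe', '.sys')):
            return ('high', "service '%s' has no valid image path: %r" % (m.group('svc'), path))
    return None


def triage_log(text):
    """Run triage_line over every line; return a list of (line, severity, reason)."""
    hits = []
    for line in text.splitlines():
        result = triage_line(line)
        if result:
            hits.append((line.strip(),) + result)
    return hits


if __name__ == '__main__':
    for entry, severity, reason in triage_log(SAMPLE_LOG):
        print('[%s] %s\n    %s' % (severity, reason, entry))
```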

#9 MicheleKP
  • Topic Starter
  • Members
  • 20 posts

Posted 17 April 2008 - 10:31 PM

Ok, here's the latest Hijack This! log, thanks yet again :-)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:49 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\BigFix\bigfix.exe
C:\Documents and Settings\Owner\Desktop\TIS1610_1063\Setup\setup.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6455
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {E8CEF949-6287-48A4-808D-AE0164026F39} - C:\WINDOWS\system32\bat.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSI Configuration] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SfCtlCom - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6529 bytes

#10 bamajim

  • Members
  • 894 posts

Posted 18 April 2008 - 07:08 AM

MicheleKP

Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#11 MicheleKP
  • Topic Starter
  • Members
  • 20 posts

Posted 18 April 2008 - 08:35 AM

OK, ran combofix. Things are running smoother! Let me know if there is anything next.

Here's the log, thanks!!!!

ComboFix 08-04-17.1 - Owner 2008-04-18 8:56:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.415 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiVirusPro
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\Qxf86.sys
C:\WINDOWS\system32\drivers\WXEX60.sys
C:\WINDOWS\system32\msiconf.exe
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QXF86
-------\Legacy_WXEX60
-------\Service_Qxf86
-------\Service_Wxex60
-------\Service_WXEX60


((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-17 23:36 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-17 23:36 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-17 23:36 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-17 23:27 . 2008-04-17 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-17 18:44 . 2008-04-17 18:44 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-17 17:08 . 2008-04-18 08:53 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem
2008-04-17 17:08 . 2008-04-17 17:08 0 --a------ C:\30.tmp
2008-04-17 17:08 . 2008-04-17 17:08 0 --a------ C:\2F.tmp
2008-04-17 17:08 . 2008-04-17 17:08 0 --a------ C:\2E.tmp
2008-04-17 17:06 . 2008-04-17 17:08 47,104 --a------ C:\29.tmp
2008-04-17 17:06 . 2008-04-17 17:08 47,104 --a------ C:\20.tmp
2008-04-17 17:06 . 2008-04-17 17:06 0 --a------ C:\2A.tmp
2008-04-16 22:52 . 2008-04-17 17:06 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll
2008-04-16 22:44 . 2008-04-16 22:44 294 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-16 22:33 . 2008-03-01 09:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-16 22:33 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-16 22:33 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-16 22:33 . 2008-03-01 09:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-16 22:33 . 2008-03-01 09:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-16 22:33 . 2008-03-01 09:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-16 22:33 . 2008-03-01 09:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-16 22:33 . 2008-03-01 09:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-16 22:33 . 2008-02-22 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-16 22:29 . 2008-04-16 22:29 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-06 21:56 . 2008-04-06 21:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-06 21:56 . 2008-04-06 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-06 19:39 . 2008-04-06 19:39 <DIR> d-------- C:\Deckard
2008-04-06 18:58 . 2008-04-06 21:43 376 --a------ C:\look.bat
2008-04-06 05:58 . 2008-04-06 05:59 2 --a------ C:\34.tmp
2008-04-05 18:40 . 2008-04-05 18:41 2 --a------ C:\33.tmp
2008-04-05 18:39 . 2008-04-05 18:39 0 --a------ C:\32.tmp
2008-04-05 03:04 . 2008-04-05 03:04 21,694 --a------ C:\Documents and Settings\Owner\cftmon.exe
2008-04-05 01:57 . 2008-04-05 01:57 269,334 --a------ C:\WINDOWS\system32\pcfqlsb.bmp
2008-04-05 01:30 . 2008-04-05 01:30 269,334 --a------ C:\WINDOWS\system32\kbihsn.bmp
2008-04-03 12:53 . 2008-04-03 12:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-04-03 12:14 . 2008-04-03 12:14 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-03 12:13 . 2008-04-03 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad
2008-04-01 21:00 . 2008-04-01 21:00 0 --a------ C:\2D.tmp
2008-04-01 20:59 . 2008-04-01 20:59 0 --a------ C:\2C.tmp
2008-04-01 20:58 . 2008-04-01 20:59 2 --a------ C:\28.tmp
2008-04-01 20:58 . 2008-04-01 20:58 0 --a------ C:\21.tmp
2008-04-01 20:26 . 2008-04-01 20:26 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-01 20:12 . 2008-04-01 20:13 2 --a------ C:\27.tmp
2008-04-01 09:57 . 2008-04-01 09:58 2 --a------ C:\26.tmp
2008-04-01 09:57 . 2008-04-01 09:57 0 --a------ C:\25.tmp
2008-03-31 21:28 . 2008-03-31 21:28 0 --a------ C:\24.tmp
2008-03-31 21:28 . 2008-03-31 21:28 0 --a------ C:\23.tmp
2008-03-31 21:27 . 2008-03-31 21:27 0 --a------ C:\22.tmp
2008-03-31 21:26 . 2008-03-31 21:27 2 --a------ C:\1F.tmp
2008-03-31 21:26 . 2008-03-31 21:26 0 --a------ C:\1D.tmp
2008-03-31 21:26 . 2008-03-31 21:26 0 --a------ C:\1C.tmp
2008-03-31 21:24 . 2008-03-31 21:24 0 --a------ C:\1E.tmp
2008-03-31 21:23 . 2008-03-31 21:24 2 --a------ C:\1B.tmp
2008-03-31 21:23 . 2008-03-31 21:23 0 --a------ C:\1A.tmp
2008-03-31 21:23 . 2008-03-31 21:23 0 --a------ C:\15.tmp
2008-03-31 20:56 . 2008-03-31 20:56 0 --a------ C:\14.tmp
2008-03-31 20:55 . 2008-03-31 20:55 0 --a------ C:\E.tmp
2008-03-31 20:55 . 2008-03-31 20:55 0 --a------ C:\12.tmp
2008-03-31 20:54 . 2008-03-31 20:55 2 --a------ C:\7.tmp
2008-03-31 20:54 . 2008-03-31 20:54 0 --a------ C:\5.tmp
2008-03-31 20:54 . 2008-03-31 20:54 0 --a------ C:\4.tmp
2008-03-31 20:23 . 2008-03-31 20:23 269,334 --a------ C:\WINDOWS\system32\gfehob.bmp
2008-03-31 20:23 . 2008-03-31 20:24 2 --a------ C:\D.tmp
2008-03-31 20:23 . 2008-03-31 20:23 0 --a------ C:\6.tmp
2008-03-31 19:45 . 2008-03-31 19:45 2 --a------ C:\13.tmp
2008-03-31 19:43 . 2008-03-31 19:43 269,334 --a------ C:\WINDOWS\system32\idsjqhsj.bmp
2008-03-31 19:39 . 2008-03-31 19:39 0 --a------ C:\19.tmp
2008-03-31 19:39 . 2008-03-31 19:39 0 --a------ C:\18.tmp
2008-03-31 19:38 . 2004-08-10 15:00 88,064 --a------ C:\WINDOWS\system32\bat.dll
2008-03-31 19:38 . 2008-03-31 19:38 0 --a------ C:\16.tmp
2008-03-31 19:37 . 2008-03-31 19:37 269,334 --a------ C:\WINDOWS\system32\fmdkfihknmh.bmp
2008-03-31 19:37 . 2008-03-31 19:38 2 --a------ C:\C.tmp
2008-03-31 19:37 . 2008-03-31 19:37 0 --a------ C:\9.tmp
2008-03-31 19:37 . 2008-03-31 19:37 0 --a------ C:\8.tmp
2008-03-31 19:27 . 2008-03-31 20:23 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-03-31 19:27 . 2008-03-31 20:23 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-03-31 19:27 . 2008-03-31 19:27 29 --a------ C:\WINDOWS\system32\wfgqsita.tmp
2008-03-31 19:26 . 2008-03-31 19:26 269,334 --a------ C:\WINDOWS\system32\itcnmtobed.bmp
2008-03-31 19:23 . 2008-03-31 19:23 0 --a------ C:\F.tmp
2008-03-31 19:23 . 2008-03-31 19:23 0 --a------ C:\11.tmp
2008-03-31 19:23 . 2008-03-31 19:23 0 --a------ C:\10.tmp
2008-03-31 19:22 . 2008-03-31 19:22 2 --a------ C:\B.tmp
2008-03-31 19:22 . 2008-03-31 19:22 0 --a------ C:\A.tmp
2008-03-31 11:28 . 2008-03-31 11:28 2 --a------ C:\17.tmp
2008-03-30 15:45 . 2008-04-17 23:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-30 15:45 . 2008-04-17 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 15:10 . 2008-03-25 15:10 <DIR> d-------- C:\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 03:36 --------- d-----w C:\Program Files\Trend Micro
2008-04-18 03:14 --------- d-----w C:\Program Files\Pure Networks
2008-04-18 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-17 22:44 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-17 22:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-04-17 22:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-17 02:51 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-04-07 01:38 --------- d-----w C:\Program Files\World of Warcraft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22125D1D-7F23-42A6-A440-CDA087EE6414}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8CEF949-6287-48A4-808D-AE0164026F39}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 21:27 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 12:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 12:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 00:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-12-05 03:49 897089]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-08 00:57 98304]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"MSI Configuration"="msiconf.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxf86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-25 18:26]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 15:10]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 09:16:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-18 9:22:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 13:22:05

Pre-Run: 89,434,816,512 bytes free
Post-Run: 89,446,281,216 bytes free
.
2008-04-18 07:01:25 --- E O F ---

#12 bamajim

  • Members
  • 894 posts

Posted 18 April 2008 - 08:52 AM

MicheleKP

Good glad to hear it.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad (not the word CODE)
File::
C:\30.tmp
C:\2F.tmp
C:\2E.tmp
C:\29.tmp
C:\20.tmp
C:\2A.tmp
C:\WINDOWS\system32\cbOCR.dll
C:\34.tmp
C:\33.tmp
C:\32.tmp
C:\WINDOWS\system32\pcfqlsb.bmp
C:\WINDOWS\system32\kbihsn.bmp
C:\Documents and Settings\Owner\cftmon.exe
C:\2D.tmp
C:\2C.tmp
C:\28.tmp
C:\21.tmp
C:\27.tmp
C:\26.tmp
C:\25.tmp
C:\24.tmp
C:\23.tmp
C:\22.tmp
C:\1F.tmp
C:\1D.tmp
C:\1C.tmp
C:\1E.tmp
C:\1B.tmp
C:\1A.tmp
C:\15.tmp
C:\14.tmp
C:\E.tmp
C:\12.tmp
C:\7.tmp
C:\5.tmp
C:\4.tmp
C:\WINDOWS\system32\gfehob.bmp
C:\D.tmp
C:\6.tmp
C:\13.tmp
C:\WINDOWS\system32\idsjqhsj.bmp
C:\19.tmp
C:\18.tmp
C:\16.tmp
C:\WINDOWS\system32\fmdkfihknmh.bmp
C:\C.tmp
C:\9.tmp
C:\8.tmp
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\wfgqsita.tmp
C:\WINDOWS\system32\itcnmtobed.bmp
C:\F.tmp
C:\11.tmp
C:\10.tmp
C:\B.tmp
C:\A.tmp
C:\17.tmp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"=-
"Recguard"=-
"Broadcom Wireless Manager UI"=-
"UserFaultCheck"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-
"MSI Configuration"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxf86.sys]
Save the File as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again, Do so
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply

Microsoft MVP - Windows Security

#13 MicheleKP
  • Topic Starter
  • Members
  • 20 posts

Posted 18 April 2008 - 12:24 PM

Ran the script you gave me, here's the latest log. What's next?

Thanks for everything!!!


ComboFix 08-04-17.1 - Owner 2008-04-18 11:45:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.610 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\10.tmp
C:\11.tmp
C:\12.tmp
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\1D.tmp
C:\1E.tmp
C:\1F.tmp
C:\20.tmp
C:\21.tmp
C:\22.tmp
C:\23.tmp
C:\24.tmp
C:\25.tmp
C:\26.tmp
C:\27.tmp
C:\28.tmp
C:\29.tmp
C:\2A.tmp
C:\2C.tmp
C:\2D.tmp
C:\2E.tmp
C:\2F.tmp
C:\30.tmp
C:\32.tmp
C:\33.tmp
C:\34.tmp
C:\4.tmp
C:\5.tmp
C:\6.tmp
C:\7.tmp
C:\8.tmp
C:\9.tmp
C:\A.tmp
C:\B.tmp
C:\C.tmp
C:\D.tmp
C:\Documents and Settings\Owner\cftmon.exe
C:\E.tmp
C:\F.tmp
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\cbOCR.dll
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\fmdkfihknmh.bmp
C:\WINDOWS\system32\gfehob.bmp
C:\WINDOWS\system32\idsjqhsj.bmp
C:\WINDOWS\system32\itcnmtobed.bmp
C:\WINDOWS\system32\kbihsn.bmp
C:\WINDOWS\system32\pcfqlsb.bmp
C:\WINDOWS\system32\wfgqsita.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\10.tmp
C:\11.tmp
C:\12.tmp
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\1D.tmp
C:\1E.tmp
C:\1F.tmp
C:\20.tmp
C:\21.tmp
C:\22.tmp
C:\23.tmp
C:\24.tmp
C:\25.tmp
C:\26.tmp
C:\27.tmp
C:\28.tmp
C:\29.tmp
C:\2A.tmp
C:\2C.tmp
C:\2D.tmp
C:\2E.tmp
C:\2F.tmp
C:\30.tmp
C:\32.tmp
C:\33.tmp
C:\34.tmp
C:\4.tmp
C:\5.tmp
C:\6.tmp
C:\7.tmp
C:\8.tmp
C:\9.tmp
C:\A.tmp
C:\B.tmp
C:\C.tmp
C:\D.tmp
C:\Documents and Settings\Owner\cftmon.exe
C:\E.tmp
C:\F.tmp
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\cbOCR.dll
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\fmdkfihknmh.bmp
C:\WINDOWS\system32\gfehob.bmp
C:\WINDOWS\system32\idsjqhsj.bmp
C:\WINDOWS\system32\itcnmtobed.bmp
C:\WINDOWS\system32\kbihsn.bmp
C:\WINDOWS\system32\pcfqlsb.bmp
C:\WINDOWS\system32\wfgqsita.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-17 23:36 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-17 23:36 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-17 23:36 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-17 23:27 . 2008-04-17 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-17 18:44 . 2008-04-17 18:44 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-16 22:44 . 2008-04-16 22:44 294 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-16 22:33 . 2008-03-01 09:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-16 22:33 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-16 22:33 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-16 22:33 . 2008-03-01 09:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-16 22:33 . 2008-03-01 09:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-16 22:33 . 2008-03-01 09:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-16 22:33 . 2008-03-01 09:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-16 22:33 . 2008-03-01 09:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-16 22:33 . 2008-02-22 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-16 22:29 . 2008-04-16 22:29 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-06 21:56 . 2008-04-06 21:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-06 21:56 . 2008-04-06 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-06 19:39 . 2008-04-06 19:39 <DIR> d-------- C:\Deckard
2008-04-06 18:58 . 2008-04-06 21:43 376 --a------ C:\look.bat
2008-04-03 12:53 . 2008-04-03 12:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-04-03 12:14 . 2008-04-03 12:14 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-03 12:13 . 2008-04-03 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad
2008-04-01 20:26 . 2008-04-01 20:26 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-31 19:38 . 2004-08-10 15:00 88,064 --a------ C:\WINDOWS\system32\bat.dll
2008-03-30 15:45 . 2008-04-17 23:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-30 15:45 . 2008-04-17 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 15:10 . 2008-03-25 15:10 <DIR> d-------- C:\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 03:36 --------- d-----w C:\Program Files\Trend Micro
2008-04-18 03:14 --------- d-----w C:\Program Files\Pure Networks
2008-04-18 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-17 22:44 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-17 22:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-04-17 22:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-17 02:51 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-04-07 01:38 --------- d-----w C:\Program Files\World of Warcraft
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-18_ 9.20.52.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 13:15:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 13:59:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-18 13:15:55 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-18 13:59:49 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-18 13:15:55 65,536 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-18 13:59:49 65,536 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-18 13:15:55 311,296 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-18 13:59:49 311,296 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-18 12:45:56 63,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-18 13:21:48 63,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-18 12:45:56 406,896 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-18 13:21:48 406,896 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{020D9307-70DB-40D0-83A0-8A2CB2D2FF85}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22125D1D-7F23-42A6-A440-CDA087EE6414}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8CEF949-6287-48A4-808D-AE0164026F39}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 21:27 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 12:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 12:47 688218]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 00:05 344064]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-08 00:57 98304]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-25 18:26]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 15:10]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 11:52:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ntos.exe 571392 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-04-18 11:54:17
ComboFix-quarantined-files.txt 2008-04-18 15:54:08
ComboFix2.txt 2008-04-18 13:22:21

Pre-Run: 89,498,648,576 bytes free
Post-Run: 89,489,395,712 bytes free
.
2008-04-18 07:01:25 --- E O F ---

#14 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 18 April 2008 - 01:38 PM

MicheleKP

Good work. We need to make another script file.

1. Open Notepad (not WordPad). Copy and paste the following into Notepad (not the word "code"):
File::
C:\WINDOWS\system32\ntos.exe

Folder::
C:\WINDOWS\system32\wsnpoem
Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Drag CFScript into ComboFix.exe. You will be prompted to run ComboFix again; do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
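As an added example that is not part of bamajim's post and is not ComboFix's own code: the script below automates the two things the instructions above ask the user to do by hand. It reads the catchme "scanning hidden files" block of a ComboFix log, tells files (catchme prints a size and a type after them) apart from bare directory paths, and emits the File:: / Folder:: CFScript blocks in the form the helper asked for. A second function then checks a follow-up log for the expected outcome, namely that every path named in the script shows up under "Other Deletions" and that catchme reports "hidden files: 0". The two log excerpts embedded in the script are constructed from the paths shown in this thread; the parser only understands the catchme and Other Deletions sections, not the rest of the ComboFix log format. One caveat a practitioner would add: ntos.exe next to a wsnpoem folder holding audio.dll and video.dll is the on-disk layout used by early builds of the Zeus/Zbot credential-stealing trojan, so passwords typed on this laptop while it was infected should be treated as exposed and changed from a clean machine once the cleanup is confirmed.

```python
"""Build a ComboFix CFScript from the catchme 'hidden files' block of a
ComboFix log, then check a follow-up log for the expected deletions.

Added example for this thread; not ComboFix's code and not from the post.
The two sample logs are constructed from the paths shown in the thread.
"""
import re

# Constructed excerpt modelled on the catchme block of the first log.
SAMPLE_LOG = """\
scanning hidden files ...


C:\\WINDOWS\\system32\\ntos.exe 571392 bytes executable
C:\\WINDOWS\\system32\\wsnpoem

scan completed successfully
hidden files: 2
"""

# Constructed excerpt modelled on the log posted after the script was run.
SAMPLE_FOLLOWUP = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\WINDOWS\\system32\\ntos.exe
C:\\WINDOWS\\system32\\wsnpoem
C:\\WINDOWS\\system32\\wsnpoem\\audio.dll
C:\\WINDOWS\\system32\\wsnpoem\\video.dll

.
scanning hidden files ...

scan completed successfully
hidden files: 0
"""

# A drive-letter path, optionally followed by "<size> bytes <type>" for files.
HIDDEN_RE = re.compile(r"^([A-Za-z]:\\\S.*?)(?:\s+(\d+) bytes (\S+))?\s*$")


def parse_hidden(log: str):
    """Return (files, folders) listed between 'scanning hidden files' and
    'scan completed'. catchme prints a size and type after a hidden file
    and a bare path for a hidden directory; that is how they are told apart."""
    files, folders, inside = [], [], False
    for line in log.splitlines():
        if line.startswith("scanning hidden files"):
            inside = True
            continue
        if line.startswith("scan completed"):
            break
        if not inside or not line.strip():
            continue
        m = HIDDEN_RE.match(line.strip())
        if m:
            path, size, _kind = m.groups()
            (files if size else folders).append(path)
    return files, folders


def build_cfscript(log: str) -> str:
    """Emit the File:: / Folder:: blocks in the layout the helper asked for."""
    files, folders = parse_hidden(log)
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    return "\n\n".join(parts) + "\n"


def hidden_count(log: str) -> int:
    """The number catchme prints after 'hidden files:', or -1 if absent."""
    m = re.search(r"^hidden files: (\d+)$", log, re.M)
    return int(m.group(1)) if m else -1


def deleted_paths(log: str):
    """Paths listed under the 'Other Deletions' header of a follow-up log."""
    out, inside = set(), False
    for line in log.splitlines():
        if "Other Deletions" in line:
            inside = True
            continue
        if inside and line.startswith("((((("):
            break  # next ComboFix section header
        if inside and re.match(r"^[A-Za-z]:\\", line):
            out.add(line.strip())
    return out


def verify_cleanup(script: str, followup: str):
    """Every path named in the script must appear under Other Deletions and
    catchme must report no hidden files. Returns (missing paths, count)."""
    wanted = {l for l in script.splitlines() if l and not l.endswith("::")}
    missing = wanted - deleted_paths(followup)
    return sorted(missing), hidden_count(followup)


if __name__ == "__main__":
    script = build_cfscript(SAMPLE_LOG)
    print(script)  # this is the text to save as CFScript on the Desktop
    print("after re-run:", verify_cleanup(script, SAMPLE_FOLLOWUP))
```

Save the printed text as CFScript on the Desktop exactly as the instructions say. After the re-run, a non-empty "missing" list from verify_cleanup means ComboFix did not remove something it was told to, and that log is the one to post for the helper; a hidden-file count above zero means catchme still sees something stealthed and the script needs another pass. Note that the folder's contents (audio.dll and video.dll in this thread) appear under Other Deletions even though only the folder was named, which is the expected result of a Folder:: directive.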

#15 MicheleKP

MicheleKP
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 18 April 2008 - 04:36 PM

Things are looking better :-). Here's the latest log...

You guys are the best...



ComboFix 08-04-17.1 - Owner 2008-04-18 17:29:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.612 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ntos.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-17 23:36 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-17 23:36 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-17 23:36 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-17 23:27 . 2008-04-17 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-17 18:44 . 2008-04-17 18:44 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-16 22:44 . 2008-04-16 22:44 294 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-16 22:33 . 2008-03-01 09:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-16 22:33 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-16 22:33 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-16 22:33 . 2008-03-01 09:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-16 22:33 . 2008-03-01 09:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-16 22:33 . 2008-03-01 09:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-16 22:33 . 2008-03-01 09:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-16 22:33 . 2008-03-01 09:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-16 22:33 . 2008-02-22 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-16 22:29 . 2008-04-16 22:29 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-06 21:56 . 2008-04-06 21:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-06 21:56 . 2008-04-06 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-06 19:39 . 2008-04-06 19:39 <DIR> d-------- C:\Deckard
2008-04-06 18:58 . 2008-04-06 21:43 376 --a------ C:\look.bat
2008-04-03 12:53 . 2008-04-03 12:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-04-03 12:14 . 2008-04-03 12:14 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-03 12:13 . 2008-04-03 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad
2008-04-01 20:26 . 2008-04-01 20:26 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-31 19:38 . 2004-08-10 15:00 88,064 --a------ C:\WINDOWS\system32\bat.dll
2008-03-30 15:45 . 2008-04-17 23:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-30 15:45 . 2008-04-17 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 15:10 . 2008-03-25 15:10 <DIR> d-------- C:\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 03:36 --------- d-----w C:\Program Files\Trend Micro
2008-04-18 03:14 --------- d-----w C:\Program Files\Pure Networks
2008-04-18 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-17 22:44 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-17 22:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-04-17 22:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-17 02:51 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-04-07 01:38 --------- d-----w C:\Program Files\World of Warcraft
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-18_ 9.20.52.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 13:15:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 13:59:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-18 13:15:55 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-18 13:59:49 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-18 13:15:55 65,536 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-18 13:59:49 65,536 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-18 13:15:55 311,296 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-18 13:59:49 311,296 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-18 12:45:56 63,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-18 13:21:48 63,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-18 12:45:56 406,896 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-18 13:21:48 406,896 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{020D9307-70DB-40D0-83A0-8A2CB2D2FF85}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22125D1D-7F23-42A6-A440-CDA087EE6414}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8CEF949-6287-48A4-808D-AE0164026F39}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAA4392A-D22F-4E16-8AF2-BD4DD49902EC}]
2004-08-10 15:00 88064 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 21:27 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 12:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 12:47 688218]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 00:05 344064]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-08 00:57 98304]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-25 18:26]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 15:10]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 17:30:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-18 17:31:51
ComboFix-quarantined-files.txt 2008-04-18 21:31:48
ComboFix2.txt 2008-04-18 15:54:20
ComboFix3.txt 2008-04-18 13:22:21

Pre-Run: 89,473,851,392 bytes free
Post-Run: 89,466,494,976 bytes free
.
2008-04-18 07:01:25 --- E O F ---



