Wowfx / Pesttrap Removal



#1 Mat_with_2_many_cats

Posted 07 April 2008 - 04:58 PM

Hiya all, thanks for the great work you are doing!!!!...
I have been asked to help clear off a nasty infection from a friend's machine. Since following your instructions from other posts, I have managed to make some headway, but still have some problems.

I have pinpointed the issue to the following trojan(s):

wowfx error causing virus warning screen and an install of PestTrap.

I have run ComboFix, which seems to have cleared the majority of issues, but now I have a background appearing on reboot which states the following:

"Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer."

I have run a number of removal tools to get rid of the screen appearing on startup, but none can stop it appearing. The background will appear briefly if set on last boot up, only to then be replaced with the above message a few seconds later.

I have enabled all items in the msconfig startup area, then run HijackThis; the log is attached below, along with some other logs which may be of use. Please can anyone help?

Many thanks!! Matt


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:54, on 2008-04-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
c:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\SYSTEM32\amdevt16.exe
C:\WINDOWS\system32\ICO.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com ad=http://avsystemcare.com sd=http://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [SCFTrayStartUp] c:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ptask] C:\Program Files\AVSystemCare\ptask.exe
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [MSCTFMON] C:\WINDOWS\SYSTEM32\amdevt16.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdvancedCleaner Free] "C:\Program Files\AdvancedCleaner Free\UADC.exe" /min
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Audio Filter.lnk = C:\Program Files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en
O16 - DPF: {EC55014B-4D8D-4C8E-AC98-BFA7C1B315F7} (PVRemoteViewX Control) - http://81.149.12.131/PVRemoteViewX.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Client Firewall - Sophos Plc - c:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
O23 - Service: Sophos Client Firewall Manager - Sophos Plc - c:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

--
End of file - 12218 bytes






SmitFraudFix v2.309

Scan done at 22:30:08.89, 2008-04-07
Run from C:\Virus Removal\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\rashid iqbal


C:\Documents and Settings\rashid iqbal\Application Data


Start Menu


C:\DOCUME~1\RASHID~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS



Scanning for wininet.dll infection


End





ComboFix 08-04-04.1 - Administrator 2008-04-07 8:44:28.2 - NTFSx86 MINIMAL
Running from: F:\Cleaner2\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\rashid iqbal\Application Data\AVSystemCare
C:\Documents and Settings\rashid iqbal\Application Data\AVSystemCare\Logs\threats.log
C:\Documents and Settings\rashid iqbal\Application Data\AVSystemCare\Logs\update.log
C:\Documents and Settings\rashid iqbal\Application Data\install.dat
C:\Documents and Settings\rashid iqbal\Application Data\trant.exe
C:\Documents and Settings\rashid iqbal\Application Data\ultra
C:\Documents and Settings\rashid iqbal\Application Data\ultra\uninstall.bat
C:\Documents and Settings\rashid iqbal\ResErrors.log
C:\Program Files\Helper
C:\Program Files\Helper\bigsearchonline.dll
C:\Program Files\PestTrap
C:\Program Files\PestTrap\base.avd
C:\Program Files\PestTrap\base001.avd
C:\Program Files\PestTrap\base002.avd
C:\Program Files\PestTrap\found.wav
C:\Program Files\PestTrap\heur000.dll
C:\Program Files\PestTrap\heur001.dll
C:\Program Files\PestTrap\heur002.dll
C:\Program Files\PestTrap\heur003.dll
C:\Program Files\PestTrap\notfound.wav
C:\Program Files\PestTrap\PestTrap.dvm
C:\Program Files\PestTrap\PestTrap.exe
C:\Program Files\PestTrap\removed.wav
C:\Program Files\PestTrap\Uninstall.exe
C:\Program Files\Ultimate Defender
C:\Program Files\Ultimate Defender\UltimateDefender.pkg
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\cmprop.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\drivers\lnhimpbh.dat
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\ntload.sys
C:\WINDOWS\system32\update32.exe
C:\WINDOWS\system32\winsrc.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wscmp.dll
C:\WINDOWS\system32\xlibgfl254.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHLP
-------\Legacy_NTLOAD
-------\Service_ntload
-------\Service_vuwjwpxb
-------\Legacy_vuwjwpxb
-------\vuwjwpxb


((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 08:31 . 2008-04-07 08:31 269,334 --a------ C:\WINDOWS\system32\ojmtgfqd.bmp
2008-04-06 22:53 . 2008-04-06 22:53 269,334 --a------ C:\WINDOWS\system32\cnmtsbapgn.bmp
2008-04-06 22:13 . 2008-04-06 22:13 269,334 --a------ C:\WINDOWS\system32\jmdonatsfmpsn.bmp
2008-04-06 21:56 . 2008-04-06 21:56 269,334 --a------ C:\WINDOWS\system32\idknelkf.bmp
2008-04-06 21:54 . 2008-04-07 08:31 142 --a------ C:\WINDOWS\ODBC.INI
2008-04-06 21:27 . 2008-04-06 21:27 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-06 21:25 . 2006-05-08 12:43 98,048 --a------ C:\WINDOWS\system32\drivers\scfdriver.sys
2008-04-06 21:24 . 2008-04-06 21:24 <DIR> d-------- C:\scf10
2008-04-06 21:24 . 2008-04-06 21:24 <DIR> d-------- C:\Program Files\Common Files\Sophos
2008-04-06 21:21 . 2008-04-06 21:24 <DIR> d-------- C:\Program Files\Sophos
2008-04-06 21:21 . 2008-04-06 21:21 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-04-06 21:21 . 2008-04-06 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-04-06 21:21 . 2006-05-08 12:00 15,872 --a------ C:\WINDOWS\system32\SophosBootTasks.exe
2008-04-06 21:20 . 2008-04-06 21:20 <DIR> d-------- C:\savxpsa
2008-04-06 21:20 . 2006-01-05 17:43 80,128 --a------ C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
2008-04-06 21:20 . 2006-01-05 17:43 24,064 --a------ C:\WINDOWS\system32\drivers\savonaccessfilter.sys
2008-04-06 21:18 . 2008-04-06 21:18 269,334 --a------ C:\WINDOWS\system32\filor.bmp
2008-04-06 21:09 . 2008-04-06 21:09 269,334 --a------ C:\WINDOWS\system32\idsnehorqpknqt.bmp
2008-04-06 20:58 . 2008-04-06 20:58 269,334 --a------ C:\WINDOWS\system32\cjalsn.bmp
2008-04-06 20:54 . 2008-04-06 20:54 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-06 20:49 . 2008-04-06 20:49 269,334 --a------ C:\WINDOWS\system32\hsnihon.bmp
2008-04-06 20:37 . 2008-04-06 20:37 269,334 --a------ C:\WINDOWS\system32\dorqhkjelknqh.bmp
2008-04-06 19:59 . 2008-04-06 18:49 0 --a------ C:\ComboFix.exe
2008-04-06 19:58 . 2008-04-06 19:58 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-06 19:48 . 2008-04-06 19:48 269,334 --a------ C:\WINDOWS\system32\idknalgnqlsn.bmp
2008-04-06 19:43 . 2008-04-06 19:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-06 19:29 . 2008-04-06 20:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 18:11 . 2008-04-06 18:11 0 --a------ C:\WINDOWS\system32\sex1.ico.tmp
2008-04-06 18:10 . 2008-04-06 18:10 0 --a------ C:\WINDOWS\system32\sex2.ico.tmp
2008-04-06 18:08 . 2008-04-06 18:08 269,334 --a------ C:\WINDOWS\system32\beloretofqtsj.bmp
2008-04-06 17:50 . 2008-04-06 17:50 269,334 --a------ C:\WINDOWS\system32\rqlof.bmp
2008-04-06 17:41 . 2004-08-19 15:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-06 17:41 . 2004-08-19 15:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
2008-04-06 17:14 . 2008-04-06 17:14 269,334 --a------ C:\WINDOWS\system32\onipojahofmh.bmp
2008-04-06 16:50 . 2008-04-06 16:50 269,334 --a------ C:\WINDOWS\system32\oredojed.bmp
2008-03-28 23:41 . 2008-03-28 23:41 269,334 --a------ C:\WINDOWS\system32\sbqtgnqtgnmh.bmp
2008-03-28 23:33 . 2008-03-28 23:33 0 --a------ C:\WINDOWS\system32\wscmp.dll.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 20:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-06 16:46 --------- d-----w C:\Program Files\AntiVirusPro
2008-04-06 16:13 --------- d-----w C:\Program Files\fwlfnfxy
2008-02-24 07:16 259,336 ----a-w C:\Documents and Settings\rashid iqbal\Application Data\setup_en[1].exe
2008-02-22 19:29 --------- d-----w C:\Program Files\Performanceoptimizer (Free)
2008-02-22 19:29 --------- d-----w C:\Documents and Settings\rashid iqbal\Application Data\WinIFixer.com
2008-02-22 02:34 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-13 20:49 --------- d-----w C:\Program Files\Virgin Broadband
2008-02-11 21:01 --------- d-----w C:\Documents and Settings\rashid iqbal\Application Data\Virgin Broadband
2008-02-11 20:54 --------- d-----w C:\Program Files\Raxco
2008-02-11 20:54 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-11 20:54 --------- d-----w C:\Program Files\Common Files\Authentium
2008-02-11 20:54 --------- d-----w C:\Program Files\CA
2008-02-11 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-02-11 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-02-11 20:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 20:51 --------- d-----w C:\Documents and Settings\rashid iqbal\Application Data\InstallShield
2008-02-05 21:51 28,896 ----a-w C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-01-23 19:05 77,890 ----a-w C:\WINDOWS\system32\amdevt16.exe
2008-01-20 10:39 1,345 ----a-w C:\Documents and Settings\rashid iqbal\xl10050.exe
2008-01-03 21:44 189,984 ----a-w C:\Documents and Settings\rashid iqbal\Application Data\install_en[1].exe
2008-01-03 21:41 189,984 ----a-w C:\Documents and Settings\rashid iqbal\Application Data\installax_en[1].exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 09:21 114688]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10 339968]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2004-06-29 21:45 180224]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2004-06-29 14:49 122880]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-06-29 13:17 147456]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 13:00 143360]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]
"bm"="C:\Program Files\Common Files\AVSystemCare\bm.exe" [ ]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [2008-02-05 22:51 28896]
"SCFTrayStartUp"="c:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe" [2006-05-08 12:53 208896]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 13:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"wave1"= SSMSFltr.dll
"mixer1"= SSMSFltr.dll
"VIDC.PVW2"= pvwv220.dll
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PMP4"= PV3Decoder.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
backup=C:\WINDOWS\pss\broadband medic.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\-FreedomNeedsReboot]
--a------ 2007-09-05 15:10 13552 C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdvancedCleaner Free]
C:\Program Files\AdvancedCleaner Free\UADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-08 09:38 496752 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bikini]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 22:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
--a------ 2007-08-07 19:49 2061552 C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2003-12-30 11:40 380928 C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2002-03-14 16:46 45056 C:\WINDOWS\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSCTFMON]
--a------ 2008-01-23 20:05 77890 C:\WINDOWS\SYSTEM32\amdevt16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCguard]
--a------ 2007-09-05 15:10 310000 C:\Program Files\Virgin Broadband\PCguard\Rps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestTrap]
C:\Program Files\PestTrap\PestTrap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptask]
C:\Program Files\AVSystemCare\ptask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-15 09:20 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-03-15 09:19 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM_IAN]
C:\Program Files\AdvancedCleaner Free\ian_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinIFixer]
C:\Program Files\WinIFixer\WinIFixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Antivirus]
C:\Program Files\XP Antivirus\xpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\winav.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S1 SAVOnAccess Control;SAVOnAccess Control;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2006-01-05 17:43]
S1 SAVOnAccess Filter;SAVOnAccess Filter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2006-01-05 17:43]
S1 SCFDriver;SCF Kernel Driver;C:\WINDOWS\system32\Drivers\scfdriver.sys [2006-05-08 12:43]
S2 PackethSvc;Virtual NIC Service;C:\WINDOWS\system32\PackethSvc.exe [2000-12-07 16:51]
S2 Sophos Client Firewall Manager;Sophos Client Firewall Manager;"c:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe" [2006-05-08 12:34]
S2 Sophos Client Firewall;Sophos Client Firewall;"c:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe" [2006-05-08 12:48]
S2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-07-08 21:26]
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 13:00]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-07-08 21:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 07:43:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 08:46:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-04-07 8:47:47
ComboFix-quarantined-files.txt 2008-04-07 07:47:20
Pre-Run: 10,662,215,680 bytes free
Post-Run: 10,652,065,792 bytes free
.
2008-04-06 16:01:24 --- E O F ---

#2 rookie147

Posted 19 April 2008 - 03:33 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
As you can probably see our HijackThis Team is incredibly busy at the moment, but I apologise for the delay you have experienced. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A HijackThis Log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
