
Warning: Spyware Threat Has Been Detected On Your Pc


This topic is locked. 21 replies to this topic.

#1 ucmeflyn (Members, 20 posts)

Posted 11 April 2008 - 06:18 PM

I have two computers in a 3-computer network that have been infected with malware. I'm going to work on 1 at a time...
First computer:
The desktop background has been replaced with a blue screen that states: Warning: Spyware Threat Has Been Detected On Your Pc. I keep getting popups to fix the problem. Internet has been disabled. Task manager says it's been locked by the administrator.
A little history! We had the following worm (W32/rontokbro.gen@MM) last week and it had replicated itself 980 times. AVG appeared to have fixed it for over a week and now this.

Below is my Deckards System Scan...

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3400+
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 382.42 MiB / 120.08 MiB
Pagefile Memory (total/avail): 918.59 MiB / 501.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.26 MiB

C: is Fixed (NTFS) - 144.61 GiB total, 81.86 GiB free.
D: is Fixed (FAT32) - 4.43 GiB total, 2.71 GiB free.
E: is CDROM (Unformatted)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Fixed (FAT32) - 37.25 GiB total, 19.44 GiB free.
K: is Removable (FAT)

\\.\PHYSICALDRIVE0 - ST3160212A - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 144.61 GiB - C:
\PARTITION1 - Unknown - 4.44 GiB - D:

\\.\PHYSICALDRIVE1 - FUJITSU MHV2040AH USB Device - 37.26 GiB - 1 partition
\PARTITION0 - Unknown - 37.26 GiB - J:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE6 - PNY USB 2.0 FD USB Device - 1961.06 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 1967.98 MiB - K:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1138754495\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1138754495\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"="C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe:*:Enabled:MediaManager Application"
"C:\\Documents and Settings\\Rebel.CAPTAINQUARTERS\\My Documents\\My Music\\Azureus\\Azureus.exe"="C:\\Documents and Settings\\Rebel.CAPTAINQUARTERS\\My Documents\\My Music\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Documents and Settings\\Rebel.CAPTAINQUARTERS\\My Documents\\Music\\Azureus\\Azureus.exe"="C:\\Documents and Settings\\Rebel.CAPTAINQUARTERS\\My Documents\\Music\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Soldat\\Soldat.exe"="C:\\Soldat\\Soldat.exe:*:Enabled:Soldat"
"C:\\Documents and Settings\\Rebel.CAPTAINQUARTERS\\My Documents\\My Music\\cpm sci\\Azureus\\Azureus.exe"="C:\\Documents and Settings\\Rebel.CAPTAINQUARTERS\\My Documents\\My Music\\cpm sci\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD:*:Enabled:Age of Empires II Expansion"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CAPTAINQUARTERS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rebel.CAPTAINQUARTERS
LOGONSERVER=\\CAPTAINQUARTERS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\QuickTime\QTSystem\;C:\Sun\SDK\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\REBEL~1.CAP\LOCALS~1\Temp
TMP=C:\DOCUME~1\REBEL~1.CAP\LOCALS~1\Temp
USERDOMAIN=CAPTAINQUARTERS
USERNAME=Rebel
USERPROFILE=C:\Documents and Settings\Rebel.CAPTAINQUARTERS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Little Beotch
Rebel.CAPTAINQUARTERS (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AIM Toolbar 5.0 --> "C:\Program Files\AOL\AIM Toolbar 5.0\uninstall.exe"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Azureus Vuze --> C:\Documents and Settings\Rebel.CAPTAINQUARTERS\My Documents\Music\Azureus\uninstall.exe
Bat --> "C:\Program Files\Bat\un_BatSetup_15041.exe"
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
BounceBack Express --> C:\WINDOWS\BBUninstall.exe
Browser Address Error Redirector --> regsvr32 /u /s "c:\windows\system32\BAE.dll"
Canon Camera Access Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{901F8ED7-13E8-43EF-B738-2FE89B0588EB} /l1033
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}
Canon Camera Window DSLR 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0A146245-DB79-4197-BF5D-FE1A699A2CC7}
Canon Camera Window MC 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}
Canon iP1600 --> C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4DBBF091-FACD-422C-B43C-786335BD5398}
Canon PhotoRecord --> MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}
Canon ZoomBrowser EX (E) --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
DiscAPI (Studio 10) --> MsiExec.exe /X{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Express Burn --> C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
Graph 4.3 --> "C:\Documents and Settings\Rebel.CAPTAINQUARTERS\My Documents\math\Graph\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
iPod for Windows 2005-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Development Kit 5.0 Update 11 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150110}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java Platform, Enterprise Edition 5 SDK --> "C:\Sun\SDK\uninstall.exe" -javahome "C:\Program Files\Java\jdk1.5.0_11"
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
JCreator LE 4.00 --> "C:\Program Files\Xinox Software\JCreatorV4LE\unins000.exe"
LimeWire 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (PINNACLESYS) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\setup.exe" -l0x9 UNINSTALL
Pinnacle MediaServer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{460CE8B9-6EC2-458A-90D4-691631ECE9D9}\setup.exe" -l0x9 UNINSTALL
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
proDAD Heroglyph 2.5 --> "C:\Program Files\proDAD\Heroglyph-2.5\uninstall.exe" uninstall spcp PATHVERSION 2.5 MAINNAME Heroglyph
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RAPID (Studio 10) --> MsiExec.exe /X{EEECE229-49F6-4851-A73A-99B058221F8C}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Security Update for Step By Step Interactive Training (KB898458) -->
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
Soldat 1.3.1 --> c:\Soldat\unins000.exe
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Studio 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CB05291-F546-458E-A796-B5BCF5A3CDC4}\Setup2.exe" -l0x9 UNINSTALL
Studio 10 Bonus DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6A012D9C-2E2E-405A-B87C-E909F5297C3F}\Setup.exe" -l0x9 UNINSTALL
Sun Download Manager 2.0 (web) --> C:\WINDOWS\system32\javaws.exe -uninstall "http://javadl-esd.sun.com/update/sdm20/sdm20.jnlp"
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2178 / Warning
Event Submitted/Written: 04/09/2008 05:13:24 PM
Event ID/Source: 19011 / MSSQL$PINNACLESYS
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2175 / Error
Event Submitted/Written: 04/07/2008 09:00:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2167 / Warning
Event Submitted/Written: 04/06/2008 06:11:19 PM
Event ID/Source: 19011 / MSSQL$PINNACLESYS
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2157 / Warning
Event Submitted/Written: 04/06/2008 08:18:03 AM
Event ID/Source: 19011 / MSSQL$PINNACLESYS
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2153 / Error
Event Submitted/Written: 04/06/2008 01:30:31 AM / 04/06/2008 01:30:32 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-04-06 08:30:31,114 CAPTAINQUARTERS [001600:001612] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2368) call failed with WIN32 error 87, returning session id is 0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type241622 / Error
Event Submitted/Written: 04/10/2008 05:08:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At1.job command failed to start due to the following error:
%%2147942402

Event Record #/Type241621 / Warning
Event Submitted/Written: 04/10/2008 11:06:53 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type241620 / Error
Event Submitted/Written: 04/10/2008 08:13:26 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type241612 / Error
Event Submitted/Written: 04/09/2008 05:33:20 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 30 minutes.
NtpClient has no source of accurate time.

Event Record #/Type241611 / Error
Event Submitted/Written: 04/09/2008 05:33:20 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)



-- End of Deckard's System Scanner: finished at 2008-04-11 16:07:32 ------------


Please help! My son needs his computer for a huge senior project due Monday!!!

Thanks,
ucmeflyn

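The Security Center section of the scan above dumps the XP firewall's AuthorizedApplications list, one registry value per line in the form "path"="path:scope:Enabled:display name". As an added example (not code from the original post, nor anything BleepingComputer or the scanner ships), here is a small Python triage script that parses that export format and flags the exceptions a responder would look at first: enabled entries whose executable lives outside Windows and Program Files (in particular inside a user profile, which is user-writable), and entries whose display name shares no word with the path. The sample lines are copied from the log above; the function names and the heuristics are the editor's own, and the heuristics are hints for a second look, not verdicts.

```python
"""Triage the Windows XP firewall AuthorizedApplications list as dumped by
Deckard's System Scanner.  Added example for this thread, not code from the
original post; the heuristics and helper names are the editor's own.
Each registry value has the form  "path"="path:scope:Enabled|Disabled:name"."""
import re
from typing import List, NamedTuple, Tuple


class FirewallException(NamedTuple):
    path: str      # executable the exception applies to
    scope: str     # "*" means any remote address; may also be a subnet list
    enabled: bool
    name: str      # display name shown in the Windows Firewall UI


# Constructed sample: a handful of lines copied from the StandardProfile list
# in the scan above, in the registry-export style DSS uses (backslashes doubled).
SAMPLE_LIST = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Rebel.CAPTAINQUARTERS\\My Documents\\My Music\\Azureus\\Azureus.exe"="C:\\Documents and Settings\\Rebel.CAPTAINQUARTERS\\My Documents\\My Music\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Soldat\\Soldat.exe"="C:\\Soldat\\Soldat.exe:*:Enabled:Soldat"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
'''

_LINE_RE = re.compile(r'^"(?P<key>.+?)"="(?P<value>.+)"$')

# Locations where an installed program's executable normally lives (lower-case).
_STANDARD_ROOTS = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")
_USER_PROFILES = "c:\\documents and settings\\"
_ALL_USERS = _USER_PROFILES + "all users\\"


def parse_exception_list(text: str) -> List[FirewallException]:
    """Parse the registry-export lines; raise on anything that is not one."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f"not an AuthorizedApplications line: {line}")
        key = match.group("key").replace("\\\\", "\\")
        value = match.group("value").replace("\\\\", "\\")
        # The value repeats the path, so split the remainder after that prefix
        # rather than on the drive-letter colon.
        if not value.startswith(key + ":"):
            raise ValueError(f"value does not repeat the key path: {line}")
        scope, state, name = value[len(key) + 1:].split(":", 2)
        entries.append(FirewallException(key, scope, state.lower() == "enabled", name))
    return entries


def review_exceptions(entries: List[FirewallException]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for enabled exceptions worth a second look.
    These are triage hints, not verdicts: a legitimate game installed to C:\\
    trips the location check just as a dropper in a profile does."""
    findings = []
    for entry in entries:
        if not entry.enabled:
            continue
        path = entry.path.lower()
        if path.startswith(_USER_PROFILES) and not path.startswith(_ALL_USERS):
            findings.append((entry.path, "executable inside a user profile (user-writable location)"))
        elif not path.startswith(_STANDARD_ROOTS):
            findings.append((entry.path, "executable outside Windows and Program Files"))
        # Resource-string display names (@dll,-id) carry no words to compare;
        # otherwise expect at least one word of the name to appear in the path.
        if not entry.name.startswith("@"):
            words = re.findall(r"[A-Za-z0-9]+", entry.name.lower())
            if words and not any(word in path for word in words):
                findings.append((entry.path, f"display name {entry.name!r} shares no word with the path"))
    return findings


if __name__ == "__main__":
    for path, reason in review_exceptions(parse_exception_list(SAMPLE_LIST)):
        print(f"{reason}: {path}")
```

Run against the full list from the scan, this prints each flagged path with its reason; every exception in this log has scope "*", so the location and naming checks are what separate the entries. Anything flagged still needs the binary's signer, hash and creation time checked before it is treated as malicious.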

#2 ucmeflyn (Topic Starter, Members, 20 posts)

Posted 14 April 2008 - 05:48 PM

Re: Warning: Spyware (SMITFRAUD)

Bump


I took it upon myself to do a little research and found that my computers were infected with the Smitfraud spyware. So I went into the help section, found the info and managed to eradicate the issue; however, I still have a VERY SLOW computer and random ad pop-ups from something called Internet Speed Monitor. I searched but have not found a fix. Below is my HJT log and attached scans from Smitfraud and AVG Anti-Spyware.

Please

Attached are the following:
AVG Spyware scan results
Smitfraud Fix Scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:21 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Java\jdk1.5.0_11\bin\javaw.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\QdrPack\QdrPack15.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
O1 - Hosts: "http://www.w3.org/TR/html4/loose.dtd">
O1 - Hosts: <html>
O1 - Hosts: <head>
O1 - Hosts: <script LANGUAGE="JavaScript">
O1 - Hosts: <!--
O1 - Hosts: if (window != top)
O1 - Hosts: top.location.href = location.href;
O1 - Hosts: // -->
O1 - Hosts: </script>
O1 - Hosts: <title>Site Unavailable</title>
O1 - Hosts: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O1 - Hosts: <style type="text/css">
O1 - Hosts: body{text-align:center;}
O1 - Hosts: .geohead {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;width:750px;margin:10px 0 10px 0;height:35px;}
O1 - Hosts: .geohead #geologo {width:270px;display:block; float:left; }
O1 - Hosts: .geohead #rightside {width:480px;display:block; float:right;border-bottom:1px solid #999999; height:27px;}
O1 - Hosts: .geohead #rightside #welcome {width:50%;display:block; float:left; text-align:left;}
O1 - Hosts: .geohead #rightside #wlinks {width:50%;display:block; float:right; text-align:right;}
O1 - Hosts: .ftr { margin:0px; color:#404040; font:x-small Arial,sans-serif; text-align:center; width:750px;}
O1 - Hosts: .bodywrap{display:block;height:470px;}
O1 - Hosts: .bodycnt{width:510px; display:block; float:left; background-color:#EEE9F5; height:auto; text-align:left; font-family:Arial, Helvetica, sans-serif;font-size:13px; color:#000000; padding:20px 20px 35px 20px;}
O1 - Hosts: .title { font-family:Arial, Helvetica, sans-serif; font-weight:bold; font-size:24px; color:#7C56A9}
O1 - Hosts: .adcnt{width:172px; display:block; float:right; text-align:left;cursor:pointer;cursor:hand;}
O1 - Hosts: .adcnt td {text-align:left;}
O1 - Hosts: .adsubt{font-size:10px; font-family:verdana; font-weight:bold; color:#b4b4b4; cursor:default;margin-top:5px;}
O1 - Hosts: .ybadge { font-family: Verdana, Arial, Helvetica, sans-serif; font-size:10px; color: #666666; margin-top:10px;}
O1 - Hosts: .ybadge img {margin-top:6px;}
O1 - Hosts: .adtable {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;border: 1px solid #d6dbe7; background-color:#eff7ff; padding:3px; margin-bottom:10px; width:172px;}
O1 - Hosts: .adttl{font-weight:bold;margin-bottom:3px;}
O1 - Hosts: .addescr{color:#6b6b6b; margin-bottom:3px;}
O1 - Hosts: .adlink a {color:#008200; text-decoration:none;}
O1 - Hosts: </style>
O1 - Hosts: </head>
O1 - Hosts: <body>
O1 - Hosts: <!-- following code added by server. PLEASE REMOVE -->
O1 - Hosts: <!-- preceding code added by server. PLEASE REMOVE -->
O1 - Hosts: <div id="maincnt">
O1 - Hosts: <div class="geohead"><div id="geologo"><a href="http://geocities.yahoo.com"><img height=33 alt="Yahoo! GeoCities" src="http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_geo_1.gif" width=259 border=0></a></div>
O1 - Hosts: <div id="rightside"><div id="wlinks"><a href="http://geocities.yahoo.com">GeoCities Home</a> - <a href="http://www.yahoo.com">Yahoo!</a> - <a href="http://help.yahoo.com/help/us/geo/">Help</a></div>
O1 - Hosts: </div></div>
O1 - Hosts: <div class="bodywrap">
O1 - Hosts: <div class="bodycnt">
O1 - Hosts: <div class="title">Sorry, this GeoCities site is currently unavailable.</div>
O1 - Hosts: <p>The GeoCities web site you were trying to view has temporarily exceeded its data transfer limit. Please try again later. </p>
O1 - Hosts: <p>Are you the site owner?
O1 - Hosts: Avoid service interruptions in the future by increasing your data transfer limit!
O1 - Hosts: <a href="http://help.yahoo.com/help/us/geo/transfer/transfer-05.html" target="_blank">Find out how.</a> </p>
O1 - Hosts: <p><a href="http://help.yahoo.com/help/us/geo/transfer/" target="_blank">Learn more about data transfer.</a></p>
O1 - Hosts: </div>
O1 - Hosts: <div class="adcnt">
O1 - Hosts: <a target="_top" href="http://geocities.yahoo.com"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/smbiz/b/geo_mast_small2.gif" alt="Yahoo! GeoCities" border="0" height="15" hspace="0" vspace="0" width="141"></a>
O1 - Hosts: <div class="adsubt">SPONSORED LINKS</div>
O1 - Hosts: <!--<table width="172" border="0" bgcolor="#FFFFFF" class="adtable"><tr><td align=left>-->
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl" title="Reliable plans include domain &amp; 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27166/*http://smallbusiness.yahoo.com/webhosting" target="_blank">Yahoo! Web Hosting<br>
O1 - Hosts: $25 Setup Waived</a></div>
O1 - Hosts: <div class="addescr" title="Reliable plans include domain &amp; 24x7 support.">Reliable plans include domain &amp; 24x7 support.</div>
O1 - Hosts: <div class="adlink" title="Reliable plans include domain &amp; 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27166/*http://smallbusiness.yahoo.com/webhosting" target="_blank">webhosting.yahoo.com</a></div>
O1 - Hosts: </div>
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl" title="Reliable plans include domain &amp; 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27176/*http://smallbusiness.yahoo.com/domains/" target="_blank">Domain Names from Yahoo! only $9.95/yr</a></div>
O1 - Hosts: <div class="addescr" title="Includes starter web page, email & domain forwarding, 24x7 support.">Includes starter web page, email & domain forwarding, 24x7 support.</div>
O1 - Hosts: <div class="adlink" title="Includes starter web page, email & domain forwarding, 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27176/*http://smallbusiness.yahoo.com/domains/" target="_blank">domains.yahoo.com</a></div>
O1 - Hosts: </div>
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl" title="Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27184/*http://smallbusiness.yahoo.com/mail" target="_blank">Yahoo! Business Email<br> Domain Included</a></div>
O1 - Hosts: <div class="addescr" title="Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning.">Setup fee waived. Up to 10 emails, SpamGuard, forwarding &amp; virus scanning.</div>
O1 - Hosts: <div class="adlink" title="Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27184/*http://smallbusiness.yahoo.com/mail" target="_blank">smallbusiness.yahoo.com</a></div>
O1 - Hosts: </div>
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl" title="$50 setup fee waived. A reliable ecommerce plan, 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=/27190/*http://smallbusiness.yahoo.com/merchant" target="_blank">Ecommerce from Yahoo!<br> 1 Month Free</a></div>
O1 - Hosts: <div class="addescr" title="$50 setup fee waived. A reliable ecommerce plan, 24x7 support.">$50 setup fee waived. A reliable ecommerce plan, 24x7 support.</div>
O1 - Hosts: <div class="adlink" title="$50 setup fee waived. A reliable ecommerce plan, 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=/27190/*http://smallbusiness.yahoo.com/merchant" target="_blank">smallbusiness.yahoo.com</a></div>
O1 - Hosts: </div>
O1 - Hosts: <div class="ybadge">
O1 - Hosts: Get your own web site at <br><a target="_top" href="http://geocities.yahoo.com">Yahoo! GeoCities</a>
O1 - Hosts: <a href="http://smallbusiness.yahoo.com/webhosting/" target="_top"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/wh/gr/badge_hostedby_purp_2.gif" alt="Hosted by Yahoo! Web Hosting" align="middle" border="0" height="31" width="88"></a>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: <div class=ftr>
O1 - Hosts: <hr size=1 width=100%>
O1 - Hosts: Copyright &copy;
O1 - Hosts: 2005 Yahoo! Inc. All rights reserved<br>
O1 - Hosts: <a href="http://privacy.yahoo.com/privacy/us/geo/">Privacy Policy</a>
O1 - Hosts: - <a href="http://docs.yahoo.com/info/copyright/copyright.html">Copyright Policy</a>
O1 - Hosts: - <a href="http://docs.yahoo.com/info/guidelines/community.html">Guidelines</a>
O1 - Hosts: - <a href="http://docs.yahoo.com/info/terms/geoterms.html">Terms of Service</a>
O1 - Hosts: - <a href="http://help.yahoo.com/help/us/geo/">Help</a>
O1 - Hosts: </div>
O1 - Hosts: </div>
O1 - Hosts: </body>
O1 - Hosts: </html>
O1 - Hosts: <!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
O1 - Hosts: <IMG SRC="http://geo.yahoo.com/serv?s=19190039&t=1206324526&f=us-w75" ALT=1 WIDTH=1 HEIGHT=1>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\REBEL~1.CAP\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.....;/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...60/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 18534 bytes
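The HijackThis log above shows the two things an analyst looks for first: a hosts file whose contents are a downloaded HTML page rather than "IP hostname" entries (the O1 lines), and autostart entries that run from a user's Temp directory or point at a file that no longer exists (the O2 and O4 lines). As an added example that is neither HijackThis code nor anything posted in this thread, the Python script below applies those checks to a constructed sample made of lines copied from the log (plus one ordinary hosts line, added to show what passes). The rules and reason strings are my own; HijackThis does not produce them.

```python
import re

# Constructed sample in HijackThis report format. The O1/O2/O4/O23 lines are
# copied from the log above; the "127.0.0.1 localhost" line is added to show a
# normal hosts entry. This is not HijackThis code and not the thread's own data.
SAMPLE_LOG = r"""O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: <div class="adtable">
O1 - Hosts: Copyright &copy;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\REBEL~1.CAP\LOCALS~1\Temp\ie.exe
O4 - Startup: SDK Tray Menu.lnk = ?
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A legitimate hosts line is "<IPv4 address> <hostname ...>"; comments start with '#'.
HOSTS_ENTRY = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}\s+\S+")
# Any path component named Temp, e.g. ...\LOCALS~1\Temp\ie.exe or C:\WINDOWS\TEMP\salm.exe
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(log_text):
    """Return a list of (reason, line) for HijackThis entries worth a closer look.

    Heuristics (mine, not HijackThis's):
      O1  - hosts content that is neither an 'IP hostname' entry nor a comment
      O2  - BHO whose DLL is missing, or that loads from a Temp directory
      O4  - autostart that runs from a Temp directory, or whose target is '?'
      O23 - service whose binary lives in a Temp directory
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, payload = line.partition(" - ")
        if kind == "O1":
            body = payload.partition(":")[2].strip()   # drop the leading "Hosts:"
            if not (HOSTS_ENTRY.match(body) or body.startswith("#")):
                findings.append(("hosts file contains non-hosts content", line))
        elif kind == "O2":
            if payload.endswith("(no file)"):
                findings.append(("BHO registered but its DLL is missing", line))
            elif TEMP_DIR.search(payload):
                findings.append(("BHO loads from a Temp directory", line))
        elif kind == "O4":
            if TEMP_DIR.search(payload):
                findings.append(("autostart runs a binary from a Temp directory", line))
            elif payload.endswith("= ?"):
                findings.append(("startup shortcut target could not be resolved", line))
        elif kind == "O23":
            if TEMP_DIR.search(payload):
                findings.append(("service binary lives in a Temp directory", line))
    return findings


def count_by_reason(findings):
    """Group triage results by reason so a long log can be skimmed quickly."""
    counts = {}
    for reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

On the sample this flags the two HTML hosts lines, the orphaned BHO, the Temp-directory Run entry and the unresolved startup shortcut, and passes the Java updater and the iPod service. The rules are deliberately path-based, so an entry installed under Program Files with a plausible name passes them; that is why the expert in this thread reads the whole log rather than trusting a filter, and why the script is a first pass, not a verdict.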

#3 SifuMike
malware expert, Staff Emeritus
Location: Vancouver (not BC) WA (Not DC) USA

Posted 18 April 2008 - 10:09 PM

Hello ucmeflyn,

This computer is really infected, so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.




Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT

You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. Please DO NOT attach it, as that makes it hard to read.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 ucmeflyn (Topic Starter)

Posted 19 April 2008 - 10:39 PM

Hi SifuMike,
Sorry for the delay, I will do as instructed and post the results tomorrow...

Thanks

#5 ucmeflyn (Topic Starter)

Posted 19 April 2008 - 11:22 PM

SifuMike,
OK, I'm a little scared! My son attempted to follow your instructions and messed up. I don't think he understood the recovery console part and thought combofix would ask to install it. Combofix ran OK and I have a log but his desktop is blank! He did not touch it after combofix was done and it's still on. Are we screwed? What do I do from here? Below is the combo fix log...

ComboFix 08-04-18.3 - Rebel 2008-04-19 20:57:03.1 - NTFSx86
Running from: C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\ntnut.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\textos.txt
C:\WINDOWS\winsb.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-13 21:24 . 2008-04-13 21:24 102 --a------ C:\WINDOWS\wininit.ini
2008-04-13 17:06 . 2008-04-13 17:06 <DIR> d-------- C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\Grisoft
2008-04-13 17:06 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-13 16:41 . 2008-04-13 16:41 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-13 14:09 . 2008-04-13 14:09 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 11:44 . 2008-04-13 17:17 3,732 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-11 16:04 . 2008-04-11 16:09 <DIR> d-------- C:\Deckard
2008-04-07 20:28 . 2008-04-07 20:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 01:31 . 2008-04-13 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 01:30 . 2008-04-06 01:30 <DIR> d-------- C:\WINDOWS\uprjiefj
2008-04-06 01:30 . 2008-04-06 01:32 <DIR> d-------- C:\Program Files\Bat
2008-04-06 01:30 . 2008-04-13 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zopsnyvq
2008-04-06 01:30 . 2008-04-06 01:30 182,784 --a------ C:\WINDOWS\czgjknwv.dll
2008-04-06 01:28 . 2008-04-06 01:28 6,656 --a------ C:\WINDOWS\ons.dll
2008-03-26 21:37 . 2008-04-19 11:52 <DIR> d-------- C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\AVG7
2008-03-26 21:37 . 2008-04-13 13:40 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-26 21:36 . 2008-03-26 21:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-26 21:36 . 2008-04-13 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-26 21:36 . 2008-03-26 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-26 21:01 . 2008-03-26 21:01 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-26 19:50 . 2008-03-26 20:56 512 --a------ C:\WINDOWS\randseed.rnd
2008-03-26 19:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-26 19:15 . 2008-03-26 19:15 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 03:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-31 03:31 --------- d-----w C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\LimeWire
2008-03-27 02:40 --------- d-----w C:\Program Files\Java
2008-03-27 02:06 --------- d-----w C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\AdobeUM
2008-03-17 01:22 --------- d-----w C:\Program Files\AIM6
2008-03-17 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-17 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-13 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\two setup mode load
2008-03-12 01:05 --------- d-----w C:\Program Files\BitDownload
2008-01-26 23:26 5,120 ----a-w C:\WINDOWS\rictions.dll
2008-01-26 23:26 5,120 ----a-w C:\info.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 21:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 11:03 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 09:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 09:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 09:32 86016]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 06:09 139264]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 00:26 406016]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16 1121792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 15:07 90112 C:\WINDOWS\soundman.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 08:10 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-26 21:36 219136]

C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [2008-04-06 01:29:53 178419]
SDK Tray Menu.lnk - C:\Program Files\Java\jdk1.5.0_11\bin\javaw.exe [2007-03-30 16:05:24 53346]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"C:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2004-02-23 08:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbef03f5-9bec-11da-9785-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 23:13:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 21:02:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 21:11:59
ComboFix-quarantined-files.txt 2008-04-20 04:11:53

Pre-Run: 87,763,288,064 bytes free
Post-Run: 88,118,931,456 bytes free

172 --- E O F --- 2008-04-13 23:46:17

#6 SifuMike
malware expert, Staff Emeritus
Location: Vancouver (not BC) WA (Not DC) USA

Posted 19 April 2008 - 11:41 PM

Hello ucmeflyn,

OK, I'm a little scared! My son attempted to follow your instructions and messed up. I don't think he understood the recovery console part and thought combofix would ask to install it. Combofix ran OK and I have a log but his desktop is blank! He did not touch it after combofix was done and it's still on. Are we screwed? What do I do from here? Below is the combo fix log...


You should be scared!
Looks like your son was in a big rush and did not read and follow the instructions.

You may be screwed!

I warned you the Recovery Console was necessary but you chose to ignore it. Not good.
We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore.

after combofix was done and it's still on.


What is still on? ComboFix? or the Computer?



I will have to call out the cavalry and get back to you. This may take a while.


In the meantime, you just posted another log. http://www.bleepingcomputer.com/forums/t/142749/ive-been-hacked-my-email-ebay-and-paypal-passwords/

Is that the same computer or a different computer?
If it is a different computer, then please mark it "second computer".
If it is the same computer, then edit the post and ask that it be deleted.

Edited by SifuMike, 20 April 2008 - 12:03 AM.


#7 ucmeflyn (Topic Starter)

Posted 19 April 2008 - 11:46 PM

The combo fix log is still on the desktop but it looks like combofix closed. The computer is still on as well. I can see the background picture but no icons...

The other log is for my computer... I'll edit the post and state that...

Thanks!

I hope you can help...

#8 SifuMike
malware expert, Staff Emeritus
Location: Vancouver (not BC) WA (Not DC) USA

Posted 20 April 2008 - 12:31 AM

Hello ucmeflyn,

Try rebooting the computer and see if the icons return.

#9 ucmeflyn (Topic Starter)

Posted 20 April 2008 - 05:58 PM

Hi SifuMike,

Sorry for the delay but since I feared the computer might crash, I could not risk losing all my son's info and schoolwork. I purchased an external hard drive and because I left the combofix log on the desktop, I was able to navigate in the save as feature, so I could copy and paste all his important info to the external. It took a while but it worked!

Now for the good news! Lucky me... I rebooted the computer and everything appears to be working normally.

Where do we go from here? You have the combofix log...

Thanks,
Dave

#10 SifuMike
malware expert, Staff Emeritus
Location: Vancouver (not BC) WA (Not DC) USA

Posted 20 April 2008 - 06:04 PM

Hello Dave,

Before we go on, you need to install Recovery Console.
It is our safety net. :thumbsup:
Please visit this webpage for instructions for installing Recovery Console: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You do not need the Windows CD to install Recovery Console.

After you install Recovery Console, run ComboFix again and post the ComboFix log.

#11 ucmeflyn (Topic Starter)

Posted 20 April 2008 - 07:08 PM

Hi SifuMike,

OK the windows recovery console worked as instructed. Here is the combofix log.

ComboFix 08-04-18.3 - Rebel 2008-04-20 16:47:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.85 [GMT -7:00]
Running from: C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-13 21:24 . 2008-04-13 21:24 102 --a------ C:\WINDOWS\wininit.ini
2008-04-13 17:06 . 2008-04-13 17:06 <DIR> d-------- C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\Grisoft
2008-04-13 17:06 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-13 16:41 . 2008-04-13 16:41 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-13 14:09 . 2008-04-13 14:09 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 11:44 . 2008-04-13 17:17 3,732 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-11 16:04 . 2008-04-11 16:09 <DIR> d-------- C:\Deckard
2008-04-07 20:28 . 2008-04-07 20:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 01:31 . 2008-04-13 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 01:30 . 2008-04-06 01:30 <DIR> d-------- C:\WINDOWS\uprjiefj
2008-04-06 01:30 . 2008-04-06 01:32 <DIR> d-------- C:\Program Files\Bat
2008-04-06 01:30 . 2008-04-13 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zopsnyvq
2008-04-06 01:30 . 2008-04-06 01:30 182,784 --a------ C:\WINDOWS\czgjknwv.dll
2008-04-06 01:28 . 2008-04-06 01:28 6,656 --a------ C:\WINDOWS\ons.dll
2008-03-26 21:37 . 2008-04-19 11:52 <DIR> d-------- C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\AVG7
2008-03-26 21:37 . 2008-04-13 13:40 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-26 21:36 . 2008-03-26 21:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-26 21:36 . 2008-04-13 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-26 21:36 . 2008-03-26 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-26 21:01 . 2008-03-26 21:01 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-26 19:50 . 2008-03-26 20:56 512 --a------ C:\WINDOWS\randseed.rnd
2008-03-26 19:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-26 19:15 . 2008-03-26 19:15 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 03:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-31 03:31 --------- d-----w C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\LimeWire
2008-03-27 02:40 --------- d-----w C:\Program Files\Java
2008-03-27 02:06 --------- d-----w C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 01:22 --------- d-----w C:\Program Files\AIM6
2008-03-17 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-17 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-13 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\two setup mode load
2008-03-12 01:05 --------- d-----w C:\Program Files\BitDownload
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-26 23:26 5,120 ----a-w C:\WINDOWS\rictions.dll
2008-01-26 23:26 5,120 ----a-w C:\info.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-19_21.11.34.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-17 00:05:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 23:41:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 23:42:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_470.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 21:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 11:03 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 09:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 09:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 09:32 86016]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 06:09 139264]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 00:26 406016]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16 1121792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 15:07 90112 C:\WINDOWS\soundman.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 08:10 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-26 21:36 219136]

C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [2008-04-06 01:29:53 178419]
SDK Tray Menu.lnk - C:\Program Files\Java\jdk1.5.0_11\bin\javaw.exe [2007-03-30 16:05:24 53346]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"C:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2004-02-23 08:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbef03f5-9bec-11da-9785-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 23:13:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 16:52:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-20 16:59:21
ComboFix-quarantined-files.txt 2008-04-20 23:59:19
ComboFix2.txt 2008-04-20 04:12:00

Pre-Run: 88,124,018,688 bytes free
Post-Run: 88,095,821,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

148 --- E O F --- 2008-04-13 23:46:17

#12 SifuMike (malware expert, Staff Emeritus)

Posted 20 April 2008 - 09:16 PM

Hello Dave,

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run, type Notepad and click OK.
Open Notepad; don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

KILLALL:: 

File::
C:\WINDOWS\system32\tmp.reg 
C:\WINDOWS\wininit.ini
C:\WINDOWS\czgjknwv.dll
C:\WINDOWS\ons.dll
C:\WINDOWS\rictions.dll
C:\info.exe

Folder:: 
C:\Program Files\Bat
C:\Documents and Settings\All Users\Application Data\zopsnyvq
C:\WINDOWS\uprjiefj

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]


Name the Notepad file CFScript.txt and save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript onto ComboFix.exe as shown in the screenshot below.



Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 ucmeflyn (Topic Starter)

Posted 20 April 2008 - 10:34 PM

Hi SifuMike,

Everything seemed to run fine except after the reboot. I got a Windows message while ComboFix was creating a log. It said Windows cannot open this file: bat.exe.vir. It gave me two options: let Windows decide what it is and figure out what will open it, or choose from a list. I hit OK because it already had let Windows choose. The box then closed and nothing else came up.
The ComboFix log completed, and I noticed afterwards a new browser window had opened and it said Windows could not identify the file. Not sure what this means to you...

FYI, when the computer rebooted and ComboFix was still running, my son has AIM that auto-loads, and I also have a program that pops up and asks if you want to back up your system (it's been so many days, etc.; you pick yes or no). These might be the reason the bat.exe.vir file showed up during the run.

Below is the ComboFix log, and the HJT log below that...

ComboFix 08-04-18.3 - Rebel 2008-04-20 20:00:18.3 - NTFSx86
Running from: C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\info.exe
C:\WINDOWS\czgjknwv.dll
C:\WINDOWS\ons.dll
C:\WINDOWS\rictions.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\zopsnyvq
C:\info.exe
C:\Program Files\Bat
C:\Program Files\Bat\Bat.dll
C:\Program Files\Bat\Bat.dll.intermediate.manifest
C:\Program Files\Bat\Bat.exe
C:\Program Files\Bat\Bat.info
C:\Program Files\Bat\Bat.original
C:\Program Files\Bat\Info.dll
C:\Program Files\Bat\un_BatSetup_15041.exe
C:\Program Files\Bat\un_BatSetup_15041.txt
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Bat\X_Bat.log
C:\WINDOWS\czgjknwv.dll
C:\WINDOWS\ons.dll
C:\WINDOWS\rictions.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\uprjiefj
C:\WINDOWS\uprjiefj\1.png
C:\WINDOWS\uprjiefj\2.png
C:\WINDOWS\uprjiefj\3.png
C:\WINDOWS\uprjiefj\4.png
C:\WINDOWS\uprjiefj\5.png
C:\WINDOWS\uprjiefj\6.png
C:\WINDOWS\uprjiefj\7.png
C:\WINDOWS\uprjiefj\8.png
C:\WINDOWS\uprjiefj\9.png
C:\WINDOWS\uprjiefj\bottom-rc.gif
C:\WINDOWS\uprjiefj\config.png
C:\WINDOWS\uprjiefj\content.png
C:\WINDOWS\uprjiefj\download.gif
C:\WINDOWS\uprjiefj\frame-bg.gif
C:\WINDOWS\uprjiefj\frame-bottom-left.gif
C:\WINDOWS\uprjiefj\frame-h1bg.gif
C:\WINDOWS\uprjiefj\head.png
C:\WINDOWS\uprjiefj\icon.png
C:\WINDOWS\uprjiefj\indexwp.html
C:\WINDOWS\uprjiefj\main.css
C:\WINDOWS\uprjiefj\memory-prots.png
C:\WINDOWS\uprjiefj\net.png
C:\WINDOWS\uprjiefj\pc-mag.gif
C:\WINDOWS\uprjiefj\pc.gif
C:\WINDOWS\uprjiefj\poloska1.png
C:\WINDOWS\uprjiefj\poloska2.png
C:\WINDOWS\uprjiefj\poloska3.png
C:\WINDOWS\uprjiefj\promowp1.html
C:\WINDOWS\uprjiefj\promowp2.html
C:\WINDOWS\uprjiefj\promowp3.html
C:\WINDOWS\uprjiefj\promowp4.html
C:\WINDOWS\uprjiefj\promowp5.html
C:\WINDOWS\uprjiefj\reg.png
C:\WINDOWS\uprjiefj\repair.png
C:\WINDOWS\uprjiefj\scr-1.png
C:\WINDOWS\uprjiefj\scr-2.png
C:\WINDOWS\uprjiefj\start.png




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:31 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Bat\Bat.exe.vir
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...260/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9351 bytes

#14 SifuMike (malware expert, Staff Emeritus)

Posted 20 April 2008 - 11:06 PM

Hi Dave,

It said Windows cannot open this file: bat.exe.vir.

That is OK, as it is a quarantined virus file.

Please post the entire ComboFix log. You posted only the top portion.
It should be called ComboFix3.txt

Edited by SifuMike, 20 April 2008 - 11:08 PM.


#15 ucmeflyn (Topic Starter)

Posted 20 April 2008 - 11:21 PM

Hi SifuMike,
Sorry about that, I thought I pasted the whole log... Here it is!

ComboFix 08-04-18.3 - Rebel 2008-04-20 20:00:18.3 - NTFSx86
Running from: C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\info.exe
C:\WINDOWS\czgjknwv.dll
C:\WINDOWS\ons.dll
C:\WINDOWS\rictions.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\zopsnyvq
C:\info.exe
C:\Program Files\Bat
C:\Program Files\Bat\Bat.dll
C:\Program Files\Bat\Bat.dll.intermediate.manifest
C:\Program Files\Bat\Bat.exe
C:\Program Files\Bat\Bat.info
C:\Program Files\Bat\Bat.original
C:\Program Files\Bat\Info.dll
C:\Program Files\Bat\un_BatSetup_15041.exe
C:\Program Files\Bat\un_BatSetup_15041.txt
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Bat\X_Bat.log
C:\WINDOWS\czgjknwv.dll
C:\WINDOWS\ons.dll
C:\WINDOWS\rictions.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\uprjiefj
C:\WINDOWS\uprjiefj\1.png
C:\WINDOWS\uprjiefj\2.png
C:\WINDOWS\uprjiefj\3.png
C:\WINDOWS\uprjiefj\4.png
C:\WINDOWS\uprjiefj\5.png
C:\WINDOWS\uprjiefj\6.png
C:\WINDOWS\uprjiefj\7.png
C:\WINDOWS\uprjiefj\8.png
C:\WINDOWS\uprjiefj\9.png
C:\WINDOWS\uprjiefj\bottom-rc.gif
C:\WINDOWS\uprjiefj\config.png
C:\WINDOWS\uprjiefj\content.png
C:\WINDOWS\uprjiefj\download.gif
C:\WINDOWS\uprjiefj\frame-bg.gif
C:\WINDOWS\uprjiefj\frame-bottom-left.gif
C:\WINDOWS\uprjiefj\frame-h1bg.gif
C:\WINDOWS\uprjiefj\head.png
C:\WINDOWS\uprjiefj\icon.png
C:\WINDOWS\uprjiefj\indexwp.html
C:\WINDOWS\uprjiefj\main.css
C:\WINDOWS\uprjiefj\memory-prots.png
C:\WINDOWS\uprjiefj\net.png
C:\WINDOWS\uprjiefj\pc-mag.gif
C:\WINDOWS\uprjiefj\pc.gif
C:\WINDOWS\uprjiefj\poloska1.png
C:\WINDOWS\uprjiefj\poloska2.png
C:\WINDOWS\uprjiefj\poloska3.png
C:\WINDOWS\uprjiefj\promowp1.html
C:\WINDOWS\uprjiefj\promowp2.html
C:\WINDOWS\uprjiefj\promowp3.html
C:\WINDOWS\uprjiefj\promowp4.html
C:\WINDOWS\uprjiefj\promowp5.html
C:\WINDOWS\uprjiefj\reg.png
C:\WINDOWS\uprjiefj\repair.png
C:\WINDOWS\uprjiefj\scr-1.png
C:\WINDOWS\uprjiefj\scr-2.png
C:\WINDOWS\uprjiefj\start.png
C:\WINDOWS\uprjiefj\styles.css
C:\WINDOWS\uprjiefj\Thumbs.db
C:\WINDOWS\uprjiefj\top-rc.gif
C:\WINDOWS\uprjiefj\vline.gif
C:\WINDOWS\uprjiefj\wp.png
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-13 17:06 . 2008-04-13 17:06 <DIR> d-------- C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\Grisoft
2008-04-13 17:06 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-13 16:41 . 2008-04-13 16:41 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-13 14:09 . 2008-04-13 14:09 <DIR> d-------- C:\Program Files\Panda Security
2008-04-11 16:04 . 2008-04-11 16:09 <DIR> d-------- C:\Deckard
2008-04-07 20:28 . 2008-04-07 20:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 01:31 . 2008-04-13 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-26 21:37 . 2008-04-19 11:52 <DIR> d-------- C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\AVG7
2008-03-26 21:37 . 2008-04-13 13:40 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-26 21:36 . 2008-03-26 21:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-26 21:36 . 2008-04-13 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-26 21:36 . 2008-03-26 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-26 21:01 . 2008-03-26 21:01 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-26 19:50 . 2008-03-26 20:56 512 --a------ C:\WINDOWS\randseed.rnd
2008-03-26 19:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-26 19:15 . 2008-03-26 19:15 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 03:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-31 03:31 --------- d-----w C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\LimeWire
2008-03-27 02:40 --------- d-----w C:\Program Files\Java
2008-03-27 02:06 --------- d-----w C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Application Data\AdobeUM
2008-03-17 01:22 --------- d-----w C:\Program Files\AIM6
2008-03-17 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-17 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-13 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\two setup mode load
2008-03-12 01:05 --------- d-----w C:\Program Files\BitDownload
.

((((((((((((((((((((((((((((( snapshot@2008-04-19_21.11.34.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-17 00:05:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 03:05:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 03:07:06 49,152 ----a-w C:\WINDOWS\TEMP\CompiledAdapter.dll
+ 2008-04-21 03:05:41 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 11:03 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 09:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 09:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 09:32 86016]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 06:09 139264]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 00:26 406016]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16 1121792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 15:07 90112 C:\WINDOWS\soundman.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 08:10 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-26 21:36 219136]

C:\Documents and Settings\Rebel.CAPTAINQUARTERS\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Bat\Bat.exe.vir [2008-04-06 01:29:53 178419]
SDK Tray Menu.lnk - C:\Program Files\Java\jdk1.5.0_11\bin\javaw.exe [2007-03-30 16:05:24 53346]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"C:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2004-02-23 08:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbef03f5-9bec-11da-9785-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 23:13:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 20:06:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AOL\AIM Toolbar 5.0\AolTbServer.exe
.
**************************************************************************
.
Completion time: 2008-04-20 20:18:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 03:18:55
ComboFix2.txt 2008-04-20 23:59:22
ComboFix3.txt 2008-04-20 04:12:00

Pre-Run: 88,108,859,392 bytes free
Post-Run: 88,126,353,408 bytes free

219 --- E O F --- 2008-04-13 23:46:17
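Two checks a responder would run over the material above, written here as an added worked example (it is not code from this thread, from ComboFix or from HijackThis). The first cross-checks the CFScript from post #12 against the post-run log: every File:: and Folder:: entry should appear under ComboFix's "Other Deletions" banner, and the Registry:: key should no longer be listed. Run against the truncated log in post #13 it reports C:\WINDOWS\wininit.ini as unconfirmed, which is exactly the gap the full log in post #15 closes. The second flags the persistence pointers a quarantine does not remove, both visible in the post-run logs: the Startup-folder shortcut that now resolves to C:\QooBox\Quarantine\C\Program Files\Bat\Bat.exe.vir (consistent with the "Windows cannot open this file: bat.exe.vir" prompt reported at reboot, since Windows has no handler for a .vir file), and the per-volume AutoRun handler under Explorer\MountPoints2 that still invokes Info.exe through ShellExec_RunDLL. The sample inputs are constructed, shortened excerpts of the CFScript and logs posted in this thread; the Directive:: layout of a CFScript, the "Other Deletions" banner, HijackThis printing "?" for a shortcut it cannot resolve and the C:\QooBox\Quarantine path are taken from what the page shows, while the function names and the reason strings are this example's own.

```python
import re

# Constructed sample input: the CFScript from post #12 in this thread.
CFSCRIPT = r"""
KILLALL::
File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\wininit.ini
C:\WINDOWS\czgjknwv.dll
C:\WINDOWS\ons.dll
C:\WINDOWS\rictions.dll
C:\info.exe
Folder::
C:\Program Files\Bat
C:\Documents and Settings\All Users\Application Data\zopsnyvq
C:\WINDOWS\uprjiefj
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
"""

# Constructed sample input: excerpts of the truncated post-run ComboFix log and HijackThis lines from post #13.
POST_RUN_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\All Users\Application Data\zopsnyvq
C:\info.exe
C:\Program Files\Bat
C:\WINDOWS\czgjknwv.dll
C:\WINDOWS\ons.dll
C:\WINDOWS\rictions.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\uprjiefj
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbef03f5-9bec-11da-9785-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
O4 - Startup: Bat - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Bat\Bat.exe.vir
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
"""

STARTUP_LNK = re.compile(r"^O4 - (?:Global )?Startup: .+? = (?P<target>.*)$")
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")

def parse_cfscript(text):
    """Group CFScript lines under their 'Directive::' headers (KILLALL:: has no body)."""
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_deletions(log):
    """Paths listed under ComboFix's 'Other Deletions' banner, lower-cased for comparison."""
    deleted, inside = set(), False
    for line in (l.strip() for l in log.splitlines()):
        if "Other Deletions" in line:
            inside = True
        elif line.startswith("(((("):  # the next banner closes the section
            inside = False
        elif inside and re.match(r"^[A-Za-z]:\\", line):
            deleted.add(line.lower())
    return deleted

def unconfirmed(script, log):
    """File::/Folder:: entries the post-run log does not show as deleted."""
    deleted = parse_deletions(log)
    return [p for p in script.get("File", []) + script.get("Folder", [])
            if p.lower() not in deleted]

def keys_still_listed(script, log):
    """Registry:: '[-KEY]' removals whose '[KEY]' header still shows up in the post-run log."""
    low = log.lower()
    return [k for k in script.get("Registry", [])
            if k.startswith("[-") and ("[" + k[2:]).lower() in low]

def leftovers(log):
    """Persistence pointers a quarantine leaves behind, as (log line, why it matters)."""
    found, key = [], None
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith("[") and "\\mountpoints2\\" in line.lower():
            key = line  # the per-volume key the next AutoRun\command line belongs to
            continue
        m = STARTUP_LNK.match(line)
        if m:
            target = m.group("target").strip().lower()
            if "\\qoobox\\quarantine\\" in target or target.endswith(".vir"):
                found.append((line, "Startup .lnk now resolves into the quarantine copy: delete the shortcut"))
            elif target == "?":
                found.append((line, "Startup .lnk target unresolved: inspect the shortcut by hand"))
        m = AUTORUN_CMD.match(line)
        if m and "shellexec_rundll" in m.group("cmd").lower():
            found.append((line, f"autorun.inf-style handler cached under {key}: delete the key"))
    return found

if __name__ == "__main__":
    print(unconfirmed(parse_cfscript(CFSCRIPT), POST_RUN_LOG), *leftovers(POST_RUN_LOG), sep="\n")
```

Run as-is, the script reports wininit.ini as the one entry the truncated log does not confirm, nothing for the registry key (the BHO line from the earlier log is gone), and three leftover pointers: the AutoRun handler under the MountPoints2 key, the Bat - Auto Update.lnk shortcut pointing into QooBox, and the unresolved SDK Tray Menu.lnk. On a live machine the follow-up would be deleting the Bat shortcut, checking by hand what the SDK shortcut points at before touching it, removing that MountPoints2 subkey, and then re-running the scan so the next log can be diffed the same way.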



