
Trojans/blue Screen


15 replies to this topic

#1 NeRo9k

NeRo9k

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 14 April 2008 - 09:37 PM

Hi, I've been having a lot of problems lately. I've run a lot of adaware programs and none of them are giving much info. I get a ton of pop-ups from AVG about trojans, and when running AVG Anti-Spyware, it mentions I have a lot of unknown DLLs that are locked and aren't able to be scanned. Today, when I got home I turned the comp on, it ran a bunch of scans before loading the Windows icons, then shut off to the blue screen of death, something about C000021 {FATAL SYSTEM ERROR}, I don't remember the exact numbers. Here are my logs. Thanks for any help!

Deckard's System Scanner v20071014.68
Run by Derek Kuehn on 2008-04-14 21:27:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
56: 2008-04-15 02:27:59 UTC - RP325 - Deckard's System Scanner Restore Point
55: 2008-04-13 22:57:07 UTC - RP324 - Last known good configuration
54: 2008-04-13 22:57:00 UTC - RP323 - Software Distribution Service 3.0
53: 2008-04-13 22:57:00 UTC - RP322 - System Checkpoint
52: 2008-04-13 22:57:00 UTC - RP321 - Installed Razer


-- First Restore Point --
1: 2008-04-13 22:56:51 UTC - RP270 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Derek Kuehn.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:16 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\program files\steam\steam.exe
C:\Program Files\distributed.net\dnetc.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\802.11g Wireless LAN\Monitor.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Razer\razertra.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Documents and Settings\Derek Kuehn\Local Settings\Temporary Internet Files\Content.IE5\RC24T8XW\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Derek Kuehn.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ABDEAB4-A0D0-481F-B4BC-66772EDC93C7} - C:\WINDOWS\system32\rqRIyxUK.dll (file missing)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - C:\WINDOWS\system32\cbXRHwvv.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [HTV Agent] C:\Program Files\HTV\HTV.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKLM\..\Policies\Explorer\Run: [bEbLUTL6RY] C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe
O4 - Global Startup: distributed.net client.lnk = C:\Program Files\distributed.net\dnetc.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O13 - WWW Prefix:
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab
O20 - Winlogon Notify: cbXRHwvv - cbXRHwvv.dll (file missing)
O20 - Winlogon Notify: __c0053089 - C:\WINDOWS\system32\__c0053089.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8207 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080404-004851-629 O21 - SSODL: fkdnrwsv - {7A4833C9-E5EB-453C-BF45-47B43D4AF9D9} - C:\WINDOWS\fkdnrwsv.dll
backup-20080404-004851-730 O21 - SSODL: sxfnewqb - {EF61FB5E-2429-4AD8-ABDF-94AD91CED260} - C:\WINDOWS\sxfnewqb.dll (file missing)
backup-20080404-005004-145 O21 - SSODL: fkdnrwsv - {206E79F1-3AAB-40B8-A04A-3384C75567FC} - C:\WINDOWS\fkdnrwsv.dll
backup-20080404-005004-152 O4 - HKLM\..\Policies\Explorer\Run: [bEbLUTL6RY] C:\Documents and Settings\All Users\Application Data\snkvepmt\uxcpwlav.exe
backup-20080404-005004-233 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
backup-20080404-005004-483 O4 - HKCU\..\Run: [A00FB9723E.exe] C:\DOCUME~1\DEREKK~1\LOCALS~1\Temp\_A00FB9723E.exe
backup-20080404-005004-627 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
backup-20080404-005004-894 O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
backup-20080404-005004-938 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 Razerlow (Razerlow USB Filter Driver) - c:\windows\system32\drivers\razerlow.sys <Not Verified; Razer (Asia-Pacific) Pte Ltd; Diamondback USB Optical Mouse>
R3 rt2500usb (RT2500 USB Wireless LAN Driver) - c:\windows\system32\drivers\rt2500usb.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>

S3 catchme - c:\docume~1\derekk~1\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0001
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0001
Service: hamachi


-- Scheduled Tasks -------------------------------------------------------------

2008-04-12 01:51:00 282 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-10-05 01:17:32 404 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 21:16:26 90112 --a------ C:\WINDOWS\system32\ufsponun.exe
2008-04-13 17:57:40 3648 --a------ C:\WINDOWS\system32\fcsqalee.dll
2008-04-13 17:56:41 175065 --ahs---- C:\WINDOWS\system32\KUxyIRqr.ini2
2008-04-13 17:52:19 0 d-------- C:\Documents and Settings\All Users\Application Data\hqvoxedm
2008-04-13 17:51:41 245760 --a------ C:\WINDOWS\ogxtsepr.dll
2008-04-13 17:51:41 229376 --a------ C:\WINDOWS\dsktbwfe.dll
2008-04-13 17:45:22 0 d-------- C:\Program Files\HTV
2008-04-08 01:17:23 2022 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 01:16:54 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-08 01:16:54 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-08 01:16:54 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-08 01:16:53 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-08 01:16:53 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-08 01:16:53 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 01:16:52 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 02:51:42 57 --a------ C:\xcrashdump.dat
2008-04-05 01:16:35 0 d-------- C:\Program Files\Razer
2008-04-04 01:23:54 0 d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Grisoft
2008-04-04 01:03:56 0 d-------- C:\Documents and Settings\Derek Kuehn\.housecall6.6
2008-04-04 00:59:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 00:59:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 00:56:26 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 00:55:45 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-04 00:55:45 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-04 00:55:45 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-04 00:55:45 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-04 00:55:45 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-04 00:55:43 0 d-------- C:\Program Files\Trojan Remover
2008-04-04 00:55:43 0 d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Simply Super Software
2008-04-04 00:55:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-04 00:53:54 0 d-------- C:\Program Files\CA
2008-04-03 23:45:56 0 d-------- C:\Program Files\distributed.net
2008-03-27 23:12:26 0 d-------- C:\Program Files\Steam
2008-03-17 00:22:37 0 d-------- C:\Program Files\DotA Gaming Network


-- Find3M Report ---------------------------------------------------------------

2008-04-14 21:28:02 0 d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Orbit
2008-04-14 02:28:51 4340 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-14 01:42:15 0 d-------- C:\Program Files\Warcraft III
2008-04-10 23:37:48 0 d-------- C:\Program Files\UltimateZip 2007
2008-04-05 01:16:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-04 11:15:04 0 d-------- C:\Program Files\Winamp
2008-04-04 01:03:32 0 d-------- C:\Program Files\Common Files
2008-04-04 00:25:19 0 d-------- C:\Program Files\Free Music Zilla
2008-04-04 00:10:54 0 d-------- C:\Program Files\mIRC
2008-04-04 00:09:37 0 d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Uniblue
2008-03-25 20:21:57 0 d-------- C:\Program Files\Orbitdownloader
2008-03-15 00:08:57 0 d-------- C:\Program Files\BitPim
2008-03-11 19:45:59 0 d-------- C:\Program Files\Starcraft
2008-03-08 22:30:59 0 d-------- C:\Documents and Settings\Derek Kuehn\Application Data\FMZilla
2008-02-29 01:42:49 0 d-------- C:\Program Files\Trend Micro
2008-02-29 01:41:45 0 d-------- C:\Program Files\Opera
2008-02-29 00:53:35 0 d-------- C:\Program Files\Sun
2008-02-29 00:53:29 0 d-------- C:\Program Files\Java
2008-02-29 00:26:34 0 d-------- C:\Program Files\Viewpoint
2008-02-29 00:15:34 0 d-------- C:\Program Files\SpywareBlaster
2008-02-27 23:32:14 67858 --a------ C:\WINDOWS\War3Unin.dat
2008-02-26 22:55:00 0 d-------- C:\Program Files\Verizon Wireless
2008-02-26 21:55:05 0 d-------- C:\Program Files\AviSynth 2.5
2008-02-26 21:54:47 0 d-------- C:\Program Files\eRightSoft
2008-02-26 18:38:07 0 d-------- C:\Program Files\XoftSpySE
2008-02-19 00:51:39 0 d-------- C:\Program Files\AIM6
2008-02-17 01:45:06 0 d-------- C:\Documents and Settings\Derek Kuehn\Application Data\GRETECH
2008-02-17 01:43:56 0 d-------- C:\Program Files\GRETECH
2008-02-04 14:26:34 151040 --ahs---- C:\WINDOWS\system32\VistaUltm.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ABDEAB4-A0D0-481F-B4BC-66772EDC93C7}]
C:\WINDOWS\system32\rqRIyxUK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9}]
C:\WINDOWS\system32\cbXRHwvv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 04:20 PM C:\WINDOWS\stsystra.exe]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 03:12 AM]
"ASM"="C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" [11/07/2006 03:11 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/22/2007 01:26 AM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM]
"RegistryMechanic"="" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/15/2008 05:54 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 04:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/13/2006 07:25 PM]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [03/27/2008 06:10 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
"razer"="C:\Program Files\Razer\razerhid.exe" [05/17/2005 06:21 PM]
"HTV Agent"="C:\Program Files\HTV\HTV.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [09/05/2007 03:43 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2006 01:32 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 11:15 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
"Steam"="c:\program files\steam\steam.exe" [03/27/2008 11:12 PM]

C:\Documents and Settings\Derek Kuehn\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2/26/2008 10:55:00 PM]
Monitor.lnk - C:\Program Files\802.11g Wireless LAN\Monitor.exe [7/20/2004 4:32:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
distributed.net client.lnk - C:\Program Files\distributed.net\dnetc.exe [7/5/2007 2:10:18 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"bEbLUTL6RY"=C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9}"= C:\WINDOWS\system32\cbXRHwvv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRHwvv]
cbXRHwvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0053089]
C:\WINDOWS\system32\__c0053089.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRIyxUK

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEx]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s




-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 2005-search.com # ***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 absolutepics.net # ***Inserted By STOPzilla***
127.0.0.1 ad.yieldmanager.com # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 apps.deskwizz.com # ***Inserted By STOPzilla***
127.0.0.1 awmdabest.com # ***Inserted By STOPzilla***
127.0.0.1 b.casalemedia.com # ***Inserted By STOPzilla***

100 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-14 21:30:32 ------------

Edited by NeRo9k, 14 April 2008 - 09:39 PM.



#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 15 April 2008 - 02:16 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Please post that in your next reply with a fresh HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 NeRo9k

NeRo9k
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 15 April 2008 - 08:32 AM

Thank you for all your help.

ComboFix 08-04-14.2 - Derek Kuehn 2008-04-15 8:12:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.360 [GMT -5:00]
Running from: C:\Documents and Settings\Derek Kuehn\Desktop\Derek\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\KUxyIRqr.ini
C:\WINDOWS\system32\KUxyIRqr.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\Packet.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 01:33 . 2008-04-15 01:33 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-15 01:32 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-15 01:26 . 2008-04-15 01:26 <DIR> dr-h----- C:\MSOCache
2008-04-14 22:23 . 2008-04-14 22:23 90,112 --a------ C:\WINDOWS\system32\cjqvsfod.exe
2008-04-14 21:27 . 2008-04-14 21:27 <DIR> d-------- C:\Deckard
2008-04-13 17:57 . 2008-04-13 17:57 3,648 --a------ C:\WINDOWS\system32\fcsqalee.dll
2008-04-13 17:52 . 2008-04-13 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hqvoxedm
2008-04-13 17:45 . 2008-04-13 18:19 <DIR> d-------- C:\Program Files\HTV
2008-04-08 01:17 . 2008-04-13 18:28 2,022 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 01:16 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-08 01:16 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-08 01:16 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-08 01:16 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-08 01:16 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-08 01:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 01:16 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-05 01:16 . 2008-04-05 01:16 <DIR> d-------- C:\Program Files\Razer
2008-04-05 01:16 . 2004-12-16 22:52 53,248 --a------ C:\WINDOWS\system32\razer.cpl
2008-04-04 01:23 . 2008-04-04 01:23 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Grisoft
2008-04-04 01:23 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-04 01:03 . 2008-04-04 11:17 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\.housecall6.6
2008-04-04 01:03 . 2008-04-04 01:03 0 --a------ C:\WINDOWS\PestPatrol5.INI
2008-04-04 00:59 . 2008-04-04 00:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 00:59 . 2008-04-04 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 00:56 . 2008-04-05 00:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 00:55 . 2008-04-04 00:56 <DIR> d-------- C:\Program Files\Trojan Remover
2008-04-04 00:55 . 2008-04-04 00:55 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Simply Super Software
2008-04-04 00:55 . 2008-04-04 00:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-04 00:55 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-04 00:55 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-04 00:55 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-04 00:55 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-04 00:55 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-04-04 00:53 . 2008-04-04 00:53 <DIR> d-------- C:\Program Files\CA
2008-04-03 23:45 . 2008-04-04 06:42 <DIR> d-------- C:\Program Files\distributed.net
2008-03-27 23:12 . 2008-04-14 22:23 <DIR> d-------- C:\Program Files\Steam
2008-03-17 00:22 . 2008-04-04 08:30 <DIR> d-------- C:\Program Files\DotA Gaming Network
2008-03-17 00:22 . 1996-05-03 21:05 28,672 --a------ C:\WINDOWS\system32\MsgHoo32.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-15 06:12 --------- d-----w C:\Program Files\Warcraft III
2008-04-15 02:30 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\Orbit
2008-04-11 04:37 --------- d-----w C:\Program Files\UltimateZip 2007
2008-04-09 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-05 06:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 16:15 --------- d-----w C:\Program Files\Winamp
2008-04-04 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-04 05:25 --------- d-----w C:\Program Files\Free Music Zilla
2008-04-04 05:10 --------- d-----w C:\Program Files\mIRC
2008-04-04 05:09 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\Uniblue
2008-03-26 01:21 --------- d-----w C:\Program Files\Orbitdownloader
2008-03-15 05:08 --------- d-----w C:\Program Files\BitPim
2008-03-12 00:45 --------- d-----w C:\Program Files\Starcraft
2008-03-09 03:30 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\FMZilla
2008-02-29 06:42 --------- d-----w C:\Program Files\Trend Micro
2008-02-29 06:41 --------- d-----w C:\Program Files\Opera
2008-02-29 05:53 --------- d-----w C:\Program Files\Sun
2008-02-29 05:53 --------- d-----w C:\Program Files\Java
2008-02-29 05:26 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 05:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 03:55 --------- d-----w C:\Program Files\Verizon Wireless
2008-02-27 02:55 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-27 02:54 --------- d-----w C:\Program Files\eRightSoft
2008-02-26 23:38 --------- d-----w C:\Program Files\XoftSpySE
2008-02-19 05:51 --------- d-----w C:\Program Files\AIM6
2008-02-19 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-17 06:45 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\GRETECH
2008-02-17 06:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-02-17 06:43 --------- d-----w C:\Program Files\GRETECH
2007-09-09 01:26 56 --sh--r C:\WINDOWS\system32\90C7238670.sys
2007-03-11 22:37 88 --sh--r C:\WINDOWS\system32\FE8307644B.sys
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ABDEAB4-A0D0-481F-B4BC-66772EDC93C7}]
C:\WINDOWS\system32\rqRIyxUK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 15:43 1261384]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 16:20 339968 C:\WINDOWS\stsystra.exe]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-22 01:26 579072]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"RegistryMechanic"="" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-13 19:25 98304]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-03-27 18:10 874064]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"HTV Agent"="C:\Program Files\HTV\HTV.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 19:34 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-07 09:33 219136]

C:\Documents and Settings\Derek Kuehn\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\802.11g Wireless LAN\Monitor.exe [2004-07-20 16:32:12 897024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
distributed.net client.lnk - C:\Program Files\distributed.net\dnetc.exe [2007-07-05 02:10:18 214528]
mirc.exe.lnk - C:\ircN\system\mirc.exe [2006-10-29 12:38:30 2023424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bEbLUTL6RY"= C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRHwvv]
cbXRHwvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0053089]
C:\WINDOWS\system32\__c0053089.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Derek Kuehn^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\Derek Kuehn\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASM]
--a------ 2006-11-07 15:11 2500096 C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 02:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 16:16 1121792 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 10:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-13 19:25 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-06-13 19:25 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-11-21 21:47 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2005-11-22 09:34 163840 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEx]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 23:12 1271032 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-09-05 15:43]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 06:51:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-10-05 06:17:32 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 08:18:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-04-15 8:22:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 13:22:28

Pre-Run: 25,772,228,608 bytes free
Post-Run: 25,700,159,488 bytes free
.
2008-04-09 19:26:01 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:32 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\distributed.net\dnetc.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\802.11g Wireless LAN\Monitor.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ABDEAB4-A0D0-481F-B4BC-66772EDC93C7} - C:\WINDOWS\system32\rqRIyxUK.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [HTV Agent] C:\Program Files\HTV\HTV.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [bEbLUTL6RY] C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe
O4 - Global Startup: distributed.net client.lnk = C:\Program Files\distributed.net\dnetc.exe
O4 - Global Startup: mirc.exe.lnk = C:\ircN\system\mirc.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O13 - WWW Prefix:
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab
O20 - Winlogon Notify: cbXRHwvv - cbXRHwvv.dll (file missing)
O20 - Winlogon Notify: __c0053089 - C:\WINDOWS\system32\__c0053089.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7881 bytes

#4 rookie147

  • Members
  • 5,321 posts

Posted 15 April 2008 - 03:24 PM

Before we continue, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with it and post back the new log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 NeRo9k

  • Topic Starter
  • Members
  • 20 posts

Posted 15 April 2008 - 06:38 PM

Thanks. I tried this multiple times. I followed the directions exactly, and went through them each time. I even re-downloaded both of the programs. Each time I dropped it on top of ComboFix, the program acknowledged it happened; but every time the log came up it was the same, saying: WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

This is the file I downloaded and dropped with no success: XP-KB310994-SP2-Home-BootDisk-ENU.exe. I'll repost the log just in case. Sorry..

ComboFix 08-04-15.1 - Derek Kuehn 2008-04-15 18:16:49.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.439 [GMT -5:00]
Running from: C:\Documents and Settings\Derek Kuehn\Desktop\Derek\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 18:13 . 2008-04-15 18:13 106,496 --a------ C:\WINDOWS\system32\cdalshef.exe
2008-04-15 01:33 . 2008-04-15 01:33 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-15 01:32 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-15 01:26 . 2008-04-15 01:26 <DIR> dr-h----- C:\MSOCache
2008-04-14 22:23 . 2008-04-14 22:23 90,112 --a------ C:\WINDOWS\system32\cjqvsfod.exe
2008-04-14 21:27 . 2008-04-14 21:27 <DIR> d-------- C:\Deckard
2008-04-13 17:52 . 2008-04-13 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hqvoxedm
2008-04-13 17:45 . 2008-04-13 18:19 <DIR> d-------- C:\Program Files\HTV
2008-04-08 01:17 . 2008-04-13 18:28 2,022 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 01:16 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-08 01:16 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-08 01:16 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-08 01:16 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-08 01:16 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-08 01:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 01:16 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-05 01:16 . 2008-04-05 01:16 <DIR> d-------- C:\Program Files\Razer
2008-04-05 01:16 . 2004-12-16 22:52 53,248 --a------ C:\WINDOWS\system32\razer.cpl
2008-04-04 01:23 . 2008-04-04 01:23 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Grisoft
2008-04-04 01:23 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-04 01:03 . 2008-04-04 11:17 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\.housecall6.6
2008-04-04 01:03 . 2008-04-04 01:03 0 --a------ C:\WINDOWS\PestPatrol5.INI
2008-04-04 00:59 . 2008-04-04 00:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 00:59 . 2008-04-04 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 00:56 . 2008-04-05 00:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 00:55 . 2008-04-04 00:56 <DIR> d-------- C:\Program Files\Trojan Remover
2008-04-04 00:55 . 2008-04-04 00:55 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Simply Super Software
2008-04-04 00:55 . 2008-04-04 00:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-04 00:55 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-04 00:55 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-04 00:55 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-04 00:55 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-04 00:55 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-04-04 00:53 . 2008-04-04 00:53 <DIR> d-------- C:\Program Files\CA
2008-04-03 23:45 . 2008-04-04 06:42 <DIR> d-------- C:\Program Files\distributed.net
2008-03-27 23:12 . 2008-04-14 22:23 <DIR> d-------- C:\Program Files\Steam
2008-03-17 00:22 . 2008-04-04 08:30 <DIR> d-------- C:\Program Files\DotA Gaming Network
2008-03-17 00:22 . 1996-05-03 21:05 28,672 --a------ C:\WINDOWS\system32\MsgHoo32.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-15 06:12 --------- d-----w C:\Program Files\Warcraft III
2008-04-15 02:30 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\Orbit
2008-04-14 07:28 4,340 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 04:37 --------- d-----w C:\Program Files\UltimateZip 2007
2008-04-09 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-05 06:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 16:15 --------- d-----w C:\Program Files\Winamp
2008-04-04 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-04 05:25 --------- d-----w C:\Program Files\Free Music Zilla
2008-04-04 05:10 --------- d-----w C:\Program Files\mIRC
2008-04-04 05:09 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\Uniblue
2008-03-26 01:21 --------- d-----w C:\Program Files\Orbitdownloader
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-15 05:08 --------- d-----w C:\Program Files\BitPim
2008-03-12 00:45 --------- d-----w C:\Program Files\Starcraft
2008-03-09 03:30 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\FMZilla
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-29 06:42 --------- d-----w C:\Program Files\Trend Micro
2008-02-29 06:41 --------- d-----w C:\Program Files\Opera
2008-02-29 05:53 --------- d-----w C:\Program Files\Sun
2008-02-29 05:53 --------- d-----w C:\Program Files\Java
2008-02-29 05:26 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 05:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 03:55 --------- d-----w C:\Program Files\Verizon Wireless
2008-02-27 02:55 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-27 02:54 --------- d-----w C:\Program Files\eRightSoft
2008-02-26 23:38 --------- d-----w C:\Program Files\XoftSpySE
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-19 05:51 --------- d-----w C:\Program Files\AIM6
2008-02-19 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-17 06:45 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\GRETECH
2008-02-17 06:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-02-17 06:43 --------- d-----w C:\Program Files\GRETECH
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-04 19:26 151,040 --sha-w C:\WINDOWS\system32\VistaUltm.dll
2007-09-09 01:26 56 --sh--r C:\WINDOWS\system32\90C7238670.sys
2007-03-11 22:37 88 --sh--r C:\WINDOWS\system32\FE8307644B.sys
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_ 8.22.12.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 13:17:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-15 23:12:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ABDEAB4-A0D0-481F-B4BC-66772EDC93C7}]
C:\WINDOWS\system32\rqRIyxUK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 15:43 1261384]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 16:20 339968 C:\WINDOWS\stsystra.exe]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:30 579584]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"RegistryMechanic"="" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-13 19:25 98304]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-03-27 18:10 874064]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"HTV Agent"="C:\Program Files\HTV\HTV.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-07 09:33 219136]

C:\Documents and Settings\Derek Kuehn\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\802.11g Wireless LAN\Monitor.exe [2004-07-20 16:32:12 897024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
distributed.net client.lnk - C:\Program Files\distributed.net\dnetc.exe [2007-07-05 02:10:18 214528]
mirc.exe.lnk - C:\ircN\system\mirc.exe [2006-10-29 12:38:30 2023424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bEbLUTL6RY"= C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRHwvv]
cbXRHwvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0053089]
C:\WINDOWS\system32\__c0053089.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Derek Kuehn^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\Derek Kuehn\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASM]
--a------ 2006-11-07 15:11 2500096 C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 02:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 16:16 1121792 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 10:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-13 19:25 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-06-13 19:25 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-11-21 21:47 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2005-11-22 09:34 163840 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEx]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 23:12 1271032 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-09-05 15:43]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 06:51:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-10-05 06:17:32 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 18:19:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-04-15 18:20:52
ComboFix-quarantined-files.txt 2008-04-15 23:20:22
ComboFix2.txt 2008-04-15 23:06:56
ComboFix3.txt 2008-04-15 23:04:14
ComboFix4.txt 2008-04-15 13:22:33

Pre-Run: 25,664,311,296 bytes free
Post-Run: 25,647,374,336 bytes free
.
2008-04-09 19:26:01 --- E O F ---

Edited by NeRo9k, 15 April 2008 - 06:40 PM.


#6 rookie147

Posted 16 April 2008 - 04:11 PM

Hmm, don't worry about that. :thumbsup:
Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 NeRo9k

Posted 17 April 2008 - 12:32 PM

That was the longest scan ever. Here is the log.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-17 12:29:10
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG 7.5.524 7.5.524 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@trafficmp[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Derek Kuehn\My Documents\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Derek Kuehn\Desktop\Derek\SmitfraudFix\Process.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@tribalfusion[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@azjmp[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@statcounter[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@ad.yieldmanager[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@advertising[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@zedo[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@atwola[1].txt
00510234 Application/Dnet.A HackTools No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP294\A0062157.msi[unk_0045][dnetc.exe]
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Derek Kuehn\My Documents\SmitfraudFix\restart.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Derek Kuehn\Desktop\Derek\SmitfraudFix\restart.exe
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0070456.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Derek Kuehn\Desktop\Derek\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP329\A0070535.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0070451.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0070388.EXE
01270136 Generic Trojan Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP294\A0062157.msi[unk_0045][dnetc.com]
01468210 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP318\A0067322.rbf
01468210 Generic Trojan Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP294\A0062157.msi[unk_0045][dnetc.scr]
02022671 Generic Trojan Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP318\A0068286.msi[unk_0045][dnetc.scr]
02022671 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\dnetc.scr
02022671 Generic Trojan Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP318\A0067323.msi[unk_0045][dnetc.scr]
02022671 Generic Trojan Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP319\A0068446.msi[unk_0045][dnetc.scr]
02022671 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\distributed.net\dnetc.scr
02023144 Generic Trojan Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP318\A0068286.msi[unk_0045][dnetc.com]
02023144 Generic Trojan Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP318\A0067323.msi[unk_0045][dnetc.com]
02023144 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\distributed.net\dnetc.com
02023144 Generic Trojan Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP319\A0068446.msi[unk_0045][dnetc.com]
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Derek Kuehn\Desktop\Derek\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Derek Kuehn\My Documents\SmitfraudFix\Reboot.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0070381.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location *X
;===================================================================================================================================================================================
No C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HQVOXEDM\TOFATOBI.EXE *X
No C:\IRCN\SYSTEM\MIRC.EXE *X
No C:\PROGRAM FILES\DISTRIBUTED.NET\DNETC.EXE *X
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description *X
;===================================================================================================================================================================================
;===================================================================================================================================================================================

#8 rookie147

Posted 18 April 2008 - 03:33 PM

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start | All Programs | Accessories | System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Then please let me know how things are running now.
Thanks,
Charles

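The Panda ActiveScan report posted in #7 mixes four very different kinds of hit: tracking cookies, files that belong to the cleanup tools the user ran (SmitfraudFix, ComboFix), copies sitting inside System Restore snapshots under C:\System Volume Information (which is why the restore points are purged above), and files on the live system. The following is an added example, not code from the thread or from Panda: a small parser for the report layout shown above that buckets each MALWARE row by its location and lists the SUSPECTS rows separately. The sample report is constructed from a few rows of the log above; the bucket names and the list of cleanup-tool path markers are assumptions chosen for this example.

```python
"""Sort the detections in a Panda ActiveScan text report by where they live."""
import re
from collections import Counter

# Constructed sample: a handful of rows excerpted from the report above,
# in the same layout (section name, header line, ';===' separators).
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Derek Kuehn\Cookies\derek_kuehn@trafficmp[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Derek Kuehn\My Documents\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00510234 Application/Dnet.A HackTools No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP294\A0062157.msi[unk_0045][dnetc.exe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Derek Kuehn\Desktop\Derek\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
02022671 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\dnetc.scr
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Derek Kuehn\My Documents\SmitfraudFix\Reboot.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0070381.sys
;===================================
SUSPECTS
Sent Location *X
;===================================
No C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HQVOXEDM\TOFATOBI.EXE *X
No C:\IRCN\SYSTEM\MIRC.EXE *X
;===================================
"""

# One MALWARE row: 8-digit id, free-text description, single-token type,
# Active, Severity, Disinfectable, Disinfected, then the path (may contain spaces).
MALWARE_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) (?P<sev>\d+) "
    r"(?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<path>.+)$"
)
# One SUSPECTS row: Sent flag, path, trailing '*X' marker.
SUSPECT_RE = re.compile(r"^(?P<sent>Yes|No) (?P<path>.+?) \*X$")

SECTIONS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")
RESTORE_PREFIX = "c:\\system volume information\\_restore"
# Assumed markers for files that belong to cleanup tools the user ran.
CLEANUP_TOOL_MARKERS = ("\\smitfraudfix\\", "\\combofix.exe")


def parse_report(text):
    """Return (malware_rows, suspect_rows) as lists of dicts."""
    section, malware, suspects = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or separator line
            continue
        if line in SECTIONS:                    # section heading
            section = line
            continue
        if section == "MALWARE":
            m = MALWARE_RE.match(line)          # header line does not match
            if m:
                row = m.groupdict()
                row["sev"] = int(row["sev"])
                malware.append(row)
        elif section == "SUSPECTS":
            m = SUSPECT_RE.match(line)
            if m:
                suspects.append(m.groupdict())
    return malware, suspects


def classify(row):
    """Bucket a MALWARE row by where the detected object lives."""
    path = row["path"].lower()
    if path.startswith(RESTORE_PREFIX):
        return "restore_point"      # cleared by turning System Restore off
    if row["type"] == "TrackingCookie":
        return "tracking_cookie"
    if any(marker in path for marker in CLEANUP_TOOL_MARKERS):
        return "cleanup_tool"       # part of a tool the user ran deliberately
    return "live_file"              # on the running system: needs a look


def summarize(text):
    """Counts per bucket, live files to review, and the SUSPECTS paths."""
    malware, suspects = parse_report(text)
    counts = Counter(classify(r) for r in malware)
    review = sorted(r["path"] for r in malware if classify(r) == "live_file")
    return {"counts": dict(counts), "review": review,
            "suspects": [s["path"] for s in suspects]}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for bucket, n in sorted(result["counts"].items()):
        print(f"{bucket:16s} {n}")
    print("review:", *result["review"], sep="\n  ")
    print("suspects:", *result["suspects"], sep="\n  ")
```

The "live_file" bucket is only a triage queue: it contains both the distributed.net screensaver the user installed and the SmitfraudFix Process.exe copy in system32, and deciding which of those are false positives is the analyst's call, as the helper does later in this thread.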


#9 NeRo9k

Posted 18 April 2008 - 09:21 PM

Well, none of those got fixed yet though. I took a screenshot so you could see what the log looks like; the copy/paste is pretty bad quality.

http://img170.imageshack.us/img170/4514/36799854uu4.png

It didn't disinfect any of those. And this HQVOXEDM\TOFATOBI.EXE always tries to access the network; I get a notice from my firewall a couple of times a day?

#10 rookie147

Posted 19 April 2008 - 03:29 PM

Well, none of those got fixed yet though..

I am aware of that, they do not need deleting.

Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quote box below into the document:

Folder::
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HQVOXEDM


Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:

Posted Image

This will start ComboFix again.
A new log will be created, which I would like to see in your reply.



#11 NeRo9k

Posted 19 April 2008 - 06:14 PM

Why is it that those don't need to be deleted?

ComboFix 08-04-15.1 - Derek Kuehn 2008-04-19 18:06:44.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.397 [GMT -5:00]
Running from: C:\Documents and Settings\Derek Kuehn\Desktop\Derek\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-16 16:28 . 2008-04-16 16:28 <DIR> d-------- C:\Program Files\Panda Security
2008-04-15 19:16 . 2008-04-15 19:16 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-15 19:15 . 2008-04-15 19:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-15 19:06 . 2008-04-15 19:06 <DIR> d-------- C:\OFFICE
2008-04-15 01:33 . 2008-04-15 19:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-15 01:32 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-15 01:26 . 2008-04-15 01:26 <DIR> dr-h----- C:\MSOCache
2008-04-14 21:27 . 2008-04-14 21:27 <DIR> d-------- C:\Deckard
2008-04-13 17:52 . 2008-04-13 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hqvoxedm
2008-04-13 17:45 . 2008-04-13 18:19 <DIR> d-------- C:\Program Files\HTV
2008-04-08 01:17 . 2008-04-13 18:28 2,022 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 01:16 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-08 01:16 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-08 01:16 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-08 01:16 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-08 01:16 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-08 01:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 01:16 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-05 01:16 . 2008-04-05 01:16 <DIR> d-------- C:\Program Files\Razer
2008-04-05 01:16 . 2004-12-16 22:52 53,248 --a------ C:\WINDOWS\system32\razer.cpl
2008-04-04 01:23 . 2008-04-04 01:23 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Grisoft
2008-04-04 01:23 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-04 01:03 . 2008-04-04 11:17 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\.housecall6.6
2008-04-04 01:03 . 2008-04-04 01:03 0 --a------ C:\WINDOWS\PestPatrol5.INI
2008-04-04 00:59 . 2008-04-04 00:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 00:59 . 2008-04-04 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 00:56 . 2008-04-05 00:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 00:55 . 2008-04-04 00:56 <DIR> d-------- C:\Program Files\Trojan Remover
2008-04-04 00:55 . 2008-04-04 00:55 <DIR> d-------- C:\Documents and Settings\Derek Kuehn\Application Data\Simply Super Software
2008-04-04 00:55 . 2008-04-04 00:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-04 00:55 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-04 00:55 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-04 00:55 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-04 00:55 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-04 00:55 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-04-04 00:53 . 2008-04-04 00:53 <DIR> d-------- C:\Program Files\CA
2008-04-03 23:45 . 2008-04-04 06:42 <DIR> d-------- C:\Program Files\distributed.net
2008-03-27 23:12 . 2008-04-14 22:23 <DIR> d-------- C:\Program Files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 06:28 --------- d-----w C:\Program Files\Warcraft III
2008-04-17 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-17 01:44 --------- d-----w C:\Program Files\Starcraft
2008-04-15 02:30 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\Orbit
2008-04-14 07:28 4,340 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 04:37 --------- d-----w C:\Program Files\UltimateZip 2007
2008-04-09 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-05 06:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 16:15 --------- d-----w C:\Program Files\Winamp
2008-04-04 13:30 --------- d-----w C:\Program Files\DotA Gaming Network
2008-04-04 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-04 05:25 --------- d-----w C:\Program Files\Free Music Zilla
2008-04-04 05:10 --------- d-----w C:\Program Files\mIRC
2008-04-04 05:09 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\Uniblue
2008-03-26 01:21 --------- d-----w C:\Program Files\Orbitdownloader
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-15 05:08 --------- d-----w C:\Program Files\BitPim
2008-03-09 03:30 --------- d-----w C:\Documents and Settings\Derek Kuehn\Application Data\FMZilla
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-29 06:42 --------- d-----w C:\Program Files\Trend Micro
2008-02-29 06:41 --------- d-----w C:\Program Files\Opera
2008-02-29 05:53 --------- d-----w C:\Program Files\Sun
2008-02-29 05:53 --------- d-----w C:\Program Files\Java
2008-02-29 05:26 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 05:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 03:55 --------- d-----w C:\Program Files\Verizon Wireless
2008-02-27 02:55 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-27 02:54 --------- d-----w C:\Program Files\eRightSoft
2008-02-26 23:38 --------- d-----w C:\Program Files\XoftSpySE
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-19 05:51 --------- d-----w C:\Program Files\AIM6
2008-02-19 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-04 19:26 151,040 --sha-w C:\WINDOWS\system32\VistaUltm.dll
2007-09-09 01:26 56 --sh--r C:\WINDOWS\system32\90C7238670.sys
2007-03-11 22:37 88 --sh--r C:\WINDOWS\system32\FE8307644B.sys
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_ 8.22.12.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-16 00:16:14 110,592 ----a-w C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
+ 2008-04-16 00:16:14 64,088 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2008-04-16 00:16:14 229,376 ----a-w C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
+ 2008-04-16 00:16:14 4,096 ----a-w C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
+ 2008-04-16 00:16:13 223,800 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2008-04-16 00:16:14 16,384 ----a-w C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
- 2008-04-15 13:17:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 23:00:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 23:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 18:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-04-16 00:17:43 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-04-16 00:17:44 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-04-16 00:17:44 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-04-16 00:17:43 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-16 00:17:44 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-04-16 00:17:44 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-04-16 00:17:44 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-04-16 00:17:44 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-04-16 00:17:43 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-04-16 00:17:43 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-04-16 00:17:44 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-04-16 00:17:43 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-04-16 00:17:43 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-04-15 13:17:32 315,560 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-16 17:27:33 318,744 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2002-08-21 10:10:16 204,800 ----a-w C:\WINDOWS\system32\INKED.DLL
- 2008-04-15 06:37:12 54,280 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-16 00:18:41 54,280 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-15 06:37:12 384,596 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-16 00:18:41 384,596 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 1998-03-25 02:54:08 15,872 ----a-w C:\WINDOWS\system32\SCP32.DLL
+ 2003-06-18 22:31:44 758,784 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2003-06-18 22:31:46 35,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2003-06-18 22:31:44 758,784 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
+ 2003-06-18 22:31:46 35,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
+ 1999-11-24 23:40:50 40,960 ----a-w C:\WINDOWS\system32\VBAME.DLL
+ 2002-08-21 10:13:12 189,952 ----a-w C:\WINDOWS\system32\WISPTIS.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ABDEAB4-A0D0-481F-B4BC-66772EDC93C7}]
C:\WINDOWS\system32\rqRIyxUK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 15:43 1261384]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 16:20 339968 C:\WINDOWS\stsystra.exe]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:30 579584]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"RegistryMechanic"="" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-13 19:25 98304]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-03-27 18:10 874064]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"HTV Agent"="C:\Program Files\HTV\HTV.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-07 09:33 219136]

C:\Documents and Settings\Derek Kuehn\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\802.11g Wireless LAN\Monitor.exe [2004-07-20 16:32:12 897024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
distributed.net client.lnk - C:\Program Files\distributed.net\dnetc.exe [2007-07-05 02:10:18 214528]
mirc.exe.lnk - C:\ircN\system\mirc.exe [2006-10-29 12:38:30 2023424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bEbLUTL6RY"= C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRHwvv]
cbXRHwvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0053089]
C:\WINDOWS\system32\__c0053089.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Derek Kuehn^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\Derek Kuehn\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASM]
--a------ 2006-11-07 15:11 2500096 C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 02:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 16:16 1121792 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 10:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-13 19:25 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-06-13 19:25 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-11-21 21:47 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2005-11-22 09:34 163840 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEx]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 23:12 1271032 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-09-05 15:43]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 06:51:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-10-05 06:17:32 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 18:09:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-04-19 18:11:07
ComboFix-quarantined-files.txt 2008-04-19 23:10:35
ComboFix2.txt 2008-04-15 23:20:53
ComboFix3.txt 2008-04-15 23:06:56
ComboFix4.txt 2008-04-15 23:04:14
ComboFix5.txt 2008-04-15 13:22:33

Pre-Run: 23,530,872,832 bytes free
Post-Run: 23,593,021,440 bytes free
.
2008-04-16 18:46:29 --- E O F ---

I checked after the scan and it's still there; when I try to delete it, it says access denied :( Sorry for all the trouble.
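The "Reg Loading Points" section of the ComboFix log above is where the hqvoxedm folder was identified: ComboFix hides known-good default entries, so what remains is a short list of autostart locations and their targets, and the tofatobi.exe entry stands out because it is launched from All Users\Application Data by a policies\explorer\run value rather than from Program Files. The following is an added example, not ComboFix code: a parser for that section's layout (a [registry key] header followed by the values under it) with a few structural checks that list the entries worth a closer look and why. The sample log is constructed from lines of the log above; the set of "trusted" directory roots and the check rules are assumptions for the example and are triage hints, not verdicts.

```python
"""Triage autostart entries from a ComboFix 'Reg Loading Points' section."""
import re

# Constructed sample in the layout of the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 15:43 1261384]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:30 579584]
"RegistryMechanic"="" []
"HTV Agent"="C:\Program Files\HTV\HTV.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bEbLUTL6RY"= C:\Documents and Settings\All Users\Application Data\hqvoxedm\tofatobi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRHwvv]
cbXRHwvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0053089]
C:\WINDOWS\system32\__c0053089.dat
"""

# "name"="target" [date time size]   -- the bracket part is empty or blank
# when ComboFix could not find the file at scan time.
QUOTED_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')
# "name"= target                     -- unquoted form used under policies\explorer\run
UNQUOTED_RE = re.compile(r'^"(?P<name>[^"]+)"= (?P<target>\S.*)$')

# Assumed for the example: where autostart targets are normally expected to
# live on an XP box like this one.  Tune per environment.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def parse_loading_points(text):
    """Return a list of {key, name, target, meta} for every value listed."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new registry key block
            continue
        if key is None:                           # text before the first block
            continue
        m = QUOTED_RE.match(line) or UNQUOTED_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append({"key": key, "name": d["name"],
                            "target": d["target"], "meta": d.get("meta")})
        else:                                     # bare target (winlogon\notify)
            entries.append({"key": key, "name": None, "target": line, "meta": None})
    return entries


def check_entry(entry):
    """Structural checks only; returns the list of reasons to look closer."""
    reasons = []
    target, key = entry["target"], entry["key"].lower()
    low = target.lower()
    has_dir = "\\" in target
    if entry["meta"] is not None and not entry["meta"].strip():
        reasons.append("target file not present when ComboFix ran")
    if has_dir and not any(low.startswith(root) for root in TRUSTED_ROOTS):
        reasons.append("target outside Program Files / WINDOWS")
    if "winlogon\\notify" in key:
        if not has_dir:
            reasons.append("notify package given as bare file name")
        elif not low.endswith(".dll"):
            reasons.append("notify package is not a .dll")
    return reasons


def triage(text):
    """Entries with at least one reason, in log order."""
    findings = []
    for entry in parse_loading_points(text):
        if not entry["target"]:                   # empty value, nothing runs
            continue
        reasons = check_entry(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['target']}\n    key: {f['key']}\n    why: {'; '.join(f['reasons'])}")
```

On the sample this lists the missing HTV.exe, the tofatobi.exe entry launched from Application Data, and the two winlogon notify entries; the legitimate Run values pass. The Startup-folder lines in the same log (".lnk - path") use a different layout and are not parsed here.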

#12 rookie147

Posted 20 April 2008 - 03:08 PM

Why is it that those don't need to be deleted?

Most of them are false positives, flushing System Restore will get rid of the rest.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\Documents and Settings\All Users\Application Data\hqvoxedm


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 NeRo9k

NeRo9k
  • Topic Starter

  • Members
  • 20 posts

Posted 20 April 2008 - 07:12 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Documents and Settings\All Users\Application Data\hqvoxedm" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Now I created a new restore point. Thanks for all your help!

#14 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 22 April 2008 - 02:49 PM

Has the folder stayed away now?

If you are pleased with the service I have offered, you may like to consider making a donation.


#15 NeRo9k

NeRo9k
  • Topic Starter

  • Members
  • 20 posts

Posted 22 April 2008 - 04:19 PM

Yes, thank you.
