Some Kind Of Infection


4 replies to this topic

#1 AdamWoodard

Posted 16 April 2008 - 02:31 PM

I'm new to this and don't know how to proceed. I've definitely got something on my computer that shouldn't be there. I've done a scan for viruses and spyware and removed them all, but my PC is still doing some weird things like advertising on my desktop. I can't alter the background through the Control Panel, and when I remove the internet all I get is a blue background. Just after I log in I get a message saying that a certain file cannot be found.


Deckard's System Scanner v20071014.68
Run by Adam Woodard on 2008-04-16 21:18:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
87: 2008-04-16 19:18:59 UTC - RP580 - Deckard's System Scanner Restore Point
86: 2008-04-16 14:48:15 UTC - RP579 - Removed Age of Empires III
85: 2008-04-16 09:42:54 UTC - RP578 - Software Distribution Service 3.0
84: 2008-04-14 15:56:40 UTC - RP577 - System Checkpoint
83: 2008-04-11 18:09:11 UTC - RP576 - System Checkpoint


-- First Restore Point --
1: 2008-03-29 06:48:03 UTC - RP494 - Installed Medieval II Total War


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Adam Woodard.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20:01, on 16/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\Dit.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Adam Woodard\Desktop\dss.exe
C:\HIJACK~1\Adam Woodard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-homepage.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: superiorads browser optimizer - {00384512-fbb1-879f-3285-1bacacd3c164} - C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8285F812-E4A9-4FCA-B7D9-D73F54EACCC5} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - (no file)
O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [inetsrv] C:\WINDOWS\system32\inetsrv.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Adam Woodard\Application Data\Deskbar_{06CD14FF-E233-404b-AA33-EFB2B78DBFCD}\starter.exe
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\J4GV3ATP\install_asm_en[1].exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\W1GVZ54D\installer_sbd_en[1].exe
O4 - HKLM\..\Run: [BM83431d68] Rundll32.exe "C:\WINDOWS\system32\igqajtkt.dll",s
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll" DllInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: iFormat.lnk = C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203001619890
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9964 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 jfdcd - c:\docume~1\adamwo~1\locals~1\temp\jfdcd.sys (file missing)
S3 SE26bus (Sony Ericsson Device 038 Driver driver (WDM)) - c:\windows\system32\drivers\se26bus.sys <Not Verified; MCCI; Sony Ericsson Device 038 Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 Htdcdtdwnan -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: PCI Device
Device ID: PCI\VEN_1106&DEV_3288&SUBSYS_0C87105B&REV_10\3&2C8B7305&0&08
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_1106&DEV_3288&SUBSYS_0C87105B&REV_10\3&2C8B7305&0&08
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-16 20:59:01 268 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-03-23 23:23:50 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2008-04-16 17:33:36 0 d-------- C:\WINDOWS\system32\NtmsData
2008-04-16 14:20:15 0 d-------- C:\Program Files\Spyware Doctor
2008-04-16 11:23:26 0 d-------- C:\hijackthis
2008-04-16 10:08:00 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\WinAnonymous
2008-04-15 23:19:37 0 d-------- C:\Documents and Settings\All Users\Application Data\WinAnonymous
2008-04-15 17:56:45 8704 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-09 23:26:29 40960 --a------ C:\WINDOWS\system32\opnkhggf.dll
2008-04-08 22:53:57 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\AVG7
2008-04-08 22:53:47 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-08 22:53:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 22:53:16 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-08 14:55:06 328704 --a------ C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll
2008-04-02 17:24:20 0 d-------- C:\Other
2008-03-31 20:04:42 0 d-------- C:\Program Files\CPV
2008-03-30 20:51:30 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\PC Tools
2008-03-30 20:50:49 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 20:50:38 0 d-------- C:\Program Files\Common Files\PC Tools
2008-03-30 20:50:31 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-03-30 20:50:31 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-30 20:27:02 0 d-------- C:\Documents and Settings\Adam Woodard\Download
2008-03-30 13:07:17 0 dr------- C:\Documents and Settings\All Users\Application Data\systemerrorfixer
2008-03-30 13:07:17 0 d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-03-30 12:53:32 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-30 11:56:41 0 d-------- C:\WINDOWS\system32\nGpxx07
2008-03-29 08:47:49 167247 --ahs---- C:\WINDOWS\system32\lVFOYcfe.ini2
2008-03-29 08:41:52 0 d-------- C:\WINDOWS\system32\nGpxx05
2008-03-29 08:41:52 0 d-------- C:\Temp
2008-03-26 19:22:30 245 --a------ C:\Documents and Settings\Adam Woodard\2387.bat
2008-03-26 19:19:40 345 --a------ C:\Documents and Settings\Adam Woodard\pp.exe
2008-03-24 20:17:27 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\My Games
2008-03-24 14:06:05 0 d-------- C:\Program Files\dbar
2008-03-24 14:06:05 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\Deskbar_{06CD14FF-E233-404b-AA33-EFB2B78DBFCD}
2008-03-24 13:20:30 0 d-------- C:\Program Files\winvi
2008-03-23 23:23:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-23 16:05:25 62464 --a------ C:\WINDOWS\system32\bszip.dll <Not Verified; BigSpeedSoft; BigSpeed Zip DLL>
2008-03-23 15:57:54 84761 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-03-23 15:56:23 0 d-------- C:\Program Files\Dcads Games Collection
2008-03-23 15:38:55 0 d-------- C:\Program Files\MediaTV
2008-03-23 15:31:43 69632 --a------ C:\WINDOWS\system32\GkSui18.EXE
2008-03-23 15:30:29 0 d-------- C:\Nimo Codec pack v4.32
2008-03-23 15:28:53 0 d-------- C:\Program Files\The Playa
2008-03-23 15:28:49 0 d-------- C:\Program Files\NimoCodec Pack
2008-03-23 15:28:49 0 d-------- C:\Program Files\DivXCodec
2008-03-23 15:27:23 56832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-03-23 15:27:23 27648 --a------ C:\WINDOWS\system32\ir50_lcs.dll <Not Verified; Intel Corporation.; Intel Indeo® video 5.0 LC>
2008-03-23 15:27:23 143872 --a------ C:\WINDOWS\system32\iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2008-03-17 10:25:33 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-04-16 17:15:28 0 d-------- C:\Program Files\Common Files
2008-04-16 16:53:43 0 d-------- C:\Program Files\9Dragons
2008-04-16 16:51:58 0 d-------- C:\Program Files\Microsoft Games
2008-04-16 16:46:25 0 d-------- C:\Program Files\EA GAMES
2008-04-16 16:42:54 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\Adobe
2008-04-16 15:04:51 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\Ability
2008-04-16 10:12:52 68593 --a------ C:\Documents and Settings\Adam Woodard\Application Data\update.log
2008-04-12 21:46:05 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\U3
2008-04-06 19:45:06 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\LimeWire
2008-03-23 23:23:48 0 d-------- C:\Program Files\Apple Software Update
2008-03-15 15:07:56 24576 --a------ C:\tfo
2008-03-14 12:22:14 0 d-------- C:\Program Files\LimeWire
2008-03-06 21:52:47 0 d-------- C:\Program Files\MSXML 4.0
2008-03-06 00:54:58 0 d-------- C:\Documents and Settings\Adam Woodard\Application Data\Google
2008-03-06 00:54:18 0 d-------- C:\Program Files\Google
2008-03-05 07:34:31 0 d-------- C:\Program Files\Messenger
2008-02-21 18:03:20 0 d-------- C:\Program Files\GameSpy Arcade


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00384512-fbb1-879f-3285-1bacacd3c164}]
08/04/2008 14:55 328704 --a------ C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8285F812-E4A9-4FCA-B7D9-D73F54EACCC5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
14/11/2007 15:36 1486848 --a------ C:\Program Files\dbar\Deskbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/05/2007 00:03]
"nwiz"="nwiz.exe" [11/05/2007 00:03 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [10/06/2005 16:20]
"inetsrv"="C:\WINDOWS\system32\inetsrv.exe" []
"Dit"="Dit.exe" [22/04/2003 16:20 C:\WINDOWS\Dit.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/10/2006 09:36]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 16:17]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/05/2007 00:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
"dbar_starter"="C:\Documents and Settings\Adam Woodard\Application Data\Deskbar_{06CD14FF-E233-404b-AA33-EFB2B78DBFCD}\starter.exe" []
"AntiSpywareMaster"="C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\J4GV3ATP\install_asm_en[1].exe" []
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [05/03/2008 09:37]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [16/04/2008 12:12]
"SBI"="C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\W1GVZ54D\installer_sbd_en[1].exe" []
"BM83431d68"="C:\WINDOWS\system32\igqajtkt.dll" []
"spa_start"="C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll" [08/04/2008 14:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [19/05/2005 18:38]
"PowerBar"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [14/02/2008 17:57]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12/08/2004 15:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [01/04/2006 21:30:27]
iFormat.lnk - C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe [25/09/2006 05:55:12]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [11/07/1997 01:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [11/07/1997 01:00:00]
Pinnacle Scheduler.lnk - C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe [04/10/2005 08:38:41]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [21/09/2005 14:19:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\efcYOFVl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c237766-2ebf-11db-8914-806d6172696f}]
AutoRun\command- D:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d098bec-c6fd-11db-bdb5-806d6172696f}]
AutoRun\command- F:\.\Recycled\Driveinfo.exe
Open\Command- F:\.\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d91e06-3932-11db-adb7-0013d4646592}]
AutoRun\command- F:\.\Recycled\Driveinfo.exe
Open\Command- F:\.\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77454bdc-f353-11dc-9c50-00016c004ea7}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{806b83de-4684-11db-ae0a-806d6172696f}]
AutoRun\command- F:\.\Recycled\Driveinfo.exe
Open\Command- F:\.\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95f14153-c9b2-11dc-9c09-00016c004ea7}]
AutoRun\command- G:\.\Recycled\Driveinfo.exe
Open\Command- G:\.\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce30a526-a0e4-11db-ae9c-0013d4646592}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de9c2c13-4682-11db-adc5-0013d4646592}]
AutoRun\command- F:\.\Recycled\Driveinfo.exe
Open\Command- F:\.\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1442de2-7f3f-11dc-9b88-806d6172696f}]
AutoRun\command- E:\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-04-16 21:21:00 ------------
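As an added example (not code from the original post, and not part of the HijackThis or DSS tools), the script below runs a few triage heuristics over lines copied from the logs above: autostart entries that point into the IE cache, DLLs in system32 named after a GUID or eight random letters, BHOs whose file is missing, extra entries under the LSA "Authentication Packages" value, and MountPoints2 autorun commands that run from a Recycled folder. The rule set and its labels are assumptions of this example; a match means "ask about this entry", not "this is malware".

```python
"""Heuristic triage of HijackThis / DSS log lines (added example, not part of
the original post). Every rule is an assumption about what usually deserves
a second look, not a malware verdict."""
import re

# Lines copied from the HijackThis section above, plus two known-good controls
# (Java's ssv.dll and Nero's InCD.exe) that the rules must leave alone.
SAMPLE_HJT = r"""
O2 - BHO: superiorads browser optimizer - {00384512-fbb1-879f-3285-1bacacd3c164} - C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\J4GV3ATP\install_asm_en[1].exe
O4 - HKLM\..\Run: [BM83431d68] Rundll32.exe "C:\WINDOWS\system32\igqajtkt.dll",s
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll" DllInit
O4 - HKLM\..\Run: [inetsrv] C:\WINDOWS\system32\inetsrv.exe
"""

# Registry-dump lines copied from the DSS section above.
SAMPLE_DSS = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\efcYOFVl

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d098bec-c6fd-11db-bdb5-806d6172696f}]
AutoRun\command- F:\.\Recycled\Driveinfo.exe
Open\Command- F:\.\Recycled\Driveinfo.exe
"""

# (label, regex applied to the text after "Oxx - "). Labels are this example's own.
RULES = [
    # BHO still registered but its DLL is gone: leftover of a half-removed install.
    ("orphan-bho", re.compile(r"\(no file\)$")),
    # Autostart pointing into the IE cache or %TEMP%: an installer made itself persistent.
    ("run-from-cache", re.compile(r"\\(Temporary Internet Files|Local Settings\\Temp)\\", re.I)),
    # DLL in system32 whose file name is a GUID.
    ("guid-named-dll", re.compile(r"\\system32\\\{[0-9a-f-]{36}\}\.dll", re.I)),
    # Eight-letter DLL in system32; legitimate eight-letter names exist, so review by hand.
    ("random-dll", re.compile(r"\\system32\\[a-z]{8}\.dll", re.I)),
]
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def triage(log_text):
    """Return [(kind, body, [labels])] for every HijackThis line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        labels = [label for label, rx in RULES if rx.search(m.group("body"))]
        if labels:
            hits.append((m.group("kind"), m.group("body"), labels))
    return hits


LSA_LINE = re.compile(r'"Authentication Packages"=\s*(?P<pkgs>.+)$')


def extra_auth_packages(dump_text):
    """Entries under LSA 'Authentication Packages' other than the stock msv1_0.
    A clean Windows XP install lists only msv1_0; anything extra is a DLL that
    LSASS loads at boot. Splits on whitespace, so paths with spaces need more."""
    for line in dump_text.splitlines():
        m = LSA_LINE.search(line)
        if m:
            return [p for p in m.group("pkgs").split() if p.lower() != "msv1_0"]
    return []


AUTORUN_LINE = re.compile(r"^(?:AutoRun\\command|Open\\Command)-\s*(?P<cmd>.+)$", re.I)


def autorun_targets(dump_text):
    """Distinct MountPoints2 autorun/open commands that run from a Recycled
    folder or a bare relative path, the trace removable-drive autorun.inf
    worms leave behind."""
    found = set()
    for line in dump_text.splitlines():
        m = AUTORUN_LINE.match(line.strip())
        if m and re.search(r"(?:^\.\\|\\Recycled\\)", m.group("cmd"), re.I):
            found.add(m.group("cmd"))
    return sorted(found)


if __name__ == "__main__":
    for kind, body, labels in triage(SAMPLE_HJT):
        print(kind, ", ".join(labels), "->", body)
    print("extra LSA packages:", extra_auth_packages(SAMPLE_DSS))
    print("autorun into Recycled:", autorun_targets(SAMPLE_DSS))
```

Run as-is it reports the five flagged lines, the extra LSA package and the Recycled autorun command while leaving ssv.dll and InCD.exe alone; to triage a whole log, pass the file's contents to `triage()` and the DSS registry dump to the other two functions instead of the embedded samples.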

--
End of file - 9964 bytes

#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:56 PM

Posted 16 April 2008 - 05:44 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 AdamWoodard

  • Topic Starter
  • Members
  • 2 posts
  • Local time:08:56 PM

Posted 17 April 2008 - 01:28 PM

Thanks very much for helping, here is the log...

ComboFix 08-04-16.5 - Adam Woodard 2008-04-17 20:21:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.620 [GMT 2:00]
Running from: C:\Documents and Settings\Adam Woodard\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Adam Woodard\err.log
C:\WINDOWS\b152.exe.bin
C:\WINDOWS\b153.exe.bin
C:\WINDOWS\system32\_000005_.tmp.dll
.
---- Previous Run -------
.
C:\Program Files\CPV
C:\WINDOWS\BM83431d68.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\lVFOYcfe.ini
C:\WINDOWS\system32\lVFOYcfe.ini2
C:\WINDOWS\system32\nGpxx05
C:\WINDOWS\system32\nGpxx07
C:\WINDOWS\system32\yidyhipl.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-16 21:18 . 2008-04-16 21:18 <DIR> d-------- C:\Deckard
2008-04-16 17:33 . 2008-04-16 17:34 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-16 14:20 . 2008-04-16 17:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-16 14:20 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-16 14:20 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-16 14:20 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-16 14:20 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-16 11:23 . 2008-04-16 21:20 <DIR> d-------- C:\hijackthis
2008-04-16 10:08 . 2008-04-16 10:08 <DIR> d-------- C:\Documents and Settings\Adam Woodard\Application Data\WinAnonymous
2008-04-15 23:19 . 2008-04-15 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinAnonymous
2008-04-15 17:56 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-15 17:56 . 2004-10-07 13:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-09 23:26 . 2008-04-09 23:26 40,960 --a------ C:\WINDOWS\system32\opnkhggf.dll
2008-04-08 22:53 . 2008-04-08 22:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-08 22:53 . 2008-04-08 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 22:53 . 2008-04-09 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-08 22:53 . 2008-04-17 16:06 <DIR> d-------- C:\Documents and Settings\Adam Woodard\Application Data\AVG7
2008-04-08 20:15 . 2008-04-08 20:15 63,882 --a------ C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll-uninst.exe
2008-04-08 14:55 . 2008-04-08 14:55 328,704 --a------ C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll
2008-04-02 17:24 . 2008-04-02 17:24 <DIR> d-------- C:\Other
2008-03-30 21:21 . 2008-03-30 22:58 1,583,697 ---hs---- C:\WINDOWS\system32\hafvnckd.ini
2008-03-30 20:51 . 2008-03-30 20:51 <DIR> d-------- C:\Documents and Settings\Adam Woodard\Application Data\PC Tools
2008-03-30 20:50 . 2008-04-17 20:18 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-03-30 20:50 . 2008-03-30 20:50 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-03-30 20:50 . 2008-04-17 20:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 20:50 . 2008-03-30 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-30 20:50 . 2007-12-06 16:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2008-03-30 20:50 . 2007-12-06 16:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2008-03-30 20:50 . 2008-02-12 11:44 21,904 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2008-03-30 20:27 . 2008-03-30 20:27 <DIR> d-------- C:\Documents and Settings\Adam Woodard\Download
2008-03-30 13:07 . 2008-03-30 13:07 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\systemerrorfixer
2008-03-30 13:07 . 2008-03-30 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-03-30 12:53 . 2008-03-30 12:53 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-29 21:14 . 2008-03-30 20:25 1,583,913 ---hs---- C:\WINDOWS\system32\tscmxlnh.ini
2008-03-29 08:41 . 2008-03-29 08:41 <DIR> d-------- C:\Temp\cXzz9
2008-03-29 08:41 . 2008-03-29 08:41 <DIR> d-------- C:\Temp
2008-03-26 19:22 . 2008-03-26 19:22 245 --a------ C:\Documents and Settings\Adam Woodard\2387.bat
2008-03-26 19:19 . 2008-03-26 19:19 345 --a------ C:\Documents and Settings\Adam Woodard\pp.exe
2008-03-24 20:17 . 2008-03-24 20:17 <DIR> d-------- C:\Documents and Settings\Adam Woodard\Application Data\My Games
2008-03-24 14:06 . 2008-03-24 14:06 <DIR> d-------- C:\Program Files\dbar
2008-03-24 14:06 . 2008-03-24 14:06 <DIR> d-------- C:\Documents and Settings\Adam Woodard\Application Data\Deskbar_{06CD14FF-E233-404b-AA33-EFB2B78DBFCD}
2008-03-24 13:20 . 2008-04-03 11:22 <DIR> d-------- C:\Program Files\winvi
2008-03-23 23:23 . 2008-03-23 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-23 15:57 . 2008-03-23 15:57 84,761 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-03-23 15:56 . 2008-03-23 15:56 <DIR> d-------- C:\Program Files\Dcads Games Collection
2008-03-23 15:39 . 2008-03-23 15:39 327 --a------ C:\WINDOWS\VivTV.ini
2008-03-23 15:38 . 2008-03-23 15:38 <DIR> d-------- C:\Program Files\MediaTV
2008-03-23 15:31 . 2000-09-25 02:54 69,632 --a------ C:\WINDOWS\system32\GkSui18.EXE
2008-03-23 15:30 . 2008-03-23 15:30 <DIR> d-------- C:\Nimo Codec pack v4.32
2008-03-23 15:28 . 2008-03-23 15:28 <DIR> d-------- C:\Program Files\The Playa
2008-03-23 15:28 . 2008-03-23 16:08 <DIR> d-------- C:\Program Files\NimoCodec Pack
2008-03-23 15:28 . 2008-03-23 15:28 <DIR> d-------- C:\Program Files\DivXCodec
2008-03-23 15:27 . 1997-08-27 09:53 391,168 --a------ C:\WINDOWS\system32\i263_32.drv
2008-03-23 15:27 . 1998-02-13 14:30 143,872 --a------ C:\WINDOWS\system32\iacenc.dll
2008-03-23 15:27 . 1997-06-13 08:56 56,832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-03-23 15:27 . 1997-11-06 12:53 27,648 --a------ C:\WINDOWS\system32\ir50_lcs.dll
2008-03-23 15:27 . 2008-03-23 15:27 5,952 --a------ C:\WINDOWS\system32\CDUninst.isu
2008-03-17 10:25 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-16 14:53 --------- d-----w C:\Program Files\9Dragons
2008-04-16 14:51 --------- d-----w C:\Program Files\Microsoft Games
2008-04-16 14:46 --------- d-----w C:\Program Files\EA GAMES
2008-04-16 13:04 --------- d-----w C:\Documents and Settings\Adam Woodard\Application Data\Ability
2008-04-12 19:46 --------- d-----w C:\Documents and Settings\Adam Woodard\Application Data\U3
2008-04-06 17:45 --------- d-----w C:\Documents and Settings\Adam Woodard\Application Data\LimeWire
2008-03-23 21:23 --------- d-----w C:\Program Files\Apple Software Update
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 10:22 --------- d-----w C:\Program Files\LimeWire
2008-03-06 19:52 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-05 22:54 --------- d-----w C:\Program Files\Google
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-21 16:03 --------- d-----w C:\Program Files\GameSpy Arcade
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\SETD.tmp
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\SET6.tmp
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\SET7.tmp
2005-03-31 19:17 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

------- Sigcheck -------

2005-09-28 15:39 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00384512-fbb1-879f-3285-1bacacd3c164}]
2008-04-08 14:55 328704 --a------ C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
2007-11-14 15:36 1486848 --a------ C:\Program Files\dbar\Deskbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2005-05-19 18:38 1957888]
"PowerBar"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-14 17:57 68856]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 15:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 00:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 00:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-06-10 16:20 1397760]
"Dit"="Dit.exe" [2003-04-22 16:20 61440 C:\WINDOWS\Dit.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-11 00:03 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"dbar_starter"="C:\Documents and Settings\Adam Woodard\Application Data\Deskbar_{06CD14FF-E233-404b-AA33-EFB2B78DBFCD}\starter.exe" [ ]
"AntiSpywareMaster"="C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\J4GV3ATP\install_asm_en[1].exe" [ ]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 12:12 579584]
"SBI"="C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\W1GVZ54D\installer_sbd_en[1].exe" [ ]
"BM83431d68"="C:\WINDOWS\system32\igqajtkt.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 15:18 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-08 22:53 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-01 21:30:27 113664]
iFormat.lnk - C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe [2006-09-25 05:55:12 811008]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 01:00:00 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 01:00:00 51984]
Pinnacle Scheduler.lnk - C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe [2005-10-04 08:38:41 245760]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2005-09-21 14:19:10 585728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
"C:\\Documents and Settings\\Adam Woodard\\My Documents\\Games\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\SIERRA\\EmperorRotMK\\Emperor.exe"=
"C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"C:\\Documents and Settings\\Adam Woodard\\My Documents\\Games\\EE3\\Empire Earth.exe"=
"C:\\Documents and Settings\\Adam Woodard\\My Documents\\Games\\HL2\\hl.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 19:52]
S3 jfdcd;jfdcd;C:\DOCUME~1\ADAMWO~1\LOCALS~1\Temp\jfdcd.sys []
S3 STVqx3;Intel Play QX3 Microscope;C:\WINDOWS\system32\drivers\STVqx3.sys [2001-04-12 13:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77454bdc-f353-11dc-9c50-00016c004ea7}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 21:23:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-17 17:59:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 20:22:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 20:23:43
ComboFix-quarantined-files.txt 2008-04-17 18:23:35

Pre-Run: 34,461,569,024 bytes free
Post-Run: 34,447,933,440 bytes free
.
2008-04-16 15:13:07 --- E O F ---

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:56 PM

Posted 17 April 2008 - 07:30 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
jfdcd

Folder::
C:\Program Files\dbar
C:\Documents and Settings\Adam Woodard\Application Data\Deskbar_{06CD14FF-E233-404b-AA33-EFB2B78DBFCD}
C:\Temp\cXzz9
C:\Documents and Settings\All Users\Application Data\systemerrorfixer
C:\Documents and Settings\All Users\Application Data\System Doctor Free
C:\Documents and Settings\All Users\Application Data\SalesMon

Dirlook::
C:\Program Files\winvi

File::
C:\DOCUME~1\ADAMWO~1\LOCALS~1\Temp\jfdcd.sys
C:\WINDOWS\system32\igqajtkt.dll
C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\W1GVZ54D\installer_sbd_en[1].exe
C:\Documents and Settings\Adam Woodard\Application Data\Deskbar_{06CD14FF-E233-404b-AA33-EFB2B78DBFCD}\starter.exe
C:\Documents and Settings\Adam Woodard\Local Settings\Temporary Internet Files\Content.IE5\J4GV3ATP\install_asm_en[1].exe
C:\WINDOWS\system32\{03c72349-117e-15d6-0f49-d4c5cdc8f9ab}.dll
C:\Documents and Settings\Adam Woodard\2387.bat
C:\Documents and Settings\Adam Woodard\pp.exe
C:\WINDOWS\system32\tscmxlnh.ini
C:\WINDOWS\system32\hafvnckd.ini
C:\WINDOWS\system32\opnkhggf.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dbar_starter"=-
"AntiSpywareMaster"=-
"SBI"=-
"BM83431d68"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00384512-fbb1-879f-3285-1bacacd3c164}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
========================================================

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:56 PM

Posted 12 May 2008 - 09:08 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.
========================================================