
Virtumonde(i Think So) Xp Home


25 replies to this topic

#1 jacksnake


  • Members
  • 17 posts

Posted 17 April 2008 - 01:21 PM

Hello all,

Sorry; my first (second) post is a request, but things are desperate, so I hope you will understand.

Symptoms: cannot use copy-paste in Windows Explorer/Firefox; cannot drag-drop. IE doesn't open at all, so I cannot perform the Kaspersky online scan (it's Windows IE only).

Downloaded VundoFix, Avast and Anti-Malware, but all give an RPC unavailable error, so I cannot launch any of the programs. I also downloaded the MoveIt.exe file, but the targeted files cannot be deleted after any number of attempts because they have attached themselves to the following processes:

c:\windows\system32\khfffghh.dll (getting loaded by lsass.exe)
c:\windows\system32\awtsssrs.dll (getting loaded by winlogon.exe)

I am sorry, I didn't know I had to run ComboFix under supervision; I downloaded it, ran it, and it gave me a log file; after that I typed combofix /u in Start -> Run and it was uninstalled. I was googling in despair and I found the forums.

In case it matters, I did run Kaspersky Anti-Virus (local copy) on my machine, PestPatrol and CureIt, and these scans removed a bunch of stuff; I did make sure that none of the deleted files were system files. Also, my Windows boots up in like 15 minutes against the usual 1 minute, and after the logon it takes forever for the icons to appear; there is just a wallpaper on the screen till the icons appear; it also looks like fewer services are being loaded, but that is just speculation.

I had posted earlier in a different forum (topic# 142325) but was advised to post here; sorry about that. As stated above, I cannot run the Kaspersky scanner because IE doesn't work anymore on my machine; I ran the DSS checker in Normal Mode and the log is below... I really, really appreciate all the help you guys are doing. I retyped all the content from the previous post here because copy-paste is not working anymore *tired*, so if anyone could please help me out at your earliest convenience, I will be thankful, because this is my main work machine and I am basically stalled now...

my best regards,
- jack



Deckard's System Scanner v20071014.68
Run by MANOJ on 2008-04-17 13:51:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 1.15 GiB (less than 15%) free.


-- HijackThis (run as MANOJ.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:56 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\MANOJ\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MANOJ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E5EE0B0-8961-403C-98F4-6B73D7BB3E65} - C:\WINDOWS\system32\khfffghh.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\awtsssrs.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1997950503-1101888196-647582370-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1997950503-1101888196-647582370-1006\..\Run: [QNPlus] (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-1997950503-1101888196-647582370-1006 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-1997950503-1101888196-647582370-1006 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - S-1-5-21-1997950503-1101888196-647582370-1006 Startup: Registration Assassin's Creed.LNK = C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Registration Assassin's Creed.LNK = C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: DiaryOne: Save full text - C:\Program Files\DiaryOne\Script\fullcatcher.htm
O8 - Extra context menu item: DiaryOne: Save selected text - C:\Program Files\DiaryOne\Script\catcher.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/rit/support/plugins/ebraryRdr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124139609609
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124139662296
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: awtsssrs - C:\WINDOWS\SYSTEM32\awtsssrs.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Appz\appz a-q\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Informatica Repository Server (PmRepServer) - Unknown owner - C:\Program Files\Informatica PowerCenter 7.1.2\RepositoryServer\bin\pmrepserver.exe
O23 - Service: Informatica (Powermart) - Unknown owner - C:\Program Files\Informatica PowerCenter 7.1.2\Server\bin\pmserver.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 11783 bytes

-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 01:41:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 01:41:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-17 01:28:16 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-17 01:28:16 2540 --a------ C:\WINDOWS\unins000.dat
2008-04-17 00:54:04 302405 --ahs---- C:\WINDOWS\system32\hhgfffhk.ini2
2008-04-16 01:36:39 396267 --a------ C:\WINDOWS\system32\khfffghh.dll
2008-04-16 01:25:47 34099 --a------ C:\WINDOWS\system32\awtsssrs.dll
2008-04-13 16:22:54 0 d-------- C:\Documents and Settings\MANOJ\Application Data\Ubisoft
2008-04-10 21:11:22 0 d-------- C:\Documents and Settings\All Users\Adobe
2008-04-10 20:59:58 0 d--h----- C:\Program Files\Zero G Registry
2008-04-10 20:59:14 0 d--h----- C:\Documents and Settings\MANOJ\InstallAnywhere
2008-04-03 02:55:08 0 d-------- C:\Documents and Settings\MANOJ\workspace
2008-03-30 19:19:13 0 d-------- C:\links
2008-03-30 19:18:12 0 d-------- C:\Documents and Settings\MANOJ\Application Data\WinRAR
2008-03-30 19:05:12 0 d-------- C:\cryptload
2008-03-26 20:23:58 110592 --a------ C:\iperf.exe
2008-03-26 20:18:48 0 d-------- C:\Documents and Settings\MANOJ\Application Data\FileZilla
2008-03-26 20:18:03 0 d-------- C:\Program Files\FileZilla FTP Client
2008-03-23 16:54:34 0 d-------- C:\WINDOWS\system32\AGEIA
2008-03-23 16:54:34 0 d-------- C:\Program Files\AGEIA Technologies
2008-03-23 16:53:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 18:50:51 12800 -----n--- C:\WINDOWS\system32\drivers\usb8023x.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-20 18:50:51 30592 -----n--- C:\WINDOWS\system32\drivers\rndismpx.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-20 18:50:32 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-20 18:46:21 104576 --a------ C:\WINDOWS\system32\drivers\wceusbsh.sys <Not Verified; Microsoft Corporation; Windows CE USB Serial Host Driver>
2008-03-20 07:11:25 0 d--hs---- C:\Documents and Settings\MANOJ\Recent
2008-03-19 21:43:15 20992 --a------ C:\WINDOWS\system32\drivers\motmodem.sys <Not Verified; Motorola; Motorola USB Modem or Port>
2008-03-19 21:43:14 40832 --a------ C:\WINDOWS\system32\drivers\motodrv.sys <Not Verified; Motorola Inc; Motorola USB Composite/Flash Driver>
2008-03-19 21:36:30 0 d-------- C:\Program Files\Common Files\Motorola Shared


-- Find3M Report ---------------------------------------------------------------

2008-04-17 13:47:11 0 d-------- C:\Program Files\PestPatrol
2008-04-17 13:26:13 0 d-------- C:\Program Files\Trend Micro
2008-04-17 02:28:37 0 d-------- C:\Program Files\Trojan Remover
2008-04-17 01:56:30 0 d-------- C:\Documents and Settings\MANOJ\Application Data\ColorImpact3
2008-04-16 03:33:16 0 d-------- C:\Program Files\Common Files
2008-04-13 16:04:23 0 d-------- C:\Program Files\Ubisoft
2008-04-13 16:04:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 15:45:31 0 d-------- C:\Program Files\Winamp
2008-03-26 21:01:57 0 d-------- C:\Program Files\Notepad++
2008-03-26 20:31:00 0 d-------- C:\Documents and Settings\MANOJ\Application Data\Adobe
2008-03-20 18:53:56 2508 --a------ C:\Documents and Settings\MANOJ\Application Data\$_hpcst$.hpc
2008-03-19 20:44:08 0 d-------- C:\Documents and Settings\MANOJ\Application Data\Notepad++
2008-03-17 18:58:27 0 d-------- C:\Documents and Settings\MANOJ\Application Data\dvdcss
2008-03-10 22:49:30 0 d-------- C:\Documents and Settings\MANOJ\Application Data\ATI
2008-03-10 22:47:47 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-03-10 22:44:30 0 d-------- C:\Program Files\ATI Technologies
2008-03-07 03:11:19 0 d-------- C:\Program Files\TESTOUT
2008-03-07 02:04:14 0 d-------- C:\Program Files\Ghostgum
2008-03-07 02:03:18 0 d-------- C:\Program Files\gs
2008-03-07 01:52:27 0 d-------- C:\Program Files\TeXnicCenter
2008-03-07 01:49:25 0 d-------- C:\Program Files\MiKTeX 2.5
2008-03-06 23:42:17 0 d-------- C:\Program Files\THQ
2008-03-02 12:32:41 75776 --ah----- C:\Documents and Settings\MANOJ\Application Data\rbqt450.DLL
2008-03-02 12:32:41 64512 --ah----- C:\Documents and Settings\MANOJ\Application Data\rbap450.dll
2008-03-02 12:32:41 50688 --ah----- C:\Documents and Settings\MANOJ\Application Data\MBSWinPlugin.dll
2008-03-02 12:32:41 26624 --ah----- C:\Documents and Settings\MANOJ\Application Data\MBSUsernamePlugin.dll
2008-03-02 12:32:41 31744 --ah----- C:\Documents and Settings\MANOJ\Application Data\MBSQTFileTransferPlugin.dll
2008-03-02 12:32:41 18432 --ah----- C:\Documents and Settings\MANOJ\Application Data\EHEncrypt.dll
2008-03-02 12:32:40 26112 --ah----- C:\Documents and Settings\MANOJ\Application Data\MBSRegistrationPlugin.dll
2008-03-02 12:32:40 31232 --ah----- C:\Documents and Settings\MANOJ\Application Data\MBSProcessPlugin.dll
2008-03-02 12:32:40 34304 --ah----- C:\Documents and Settings\MANOJ\Application Data\MBSCalcPlugin.dll
2008-03-02 12:32:38 56832 --ah----- C:\Documents and Settings\MANOJ\Application Data\rbmysql450.DLL
2008-03-02 12:32:38 29184 --ah----- C:\Documents and Settings\MANOJ\Application Data\BoxControl.DLL
2008-02-25 23:12:07 372736 --a------ C:\WINDOWS\system32\ATIDEMGX.dll <Not Verified; Advanced Micro Devices, Inc.; Catalyst® Control Centre>
2008-02-25 23:10:59 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll <Not Verified; ATI Technologies Inc.; ATI Display Driver Utilities>
2008-02-25 23:10:53 299520 --a------ C:\WINDOWS\system32\ati2dvag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon WindowsNT Display Driver>
2008-02-25 23:02:15 172032 --a------ C:\WINDOWS\system32\atipdlxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-02-25 23:02:02 126976 --a------ C:\WINDOWS\system32\Oemdspif.dll <Not Verified; ATI Technologies, Inc.; ATI Driver Interface Component>
2008-02-25 23:01:53 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe <Not Verified; ATI Technologies, Inc.; ATI Default Resolution Update>
2008-02-25 23:01:44 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll <Not Verified; ATI Technologies, Inc.; ATI External Device Utility>
2008-02-25 23:01:31 126976 --a------ C:\WINDOWS\system32\ati2evxx.dll <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-02-25 23:00:02 520192 --a------ C:\WINDOWS\system32\ati2evxx.exe <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-02-25 22:59:23 9797632 --a------ C:\WINDOWS\system32\atioglx2.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-02-25 22:58:43 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2008-02-25 22:49:29 3176480 --a------ C:\WINDOWS\system32\ati3duag.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon DirectX Universal Driver>
2008-02-25 22:41:47 1755264 --a------ C:\WINDOWS\system32\ativvaxx.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon Video Acceleration Universal Driver>
2008-02-25 22:41:28 887724 --a------ C:\WINDOWS\system32\ativva6x.dat
2008-02-25 22:29:25 46080 --a------ C:\WINDOWS\system32\amdpcom32.dll <Not Verified; Advanced Micro Devices, Inc.; Advanced Micro Devices, Inc. Radeon PCOM Universal Driver>
2008-02-25 22:25:32 393216 --a------ C:\WINDOWS\system32\atikvmag.dll <Not Verified; ATI Technologies Inc.; Virtual Command And Memory Manager>
2008-02-25 22:23:24 17408 --a------ C:\WINDOWS\system32\atitvo32.dll <Not Verified; ATI Technologies Inc.; ATI RageTheater/ImpacTV COM interface>
2008-02-25 22:21:36 5439488 --a------ C:\WINDOWS\system32\atioglxx.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-02-25 22:19:20 167936 --a------ C:\WINDOWS\system32\atiok3x2.dll <Not Verified; ATI Technologies Inc.; Ring 0 x2 Component>
2008-02-25 22:16:49 520192 --a------ C:\WINDOWS\system32\ati2cqag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2008-02-25 21:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-02-14 13:35:13 166450 --a------ C:\WINDOWS\system32\atiicdxx.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E5EE0B0-8961-403C-98F4-6B73D7BB3E65}]
04/16/2008 01:36 AM 396267 --a------ C:\WINDOWS\system32\khfffghh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
04/16/2008 01:25 AM 34099 --a------ C:\WINDOWS\system32\awtsssrs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" []
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" []
"Logitech Utility"="Logi_MwX.Exe" [12/11/2003 05:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/10/2005 10:57 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [03/09/2007 07:50 PM]
"VIPv3_Auto_Update"="" []
"Vistadrv"="" []
"DrvIcon"="C:\Program Files\Vista Drive Icon\DrvIcon.exe" [07/04/2007 03:59 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [11/15/2004 11:49 AM]
"PestPatrolCL"="" []
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [04/02/2004 03:11 PM]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [01/10/2005 09:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []
"QNPlus"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\awtsssrs.dll [04/16/2008 01:25 AM 34099]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsssrs]
awtsssrs.dll 04/16/2008 01:25 AM 34099 C:\WINDOWS\SYSTEM32\awtsssrs.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= C:\WINDOWS\system32\khfffghh


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cc08f78-662c-11da-8b9b-0011118a7653}]
AutoRun\command- F:\Autorun\UbiAutorun.exe




-- End of Deckard's System Scanner: finished at 2008-04-17 13:52:22 ------------
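The two DLLs the poster could not delete are exactly the ones the DSS registry dump above shows wired into the boot path: khfffghh is listed under the LSA "Authentication Packages" value (so lsass.exe loads it), and awtsssrs.dll is both a Winlogon Notify DLL and a ShellExecuteHook (so winlogon.exe and Explorer load it), in addition to both being unnamed Browser Helper Objects. That is why user-mode removal tools report the files as in use. The script below is an added example, not part of this thread or of HijackThis, DSS or ComboFix: it parses lines in the log format quoted above and reports modules that are loaded through more than one mechanism. The sample input is a constructed excerpt modelled on the post's log lines, and the heuristics (flag unnamed BHOs, any Winlogon Notify or ShellExecuteHooks entry, and any LSA authentication package other than the stock Windows XP msv1_0) are the reviewer's own choices, not rules taken from any of those tools.

```python
"""Flag multi-mechanism persistence in HijackThis / DSS style log lines.

Added example, not from the thread or any tool it mentions. Heuristics are
the reviewer's own: unnamed BHOs, Winlogon Notify and ShellExecuteHooks
entries, and LSA authentication packages other than the stock msv1_0.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the HijackThis and DSS registry-dump lines in the post.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E5EE0B0-8961-403C-98F4-6B73D7BB3E65} - C:\WINDOWS\system32\khfffghh.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\awtsssrs.dll
O20 - Winlogon Notify: awtsssrs - C:\WINDOWS\SYSTEM32\awtsssrs.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\awtsssrs.dll [04/16/2008 01:25 AM 34099]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= C:\WINDOWS\system32\khfffghh
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+)$")
SEH_RE = re.compile(r'^"\{[0-9A-Fa-f-]+\}"=\s*(?P<path>.+?)(?:\s+\[.*\])?$')
AUTHPKG_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")

# The stock LSA authentication package on Windows XP; anything else deserves a look.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def module_name(path):
    """Reduce a path or bare package name to its lower-case base name without .dll."""
    base = path.strip().replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\.dll$", "", base, flags=re.IGNORECASE).lower()


def find_persistence(log_text):
    """Map each suspicious module to the sorted list of load mechanisms it uses."""
    hooks = defaultdict(set)
    section = ""  # registry key of the DSS dump block we are currently inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = BHO_RE.match(line)
        if m:
            # Legitimate BHOs almost always carry a product name; the Vundo DLLs did not.
            if m.group("name") == "(no name)":
                hooks[module_name(m.group("path"))].add("BHO (no name)")
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify DLLs load inside winlogon.exe, out of reach of user-mode deletion.
            hooks[module_name(m.group("path"))].add("Winlogon Notify")
            continue
        if section.endswith("shellexecutehooks"):
            m = SEH_RE.match(line)
            if m:
                hooks[module_name(m.group("path"))].add("ShellExecuteHooks")
            continue
        if section.endswith("\\control\\lsa"):
            m = AUTHPKG_RE.match(line)
            if m:
                # Packages listed here are loaded by lsass.exe at boot.
                for pkg in re.split(r"[\s,]+", m.group("pkgs").strip()):
                    name = module_name(pkg)
                    if name and name not in DEFAULT_AUTH_PACKAGES:
                        hooks[name].add("LSA Authentication Packages")
    return {mod: sorted(ways) for mod, ways in hooks.items()}


def multi_hook_modules(hooks):
    """Modules hooked through two or more mechanisms: the strongest signal in the dump."""
    return sorted(mod for mod, ways in hooks.items() if len(ways) >= 2)


if __name__ == "__main__":
    found = find_persistence(SAMPLE_LOG)
    for mod, ways in sorted(found.items()):
        print(f"{mod}: {', '.join(ways)}")
    print("loaded by more than one mechanism:", multi_hook_modules(found))
```

Run against the sample, the script reports awtsssrs under three mechanisms and khfffghh under two, while the named Adobe BHO and the ATI service are ignored. The cross-referencing is the point: a single unnamed BHO is only mildly suspicious, but one module reachable through a BHO, a Winlogon Notify entry and a ShellExecuteHook at once is the pattern a responder should expect to need a boot-time or offline removal for, which matches what the poster saw with MoveIt.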



#2 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 April 2008 - 10:11 PM

Hello Jack,

Welcome to Bleeping Computer :blink:

Please go ahead and download ComboFix again, run it, and post the report for me. :wacko: Thank you for letting me know you already ran it. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 jacksnake

  • Topic Starter

  • Members
  • 17 posts

Posted 17 April 2008 - 10:38 PM

Hello Tea:

First, thank you so much!! for your help.

One last thing that I thought you must know as well: after I posted my log last time, I booted into Safe Mode and ran vundobegone.exe; I did not make any changes after that and won't make any more until you suggest so; I am sorry if running vundobegone will create any problems.

Thanks again,

Here is my combofix log:

ComboFix 08-04-16.5 - MANOJ 2008-04-17 23:17:56.4 - NTFSx86
Running from: C:\Documents and Settings\MANOJ\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\hhgfffhk.ini
C:\WINDOWS\SYSTEM32\hhgfffhk.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-17 23:07 . 2008-04-17 23:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-04-17 22:57 . 2008-04-17 22:57 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-17 22:45 . 2008-04-17 22:48 <DIR> d-------- C:\I386
2008-04-17 22:43 . 2004-08-12 16:45 338,198 --a------ C:\HIVESFT.INF
2008-04-17 22:43 . 2004-08-12 10:11 388 --a------ C:\DriverLanguageMap.xml
2008-04-17 13:30 . 2008-04-17 13:30 <DIR> d-------- C:\Deckard
2008-04-17 11:20 . 2008-04-17 11:20 <DIR> d-------- C:\_OTMoveIt
2008-04-17 01:41 . 2008-04-17 01:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-17 01:41 . 2008-04-17 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 01:28 . 2008-04-17 01:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-17 01:28 . 2008-04-17 01:28 2,540 --a------ C:\WINDOWS\unins000.dat
2008-04-16 23:25 . 2008-04-16 23:26 1,737 --a------ C:\WINDOWS\SetupPestPatrolCorporate.mif
2008-04-16 01:25 . 2008-04-16 01:25 <DIR> d-------- C:\Temp\wdlw14
2008-04-13 16:22 . 2008-04-13 16:22 <DIR> d-------- C:\Documents and Settings\MANOJ\Application Data\Ubisoft
2008-04-13 16:20 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2008-04-13 16:20 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_6.dll
2008-04-13 16:20 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\SYSTEM32\xactengine2_5.dll
2008-04-10 21:11 . 2008-04-10 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Adobe
2008-04-10 20:59 . 2008-04-10 21:01 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-04-10 20:59 . 2008-04-10 20:59 <DIR> d--h----- C:\Documents and Settings\MANOJ\InstallAnywhere
2008-04-09 11:14 . 2008-04-15 00:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:14 . 2008-04-09 11:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-04 20:21 . 2008-04-04 20:21 11,355 --a------ C:\data_servicestorrent.torrent
2008-04-03 02:55 . 2008-04-03 10:42 <DIR> d-------- C:\Documents and Settings\MANOJ\workspace
2008-03-30 23:38 . 2008-03-30 23:41 29,222,080 --a------ C:\kas.rar
2008-03-30 19:19 . 2008-03-30 19:19 <DIR> d-------- C:\links
2008-03-30 19:05 . 2008-03-30 19:05 <DIR> d-------- C:\cryptload
2008-03-26 20:23 . 2008-03-26 20:23 110,592 --a------ C:\iperf.exe
2008-03-26 20:18 . 2008-03-26 20:18 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-03-26 20:18 . 2008-04-05 21:00 <DIR> d-------- C:\Documents and Settings\MANOJ\Application Data\FileZilla
2008-03-23 16:54 . 2008-03-23 16:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\AGEIA
2008-03-23 16:54 . 2008-03-23 16:54 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-03-23 16:53 . 2008-03-23 16:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 03:46 . 2008-03-23 03:46 13,099 --a------ C:\Chandamama (2007) - DVDRip - XviD - Mega.torrent
2008-03-20 18:50 . 2008-03-20 18:50 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-20 18:50 . 2005-10-20 21:47 30,592 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2008-03-20 18:50 . 2005-10-20 21:47 12,800 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2008-03-20 18:46 . 2005-06-14 18:13 104,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wceusbsh.sys
2008-03-19 21:47 . 2008-03-19 21:47 0 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-19 21:47 . 2008-03-19 21:47 0 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\Msft_Kernel_motmodem_01005.Wdf
2008-03-19 21:43 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\SYSTEM32\wdfcoinstaller01005.dll
2008-03-19 21:43 . 2006-12-14 00:39 40,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motodrv.sys
2008-03-19 21:43 . 2006-12-13 17:52 20,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motmodem.sys
2008-03-19 21:36 . 2008-03-19 21:36 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-03-19 21:35 . 2006-12-14 21:44 3,679,744 --a------ C:\Motorola_EU_Driver_Installation_v2.6.2.msi
2008-03-19 21:35 . 2008-03-19 21:34 3,584,106 --a------ C:\Handset_USB_Driver_32_v2.6.2.0.zip
2008-03-18 20:46 . 2008-03-18 20:47 7,601,266 --a------ C:\WhimsicalAnimals.rar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 03:25 123,273,504 ---ha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-18 03:23 5,329,696 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-18 02:24 --------- d-----w C:\Program Files\PestPatrol
2008-04-18 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 02:19 500,672 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-18 02:19 1,652,420 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-17 17:26 --------- d-----w C:\Program Files\Trend Micro
2008-04-17 06:28 --------- d-----w C:\Program Files\Trojan Remover
2008-04-17 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trojan Remover
2008-04-17 05:56 --------- d-----w C:\Documents and Settings\MANOJ\Application Data\ColorImpact3
2008-04-17 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 05:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-13 20:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 20:04 --------- d-----w C:\Program Files\Ubisoft
2008-04-13 19:45 --------- d-----w C:\Program Files\Winamp
2008-03-27 01:01 --------- d-----w C:\Program Files\Notepad++
2008-03-20 00:44 --------- d-----w C:\Documents and Settings\MANOJ\Application Data\Notepad++
2008-03-17 22:58 --------- d-----w C:\Documents and Settings\MANOJ\Application Data\dvdcss
2008-03-11 02:49 --------- d-----w C:\Documents and Settings\MANOJ\Application Data\ATI
2008-03-11 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-03-11 02:44 --------- d-----w C:\Program Files\ATI Technologies
2008-03-07 07:11 --------- d-----w C:\Program Files\TESTOUT
2008-03-07 06:04 --------- d-----w C:\Program Files\Ghostgum
2008-03-07 06:03 --------- d-----w C:\Program Files\gs
2008-03-07 05:52 --------- d-----w C:\Program Files\TeXnicCenter
2008-03-07 05:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\MiKTeX
2008-03-07 05:49 --------- d-----w C:\Program Files\MiKTeX 2.5
2008-03-07 03:42 --------- d-----w C:\Program Files\THQ
2008-03-07 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-02 16:32 75,776 ---ha-w C:\Documents and Settings\MANOJ\Application Data\rbqt450.DLL
2008-03-02 16:32 64,512 ---ha-w C:\Documents and Settings\MANOJ\Application Data\rbap450.dll
2008-03-02 16:32 56,832 ---ha-w C:\Documents and Settings\MANOJ\Application Data\rbmysql450.DLL
2008-03-02 16:32 50,688 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSWinPlugin.dll
2008-03-02 16:32 34,304 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSCalcPlugin.dll
2008-03-02 16:32 31,744 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSQTFileTransferPlugin.dll
2008-03-02 16:32 31,232 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSProcessPlugin.dll
2008-03-02 16:32 29,184 ---ha-w C:\Documents and Settings\MANOJ\Application Data\BoxControl.DLL
2008-03-02 16:32 26,624 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSUsernamePlugin.dll
2008-03-02 16:32 26,112 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSRegistrationPlugin.dll
2008-03-02 16:32 18,432 ---ha-w C:\Documents and Settings\MANOJ\Application Data\EHEncrypt.dll
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\SYSTEM32\ATIDEMGX.dll
2008-02-26 03:10 307,200 ----a-w C:\WINDOWS\SYSTEM32\atiiiexx.dll
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\SYSTEM32\ati2dvag.dll
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\SYSTEM32\atipdlxx.dll
2008-02-26 03:02 126,976 ----a-w C:\WINDOWS\SYSTEM32\Oemdspif.dll
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\SYSTEM32\ati2edxx.dll
2008-02-26 03:01 26,112 ----a-w C:\WINDOWS\SYSTEM32\Ati2mdxx.exe
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\SYSTEM32\ati2evxx.dll
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\SYSTEM32\ati2evxx.exe
2008-02-26 02:59 9,797,632 ----a-w C:\WINDOWS\SYSTEM32\atioglx2.dll
2008-02-26 02:58 53,248 ----a-w C:\WINDOWS\SYSTEM32\ATIDDC.DLL
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\SYSTEM32\ativvaxx.dll
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\SYSTEM32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\SYSTEM32\atikvmag.dll
2008-02-26 02:23 17,408 ----a-w C:\WINDOWS\SYSTEM32\atitvo32.dll
2008-02-26 02:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-02-26 02:21 5,439,488 ----a-w C:\WINDOWS\SYSTEM32\atioglxx.dll
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\SYSTEM32\atiok3x2.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\SYSTEM32\ati2cqag.dll
2008-02-26 01:05 593,920 ------w C:\WINDOWS\SYSTEM32\ati2sgag.exe
2007-10-31 05:27 510,320 ----a-w C:\Documents and Settings\MANOJ\Application Data\GDIPFONTCACHEV1.DAT
2007-10-20 19:26 510,320 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2007-03-16 21:32 24,935 ----a-w C:\Program Files\release_notes_en.html
2007-03-15 19:14 21,161,472 ----a-w C:\Program Files\kav6.en.msi
2006-08-20 18:33 1 -c--a-w C:\Documents and Settings\MANOJ\SI.bin
2005-09-24 06:04 784 ----a-w C:\Documents and Settings\MANOJ\Application Data\mpauth.dat
2007-04-22 02:34 1,372,110 --sha-w C:\WINDOWS\SYSTEM32\ijllm.bak1
2007-04-30 22:11 1,369,546 --sha-w C:\WINDOWS\SYSTEM32\ijllm.bak2
2007-05-01 21:35 1,374,764 --sha-w C:\WINDOWS\SYSTEM32\ijllm.ini2
2005-07-29 21:24 472 --sha-r C:\WINDOWS\TUFOT0o\noIinXC.vbs
.
<pre>
----a-w		   339,968 2007-12-31 13:58:44  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   133,016 2007-12-31 13:58:46  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		   221,184 2007-12-31 13:58:43  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		 4,960,294 2005-11-18 12:41:06  C:\web design\FlashTips\Riva FLV Player 2.0 .exe
</pre>


------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E5EE0B0-8961-403C-98F4-6B73D7BB3E65}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"QNPlus"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [ ]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 05:50 20992 C:\WINDOWS\LOGI_MWX.EXE]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57 133016]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768]
"VIPv3_Auto_Update"="" []
"Vistadrv"="" []
"DrvIcon"="C:\Program Files\Vista Drive Icon\DrvIcon.exe" [2007-07-04 15:59 45056]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49 98304]
"PestPatrolCL"="" []
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 15:11 148480]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\MANOJ\\Desktop\\StrongDC\\StrongDC.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\GlobalSCAPE\\CuteFTP Professional\\ftpte.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cc08f78-662c-11da-8b9b-0011118a7653}]
\Shell\AutoRun\command - F:\Autorun\UbiAutorun.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 23:24:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 23:31:30
ComboFix-quarantined-files.txt 2008-04-18 03:31:27
ComboFix2.txt 2008-04-17 04:54:01

Pre-Run: 571,551,744 bytes free
Post-Run: 540,643,328 bytes free
.
2008-03-03 20:01:29 --- E O F ---

#4 teacup61 (Malware Response Team)

Posted 17 April 2008 - 11:19 PM

Hello,

That's okay too. :thumbsup:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\SYSTEM32\ijllm.bak1
C:\WINDOWS\SYSTEM32\ijllm.bak2
C:\WINDOWS\SYSTEM32\ijllm.ini2
C:\WINDOWS\TUFOT0o\noIinXC.vbs

RenV::
----a-w 339,968 2007-12-31 13:58:44 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 133,016 2007-12-31 13:58:46 C:\Program Files\DAEMON Tools\daemon .exe
----a-w 221,184 2007-12-31 13:58:43 C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w 4,960,294 2005-11-18 12:41:06 C:\web design\FlashTips\Riva FLV Player 2.0 .exe


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. How is it running now, please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
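A small parser for the two ComboFix listings that the fix above is built from, added here as a worked example; it is not ComboFix's own code and not part of teacup61's post. It reads the renamed-executable block and a few Find3M lines, both copied from the first ComboFix log in this thread, flags the file names that carry a stray space before the extension, and writes a CFScript in the File::/RenV:: layout shown in the post. That the RenV:: lines put the original names back (daemon .exe to daemon.exe) is my reading of the listing, not something the page states, and the hidden+system filter is only a triage aid, because Kaspersky's fidbox.dat in the same report carries the same flags.

```python
import re

# Constructed sample: the four lines of the <pre> block in the first ComboFix
# log of this thread (executables whose names gained a space before ".exe").
PRE_BLOCK = (
    "----a-w\t\t   339,968 2007-12-31 13:58:44  C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx .exe\n"
    "----a-w\t\t   133,016 2007-12-31 13:58:46  C:\\Program Files\\DAEMON Tools\\daemon .exe\n"
    "----a-w\t\t   221,184 2007-12-31 13:58:43  C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM .exe\n"
    "----a-w\t\t 4,960,294 2005-11-18 12:41:06  C:\\web design\\FlashTips\\Riva FLV Player 2.0 .exe\n"
)

# Constructed sample: a handful of Find3M report lines from the same log.
FIND3M_BLOCK = (
    "2008-02-26 01:05 593,920 ------w C:\\WINDOWS\\SYSTEM32\\ati2sgag.exe\n"
    "2007-04-22 02:34 1,372,110 --sha-w C:\\WINDOWS\\SYSTEM32\\ijllm.bak1\n"
    "2007-05-01 21:35 1,374,764 --sha-w C:\\WINDOWS\\SYSTEM32\\ijllm.ini2\n"
    "2005-07-29 21:24 472 --sha-r C:\\WINDOWS\\TUFOT0o\\noIinXC.vbs\n"
    "2008-04-18 02:24 --------- d-----w C:\\Program Files\\PestPatrol\n"
)

# <pre> listing: attrs  size  date time  path
PRE_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# Find3M line: date time size attrs path (size is a run of dashes for a directory)
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)
# A name whose extension is preceded by a space, e.g. "daemon .exe".
SPACED_EXT_RE = re.compile(r" (\.[A-Za-z0-9]+)$")


def _size(text):
    """'1,372,110' -> 1372110; a run of dashes (directory entry) -> None."""
    return None if set(text) == {"-"} else int(text.replace(",", ""))


def _parse(text, pattern):
    records = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:  # skip headers, blank lines and the "." separators ComboFix prints
            records.append({**m.groupdict(), "size": _size(m["size"]), "raw": line})
    return records


def parse_pre_block(text):
    """Parse the <pre> listing of renamed executables."""
    return _parse(text, PRE_RE)


def parse_find3m(text):
    """Parse Find3M report lines."""
    return _parse(text, FIND3M_RE)


def is_spaced_name(path):
    """True for 'atiptaxx .exe'-style names, False for 'ati2sgag.exe'."""
    return SPACED_EXT_RE.search(path) is not None


def restored_name(path):
    """Drop the stray space: my reading of what the RenV:: lines put back."""
    return SPACED_EXT_RE.sub(r"\1", path)


def is_hidden_system(attrs):
    """Both the system ('s') and hidden ('h') flags set, as in '--sha-w'."""
    return "s" in attrs and "h" in attrs


def hidden_system_files(records):
    """Triage filter only: legitimate files (Kaspersky's fidbox.dat in the
    same report) carry the same flags, so the result is a list to review."""
    return [r["path"] for r in records
            if r["size"] is not None and is_hidden_system(r["attrs"])]


def build_cfscript(delete_paths, renv_records):
    """Emit a CFScript in the layout of the post above: File:: then RenV::.
    RenV:: lines are the listing lines with their whitespace collapsed,
    which is how they appear in the post."""
    lines = ["File::", *delete_paths, "", "RenV::"]
    lines += [" ".join(r["raw"].split()) for r in renv_records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    renamed = [r for r in parse_pre_block(PRE_BLOCK) if is_spaced_name(r["path"])]
    for r in renamed:
        print("rename:", r["path"], "->", restored_name(r["path"]))
    suspects = hidden_system_files(parse_find3m(FIND3M_BLOCK))
    print(build_cfscript(suspects, renamed))
```

The script prints the rename pairs and then the generated CFScript. The File:: list is whatever the hidden+system filter returned, which is why each path in it should be checked by eye against the full report rather than taken as a verdict.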

#5 jacksnake (Topic Starter)

Posted 17 April 2008 - 11:23 PM

Hello,

I cannot drag and drop; neither can I copy from Firefox to Notepad. Could you please suggest how to get around that?

Thank you.

P.S.: And I just noticed, the audio is gone too for the system.


#6 teacup61 (Malware Response Team)

Posted 17 April 2008 - 11:45 PM

That's part of the infection... look at the script and you'll see that the ATI sound is there. That's part of what we're trying to fix. :thumbsup: Did you try manual copy & paste? Ctrl+Alt+C to copy and Ctrl+Alt+V to paste.

#7 jacksnake (Topic Starter)

Posted 18 April 2008 - 12:23 AM

Ctrl+Alt+C was assigned to the ATI Control Panel on my machine, so I typed the text exactly into a Notepad file and named it CFScript.txt. Because I cannot drag and drop, I did the following: Start -> Run -> Cmd

In the command window:

cd Desktop
ComboFix.exe CFScript.exe

Here are the resulting log files: HJT first and then ComboFix. Thanks so much again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:35 AM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E5EE0B0-8961-403C-98F4-6B73D7BB3E65} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1997950503-1101888196-647582370-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1997950503-1101888196-647582370-1006\..\Run: [QNPlus] (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-1997950503-1101888196-647582370-1006 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-1997950503-1101888196-647582370-1006 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - S-1-5-21-1997950503-1101888196-647582370-1006 Startup: Registration Assassin's Creed.LNK = C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Registration Assassin's Creed.LNK = C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: DiaryOne: Save full text - C:\Program Files\DiaryOne\Script\fullcatcher.htm
O8 - Extra context menu item: DiaryOne: Save selected text - C:\Program Files\DiaryOne\Script\catcher.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/rit/support/plugins/ebraryRdr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124139609609
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124139662296
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Appz\appz a-q\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Informatica Repository Server (PmRepServer) - Unknown owner - C:\Program Files\Informatica PowerCenter 7.1.2\RepositoryServer\bin\pmrepserver.exe
O23 - Service: Informatica (Powermart) - Unknown owner - C:\Program Files\Informatica PowerCenter 7.1.2\Server\bin\pmserver.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 11770 bytes

-------------------------------------------------------------------COMBOFIX LOG STARTS NOW-------------------------------

ComboFix 08-04-16.5 - MANOJ 2008-04-18 1:01:19.6 - NTFSx86
Running from: C:\DOCUME~1\MANOJ\Desktop\ComboFix.exe
Command switches used :: CFScript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-17 23:07 . 2008-04-17 23:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-04-17 22:45 . 2008-04-17 22:48 <DIR> d-------- C:\I386
2008-04-17 22:43 . 2004-08-12 16:45 338,198 --a------ C:\HIVESFT.INF
2008-04-17 22:43 . 2004-08-12 10:11 388 --a------ C:\DriverLanguageMap.xml
2008-04-17 13:30 . 2008-04-17 13:30 <DIR> d-------- C:\Deckard
2008-04-17 11:20 . 2008-04-17 11:20 <DIR> d-------- C:\_OTMoveIt
2008-04-17 01:41 . 2008-04-17 01:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-17 01:41 . 2008-04-17 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 01:28 . 2008-04-17 01:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-17 01:28 . 2008-04-17 01:28 2,540 --a------ C:\WINDOWS\unins000.dat
2008-04-16 23:25 . 2008-04-16 23:26 1,737 --a------ C:\WINDOWS\SetupPestPatrolCorporate.mif
2008-04-16 01:25 . 2008-04-16 01:25 <DIR> d-------- C:\Temp\wdlw14
2008-04-13 16:22 . 2008-04-13 16:22 <DIR> d-------- C:\Documents and Settings\MANOJ\Application Data\Ubisoft
2008-04-13 16:20 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2008-04-13 16:20 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_6.dll
2008-04-13 16:20 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\SYSTEM32\xactengine2_5.dll
2008-04-10 21:11 . 2008-04-10 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Adobe
2008-04-10 20:59 . 2008-04-10 21:01 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-04-10 20:59 . 2008-04-10 20:59 <DIR> d--h----- C:\Documents and Settings\MANOJ\InstallAnywhere
2008-04-09 11:14 . 2008-04-15 00:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:14 . 2008-04-09 11:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-04 20:21 . 2008-04-04 20:21 11,355 --a------ C:\data_servicestorrent.torrent
2008-04-03 02:55 . 2008-04-03 10:42 <DIR> d-------- C:\Documents and Settings\MANOJ\workspace
2008-03-30 23:38 . 2008-03-30 23:41 29,222,080 --a------ C:\kas.rar
2008-03-30 19:19 . 2008-03-30 19:19 <DIR> d-------- C:\links
2008-03-30 19:05 . 2008-03-30 19:05 <DIR> d-------- C:\cryptload
2008-03-26 20:23 . 2008-03-26 20:23 110,592 --a------ C:\iperf.exe
2008-03-26 20:18 . 2008-03-26 20:18 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-03-26 20:18 . 2008-04-05 21:00 <DIR> d-------- C:\Documents and Settings\MANOJ\Application Data\FileZilla
2008-03-23 16:54 . 2008-03-23 16:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\AGEIA
2008-03-23 16:54 . 2008-03-23 16:54 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-03-23 16:53 . 2008-03-23 16:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 03:46 . 2008-03-23 03:46 13,099 --a------ C:\Chandamama (2007) - DVDRip - XviD - Mega.torrent
2008-03-20 18:50 . 2008-03-20 18:50 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-20 18:50 . 2005-10-20 21:47 30,592 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2008-03-20 18:50 . 2005-10-20 21:47 12,800 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2008-03-20 18:46 . 2005-06-14 18:13 104,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wceusbsh.sys
2008-03-19 21:47 . 2008-03-19 21:47 0 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-19 21:47 . 2008-03-19 21:47 0 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\Msft_Kernel_motmodem_01005.Wdf
2008-03-19 21:43 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\SYSTEM32\wdfcoinstaller01005.dll
2008-03-19 21:43 . 2006-12-14 00:39 40,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motodrv.sys
2008-03-19 21:43 . 2006-12-13 17:52 20,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motmodem.sys
2008-03-19 21:36 . 2008-03-19 21:36 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-03-19 21:35 . 2006-12-14 21:44 3,679,744 --a------ C:\Motorola_EU_Driver_Installation_v2.6.2.msi
2008-03-19 21:35 . 2008-03-19 21:34 3,584,106 --a------ C:\Handset_USB_Driver_32_v2.6.2.0.zip
2008-03-18 20:46 . 2008-03-18 20:47 7,601,266 --a------ C:\WhimsicalAnimals.rar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 04:00 --------- d-----w C:\Program Files\PestPatrol
2008-04-18 04:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 03:55 500,744 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-18 03:55 5,329,952 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-18 03:55 123,320,096 ---ha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-18 03:55 1,653,428 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-17 17:26 --------- d-----w C:\Program Files\Trend Micro
2008-04-17 06:28 --------- d-----w C:\Program Files\Trojan Remover
2008-04-17 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trojan Remover
2008-04-17 05:56 --------- d-----w C:\Documents and Settings\MANOJ\Application Data\ColorImpact3
2008-04-17 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 05:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-13 20:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 20:04 --------- d-----w C:\Program Files\Ubisoft
2008-04-13 19:45 --------- d-----w C:\Program Files\Winamp
2008-03-27 01:01 --------- d-----w C:\Program Files\Notepad++
2008-03-20 00:44 --------- d-----w C:\Documents and Settings\MANOJ\Application Data\Notepad++
2008-03-17 22:58 --------- d-----w C:\Documents and Settings\MANOJ\Application Data\dvdcss
2008-03-11 02:49 --------- d-----w C:\Documents and Settings\MANOJ\Application Data\ATI
2008-03-11 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-03-11 02:44 --------- d-----w C:\Program Files\ATI Technologies
2008-03-07 07:11 --------- d-----w C:\Program Files\TESTOUT
2008-03-07 06:04 --------- d-----w C:\Program Files\Ghostgum
2008-03-07 06:03 --------- d-----w C:\Program Files\gs
2008-03-07 05:52 --------- d-----w C:\Program Files\TeXnicCenter
2008-03-07 05:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\MiKTeX
2008-03-07 05:49 --------- d-----w C:\Program Files\MiKTeX 2.5
2008-03-07 03:42 --------- d-----w C:\Program Files\THQ
2008-03-07 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-02 16:32 75,776 ---ha-w C:\Documents and Settings\MANOJ\Application Data\rbqt450.DLL
2008-03-02 16:32 64,512 ---ha-w C:\Documents and Settings\MANOJ\Application Data\rbap450.dll
2008-03-02 16:32 56,832 ---ha-w C:\Documents and Settings\MANOJ\Application Data\rbmysql450.DLL
2008-03-02 16:32 50,688 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSWinPlugin.dll
2008-03-02 16:32 34,304 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSCalcPlugin.dll
2008-03-02 16:32 31,744 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSQTFileTransferPlugin.dll
2008-03-02 16:32 31,232 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSProcessPlugin.dll
2008-03-02 16:32 29,184 ---ha-w C:\Documents and Settings\MANOJ\Application Data\BoxControl.DLL
2008-03-02 16:32 26,624 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSUsernamePlugin.dll
2008-03-02 16:32 26,112 ---ha-w C:\Documents and Settings\MANOJ\Application Data\MBSRegistrationPlugin.dll
2008-03-02 16:32 18,432 ---ha-w C:\Documents and Settings\MANOJ\Application Data\EHEncrypt.dll
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\SYSTEM32\ATIDEMGX.dll
2008-02-26 03:10 307,200 ----a-w C:\WINDOWS\SYSTEM32\atiiiexx.dll
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\SYSTEM32\ati2dvag.dll
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\SYSTEM32\atipdlxx.dll
2008-02-26 03:02 126,976 ----a-w C:\WINDOWS\SYSTEM32\Oemdspif.dll
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\SYSTEM32\ati2edxx.dll
2008-02-26 03:01 26,112 ----a-w C:\WINDOWS\SYSTEM32\Ati2mdxx.exe
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\SYSTEM32\ati2evxx.dll
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\SYSTEM32\ati2evxx.exe
2008-02-26 02:59 9,797,632 ----a-w C:\WINDOWS\SYSTEM32\atioglx2.dll
2008-02-26 02:58 53,248 ----a-w C:\WINDOWS\SYSTEM32\ATIDDC.DLL
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\SYSTEM32\ativvaxx.dll
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\SYSTEM32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\SYSTEM32\atikvmag.dll
2008-02-26 02:23 17,408 ----a-w C:\WINDOWS\SYSTEM32\atitvo32.dll
2008-02-26 02:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-02-26 02:21 5,439,488 ----a-w C:\WINDOWS\SYSTEM32\atioglxx.dll
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\SYSTEM32\atiok3x2.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\SYSTEM32\ati2cqag.dll
2008-02-26 01:05 593,920 ------w C:\WINDOWS\SYSTEM32\ati2sgag.exe
2007-10-31 05:27 510,320 ----a-w C:\Documents and Settings\MANOJ\Application Data\GDIPFONTCACHEV1.DAT
2007-10-20 19:26 510,320 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2007-03-16 21:32 24,935 ----a-w C:\Program Files\release_notes_en.html
2007-03-15 19:14 21,161,472 ----a-w C:\Program Files\kav6.en.msi
2006-08-20 18:33 1 -c--a-w C:\Documents and Settings\MANOJ\SI.bin
2005-09-24 06:04 784 ----a-w C:\Documents and Settings\MANOJ\Application Data\mpauth.dat
2007-04-22 02:34 1,372,110 --sha-w C:\WINDOWS\SYSTEM32\ijllm.bak1
2007-04-30 22:11 1,369,546 --sha-w C:\WINDOWS\SYSTEM32\ijllm.bak2
2007-05-01 21:35 1,374,764 --sha-w C:\WINDOWS\SYSTEM32\ijllm.ini2
2005-07-29 21:24 472 --sha-r C:\WINDOWS\TUFOT0o\noIinXC.vbs
.
<pre>
----a-w		   339,968 2007-12-31 13:58:44  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   133,016 2007-12-31 13:58:46  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		   221,184 2007-12-31 13:58:43  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		 4,960,294 2005-11-18 12:41:06  C:\web design\FlashTips\Riva FLV Player 2.0 .exe
</pre>


------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E5EE0B0-8961-403C-98F4-6B73D7BB3E65}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"QNPlus"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [ ]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 05:50 20992 C:\WINDOWS\LOGI_MWX.EXE]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57 133016]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768]
"VIPv3_Auto_Update"="" []
"Vistadrv"="" []
"DrvIcon"="C:\Program Files\Vista Drive Icon\DrvIcon.exe" [2007-07-04 15:59 45056]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49 98304]
"PestPatrolCL"="" []
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 15:11 148480]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\MANOJ\\Desktop\\StrongDC\\StrongDC.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\GlobalSCAPE\\CuteFTP Professional\\ftpte.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cc08f78-662c-11da-8b9b-0011118a7653}]
\Shell\AutoRun\command - F:\Autorun\UbiAutorun.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 01:04:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-18 1:08:26
ComboFix-quarantined-files.txt 2008-04-18 05:08:03
ComboFix2.txt 2008-04-18 04:50:56
ComboFix3.txt 2008-04-18 03:31:31
ComboFix4.txt 2008-04-17 04:54:01

Pre-Run: 653,844,480 bytes free
Post-Run: 681,369,600 bytes free
.
2008-03-03 20:01:29 --- E O F ---

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 April 2008 - 12:40 AM

You went to great lengths, but it didn't work. :blink: I need for you to uninstall the ATI (it's infected anyway) and install it again. Then you should have the capabilities you need for us to finish. :thumbsup:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#9 jacksnake
  • Topic Starter

  • Members
  • 17 posts

Posted 18 April 2008 - 01:04 AM

I cannot uninstall/install most programs; I get an RPC unavailable error. The same came up when I was uninstalling the driver for ATI and installing the new video driver from the website. :thumbsup: Any suggestions?

Edited by jacksnake, 18 April 2008 - 01:07 AM.


#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 April 2008 - 01:47 AM

Try this:
Click Start>Run. Copy & paste the following and click OK: net start rpcss

See if you get the same error message now.

tea

#11 jacksnake
  • Topic Starter

  • Members
  • 17 posts

Posted 18 April 2008 - 01:49 AM

I get the following error message:

System error 1069 has occurred

The service did not start due to a log on failure

:thumbsup:

Any suggestions? Thanks,
- jack

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 April 2008 - 12:52 PM

Not out of ideas yet. :thumbsup:

Right-click on My Computer > choose Manage -> Services and Applications -> Services, then right-click Remote Procedure Call -> click Properties. The Remote Procedure Call properties window is now open; go to Recovery and you'll see: First failure, Second failure, Subsequent failures -> choose from the dropdown boxes: Restart the Service. Okay your way out and see... you might need a reboot.

tea
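As an added example (not from this thread, and not one of the tools the helpers used), here is the Recovery-tab setting from the reply above, together with the logon-account check that "System error 1069 ... log on failure" calls for, done from a cmd prompt instead of the GUI. It assumes the sc.exe that ships with Windows XP and that the service's registered name is RpcSs (display name "Remote Procedure Call (RPC)"); the expected logon account is stated as an assumption in the comments.

```batch
@echo off
rem Added example, not from this thread: inspect and repair the Remote
rem Procedure Call service on Windows XP from a cmd prompt.
rem Assumes: sc.exe as shipped with XP, and that the service's registered
rem name is RpcSs (display name "Remote Procedure Call (RPC)").
setlocal
set SVC=RpcSs

echo === 1. Current state of %SVC% ===
sc query %SVC%

echo === 2. Configuration: check START_TYPE and SERVICE_START_NAME ===
rem System error 1069 means the Service Control Manager could not log on the
rem account named in SERVICE_START_NAME. Assumption: on a stock XP SP2 install
rem that account is NT AUTHORITY\NetworkService. A different account, or an
rem unexpected BINARY_PATH_NAME, is worth investigating before trusting the
rem service binary it points at.
sc qc %SVC%

echo === 3. Recovery actions as currently configured ===
sc qfailure %SVC%

echo === 4. Recovery tab equivalent: restart on 1st, 2nd and subsequent failures ===
rem reset=   seconds of clean running before the failure count resets
rem actions= action/delay-in-milliseconds pairs for failures 1, 2 and 3+
sc failure %SVC% reset= 86400 actions= restart/60000/restart/60000/restart/60000

echo === 5. Restore the default logon account (only if step 2 showed a different one) ===
rem Remove the leading "rem" to apply; the change takes effect on the next start.
rem sc config %SVC% obj= "NT AUTHORITY\NetworkService"

echo === 6. Attempt to start the service (same as "net start rpcss" earlier in the thread) ===
net start %SVC%
endlocal
```

Run it from an account in the Administrators group. Compare the SERVICE_START_NAME line from step 2 against the expected account and only enable the sc config line in step 5 if it differs; if the service is already running, net start simply reports that and exits.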

#13 jacksnake
  • Topic Starter

  • Members
  • 17 posts

Posted 18 April 2008 - 01:08 PM

I'm back :D

The services screen is blank; there is a large blue square. That is for the Extended tab. The Standard tab lists all the services, but when I right-click on RPC and say Start, I get the same 1069 error; when I right-click and choose Properties, the properties window doesn't show up.

I took a screenshot and tried to save it from Paint; it said it could not register the document, so I am attaching a Word document with the screenshot; hope that's not a problem.

Thanks again for all your help!! :thumbsup:

Edited by jacksnake, 18 April 2008 - 01:16 PM.


#14 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 April 2008 - 02:34 PM

I'm calling in the cavalry on this one, so sit tight. I haven't forgotten you. :thumbsup:

tea

#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 April 2008 - 03:49 PM

Hi Jack,

Download this and run it for us, please sir: http://download.bleepingcomputer.com/sUBs/Beta/querySvc.exe

Please post the log it will give you. :thumbsup:

Thanks,
tea



