Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Popups And Other Infections


  • This topic is locked This topic is locked
12 replies to this topic

#1 djuice

djuice

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 26 April 2008 - 01:26 PM

I am running Windos Xp Pro with Service Pack 2 installed. I am getting Popups and my Desktop says "Warning Spyware has been detected on you pc" and "Your computer is working slowly in the right hand corner". My task manager is also disabled. I have 2 Kaspersky files, Deckard's system scanner, and I ran a new copy of hijackthis:



Thank you

Attached Files


Edited by djuice, 26 April 2008 - 02:16 PM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:59 PM

Posted 27 April 2008 - 09:33 AM

Hi,

Please do not attach your logs but copy and paste them in the thread instead.

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 27 April 2008 - 10:23 AM

Hi,

Sorry about posting the files that way. Here's the new ones:

Malwarebytes' Anti-Malware 1.11
Database version: 689

Scan type: Quick Scan
Objects scanned: 42516
Time elapsed: 11 minute(s), 37 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 4
Registry Keys Infected: 54
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 9
Files Infected: 86

Memory Processes Infected:
C:\WINDOWS\mrofinu72.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\QdrModule\QdrModule15.exe (Adware.ISM) -> Unloaded process successfully.
C:\Program Files\QdrPack\QdrPack15.exe (Adware.ISM) -> Unloaded process successfully.
C:\winself.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\urqnOFur.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\ouxtbggo.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Program Files\QdrDrive\QdrDrive15.dll (Adware.AdBand) -> Unloaded module successfully.
C:\WINDOWS\system32\awtrRKCu.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5950b7c5-ca7f-4a1e-951a-e263225d8054} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5950b7c5-ca7f-4a1e-951a-e263225d8054} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{543bd811-f148-4b3a-a0b9-177014555bf9} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f2f95d9-bafd-4769-85a2-4169957db67e} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{82ea1a55-9cbc-404b-9d0c-e8bfb7eaae9b} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d6b0c179-6343-442c-8175-9652e200cb55} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ofb11 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ofb11.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{90a52f08-64ac-4dc6-9d7d-4516670275d3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{90a52f08-64ac-4dc6-9d7d-4516670275d3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0eecb1ee-c306-4b6a-8331-e0babf7bacd7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0eecb1ee-c306-4b6a-8331-e0babf7bacd7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndBlock5.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtrrkcu (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QdrModule15 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QdrPack15 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqnofur -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqnofur



And hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:17 AM, on 04/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\COMMON~1\ICROSO~1\arpa.exe
C:\Program Files\??stem\r?ndll32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ruct] "C:\PROGRA~1\COMMON~1\ICROSO~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Gou] "C:\Program Files\??stem\r?ndll32.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - http://msx.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 10530 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:59 PM

Posted 27 April 2008 - 10:30 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 27 April 2008 - 10:59 AM

Here's the first log:

ComboFix 08-04-26.5 - Dave Miele 2008-04-27 11:41:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1605 [GMT -4:00]
Running from: C:\Documents and Settings\Dave Miele\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave Miele\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Dave Miele\Application Data\ICROSO~1.NET
C:\Documents and Settings\Dave Miele\Application Data\macromedia\Flash Player\#SharedObjects\ELKS2UX8\www.broadcaster.com
C:\Documents and Settings\Dave Miele\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Dave Miele\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\icroso~1\?icrosoft\
C:\Program Files\Common Files\icroso~1\arpa.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\stem~1
C:\Program Files\stem~1\r?ndll32.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\stem~1
C:\WINDOWS\system32\awtrRKCu.dll
C:\WINDOWS\system32\lmectpmv.ini
C:\WINDOWS\system32\MagicV2mEngine.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ouxtbggo.dll
C:\WINDOWS\system32\ruFOnqru.ini
C:\WINDOWS\system32\udynfnho.ini
C:\WINDOWS\system32\urqnOFur.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 10:53 . 2008-04-27 10:53 <DIR> d-------- C:\Documents and Settings\Dave Miele\Application Data\Malwarebytes
2008-04-27 10:52 . 2008-04-27 10:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 10:52 . 2008-04-27 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 07:34 . 2008-04-27 07:34 <DIR> d-------- C:\Program Files\RcvSystem
2008-04-26 14:10 . 2008-04-26 14:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 14:03 . 2008-04-26 14:03 <DIR> d-------- C:\Deckard
2008-04-26 13:23 . 2008-04-26 13:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-26 13:23 . 2008-04-26 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-26 12:20 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-26 12:20 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-26 12:20 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-26 12:20 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-04-26 12:20 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-26 12:20 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-26 09:53 . 2008-04-26 11:43 109,756 --a------ C:\WINDOWS\BM93e9d3f2.xml
2008-04-26 09:27 . 2008-04-26 09:27 10 --a------ C:\WINDOWS\wintst32.tmp
2008-04-26 07:16 . 2008-04-27 07:23 194 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-26 07:16 . 2008-04-27 10:47 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-26 07:16 . 2008-04-27 07:37 8 --------- C:\WINDOWS\megavid.cdt
2008-04-18 13:56 . 2008-04-18 13:57 <DIR> d-------- C:\Program Files\Burrrn
2008-04-13 09:11 . 2008-04-13 09:18 <DIR> d-------- C:\Documents and Settings\Dave Miele\Application Data\Vso
2008-04-13 09:11 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-04-13 09:11 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-04-13 09:11 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-04-13 09:11 . 2008-04-13 09:11 87,608 --a------ C:\Documents and Settings\Dave Miele\Application Data\inst.exe
2008-04-13 09:11 . 2008-04-13 09:11 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-13 09:11 . 2008-04-13 09:11 47,360 --a------ C:\Documents and Settings\Dave Miele\Application Data\pcouffin.sys
2008-04-10 14:30 . 2008-04-27 10:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 14:30 . 2008-04-10 14:30 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 15:43 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-27 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-13 13:11 --------- d-----w C:\Program Files\vso
2008-04-05 17:35 --------- d-----w C:\Program Files\Foxit Software
2008-04-02 18:30 --------- d-----w C:\Documents and Settings\Dave Miele\Application Data\ATI MMC
2008-04-02 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-03-30 13:05 --------- d-----w C:\Documents and Settings\Dave Miele\Application Data\Orbit
2008-03-02 15:35 --------- d-----w C:\Program Files\Orbitdownloader
2006-11-27 20:51 221,792 ----a-w C:\Documents and Settings\Dave Miele\Application Data\GDIPFONTCACHEV1.DAT
2003-09-12 13:34 905 ----a-w C:\Program Files\uninstal.log
2003-03-23 19:39 32 --sha-w C:\WINDOWS\{4E59D649-C639-4DBA-A302-BCC9C3AC2F29}.dat
2003-03-23 19:38 32 --sha-w C:\WINDOWS\{54DE80CD-9F89-4E3A-A32F-A59849E44FBE}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\{5FAC3EE0-EA30-423E-AF31-67C5C266F0AC}.dat
2003-03-23 19:41 32 --sha-w C:\WINDOWS\{9BE56361-3F17-4247-9230-CD2C2545FF1F}.dat
2003-03-23 19:40 32 --sha-w C:\WINDOWS\{C5362AC8-78D9-4DE0-815C-B46CB64C862F}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\{D243DE5F-E734-4A6B-B6B8-F186FC5AEEF3}.dat
2003-03-23 19:41 32 --sha-w C:\WINDOWS\{FC779116-983B-4978-9BA9-CBE4D2F56C50}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\system32\{1A38D2FB-5CF2-4653-94F6-1E6106EA9788}.dat
2003-03-23 19:38 32 --sha-w C:\WINDOWS\system32\{4FFC9B74-4274-455D-8457-E1A28E23D224}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\system32\{A65AE321-5CEA-4DBB-A37D-F27352C993DB}.dat
2003-03-23 19:41 32 --sha-w C:\WINDOWS\system32\{D01158D6-308B-4B6C-9F80-2BA19D3FD7BD}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\system32\{D47871A2-ED57-4FEE-A815-CD397BE0664B}.dat
2003-03-23 19:41 32 --sha-w C:\WINDOWS\system32\{D9ACE962-AA59-4A43-ADF6-47B728100B3A}.dat
2003-03-23 19:40 32 --sha-w C:\WINDOWS\system32\{DF15E8B6-B70A-4B85-82C5-9444C9DE29E3}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [2003-10-02 07:47 41034]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-06 13:24 68856]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"Ruct"="C:\PROGRA~1\COMMON~1\ICROSO~1\arpa.exe" [ ]
"Gou"="C:\Program Files\??stem\r?ndll32.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-08-15 00:46 46592 C:\WINDOWS\SOUNDMAN.EXE]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-11-08 03:50 106551]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10 339968]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 15:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-02 17:24 29744]
"Cmaudio"="cmicnfg.cpl" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14 188416]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-10 11:22 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-05-06 13:24:39 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\MP3POW~1\CLMP3Enc.ACM
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YU12"= ATIYUV12.DLL
"msacm.l3radius"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\90dae06e]
C:\WINDOWS\system32\edapkvdi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93e9d3f2]
C:\WINDOWS\system32\bihateig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ele]
C:\Documents and Settings\Dave Miele\Application Data\?icrosoft.NET\n?lookup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fbdirect]
--a------ 1998-11-17 20:10 227328 C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-08-20 15:57 221184 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-20 03:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
C:\Program Files\QdrModule\QdrModule12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
C:\Program Files\QdrPack\QdrPack12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-10 11:22 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ruct]
C:\PROGRA~1\COMMON~1\ICROSO~1\arpa.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"ATI Remote Control"=C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"PaperPort PTD"=c:\progra~1\vision~1\paperp~1\pptd40nt.exe
"PinnacleDriverCheck"=C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Kazaa Lite\\KazaaLite.kpp"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\bf1942.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=

R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 18:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-23 03:15]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
R3 pmxscan;Visioneer USB Service;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 01:58]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\System32\drivers\ASUSHWIO.sys []
S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cur_bus.sys [2003-12-11 02:05]
S3 cur_mdfl;Curitel Packet Service Filter;C:\WINDOWS\system32\DRIVERS\cur_mdfl.sys [2003-12-11 02:06]
S3 cur_mdm;Curitel Packet Service Drivers;C:\WINDOWS\system32\DRIVERS\cur_mdm.sys [2003-12-11 02:06]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cur_serd.sys [2003-12-11 02:07]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-02 17:24]
S4 Amsotet;Amsotet;C:\WINDOWS\System32\drivers\parvdm.sys [2001-08-23 12:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-04-07 00:54:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7600#MY39Q331WVK3.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7600#MY39Q331WVK3
"2008-04-04 19:55:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY42B220V2Q0.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7700#MY42B220V2Q0
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 11:47:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-04-27 11:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 15:52:36
ComboFix2.txt 2007-05-10 19:25:14

Pre-Run: 10,010,460,160 bytes free
Post-Run: 10,141,126,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

245 --- E O F --- 2008-04-12 12:46:59


And the second:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:57 AM, on 04/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ruct] "C:\PROGRA~1\COMMON~1\ICROSO~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Gou] "C:\Program Files\??stem\r?ndll32.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - http://msx.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 10561 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:59 PM

Posted 27 April 2008 - 11:12 AM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\BM93e9d3f2.xml
Folder::
C:\Program Files\RcvSystem
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ruct"=-
"Gou"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\90dae06e]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93e9d3f2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ele]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ruct]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 27 April 2008 - 11:33 AM

Here's the new combofix log:

ComboFix 08-04-26.5 - Dave Miele 2008-04-27 12:19:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1587 [GMT -4:00]
Running from: C:\Documents and Settings\Dave Miele\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave Miele\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM93e9d3f2.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dave Miele\Application Data\.rdr.ini
C:\Documents and Settings\Dave Miele\Application Data\inst.exe
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\WINDOWS\BM93e9d3f2.xml

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 10:53 . 2008-04-27 10:53 <DIR> d-------- C:\Documents and Settings\Dave Miele\Application Data\Malwarebytes
2008-04-27 10:52 . 2008-04-27 10:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 10:52 . 2008-04-27 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 14:10 . 2008-04-26 14:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 14:03 . 2008-04-26 14:03 <DIR> d-------- C:\Deckard
2008-04-26 13:23 . 2008-04-26 13:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-26 13:23 . 2008-04-26 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-26 12:20 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-26 12:20 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-26 12:20 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-26 12:20 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-04-26 12:20 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-26 12:20 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-26 09:27 . 2008-04-26 09:27 10 --a------ C:\WINDOWS\wintst32.tmp
2008-04-26 07:16 . 2008-04-27 07:23 194 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-26 07:16 . 2008-04-27 10:47 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-26 07:16 . 2008-04-27 07:37 8 --------- C:\WINDOWS\megavid.cdt
2008-04-18 13:56 . 2008-04-18 13:57 <DIR> d-------- C:\Program Files\Burrrn
2008-04-13 09:11 . 2008-04-13 09:18 <DIR> d-------- C:\Documents and Settings\Dave Miele\Application Data\Vso
2008-04-13 09:11 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-04-13 09:11 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-04-13 09:11 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-04-13 09:11 . 2008-04-13 09:11 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-13 09:11 . 2008-04-13 09:11 47,360 --a------ C:\Documents and Settings\Dave Miele\Application Data\pcouffin.sys
2008-04-10 14:30 . 2008-04-27 10:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 14:30 . 2008-04-10 14:30 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 16:18 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-27 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-26 16:45 2,372 ----a-w C:\WINDOWS\system32\tmp.reg
2008-04-13 13:11 --------- d-----w C:\Program Files\vso
2008-04-05 17:35 --------- d-----w C:\Program Files\Foxit Software
2008-04-02 18:30 --------- d-----w C:\Documents and Settings\Dave Miele\Application Data\ATI MMC
2008-04-02 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-03-30 13:05 --------- d-----w C:\Documents and Settings\Dave Miele\Application Data\Orbit
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-02 15:35 --------- d-----w C:\Program Files\Orbitdownloader
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-02 13:21 270,698 ----a-w C:\WINDOWS\system32\L97C3.tmp
2006-11-27 20:51 221,792 ----a-w C:\Documents and Settings\Dave Miele\Application Data\GDIPFONTCACHEV1.DAT
2003-09-12 13:34 905 ----a-w C:\Program Files\uninstal.log
1998-11-17 17:09 24,576 ----a-w C:\WINDOWS\inf\Vizpnpin.exe
1998-10-12 17:23 40,960 ----a-w C:\WINDOWS\inf\vizPnP\Vipersti.dll
1998-07-30 18:44 19,112 ----a-w C:\WINDOWS\inf\vizPnP\Pmxscan.sys
2003-03-23 19:39 32 --sha-w C:\WINDOWS\{4E59D649-C639-4DBA-A302-BCC9C3AC2F29}.dat
2003-03-23 19:38 32 --sha-w C:\WINDOWS\{54DE80CD-9F89-4E3A-A32F-A59849E44FBE}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\{5FAC3EE0-EA30-423E-AF31-67C5C266F0AC}.dat
2003-03-23 19:41 32 --sha-w C:\WINDOWS\{9BE56361-3F17-4247-9230-CD2C2545FF1F}.dat
2003-03-23 19:40 32 --sha-w C:\WINDOWS\{C5362AC8-78D9-4DE0-815C-B46CB64C862F}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\{D243DE5F-E734-4A6B-B6B8-F186FC5AEEF3}.dat
2003-03-23 19:41 32 --sha-w C:\WINDOWS\{FC779116-983B-4978-9BA9-CBE4D2F56C50}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\system32\{1A38D2FB-5CF2-4653-94F6-1E6106EA9788}.dat
2003-03-23 19:38 32 --sha-w C:\WINDOWS\system32\{4FFC9B74-4274-455D-8457-E1A28E23D224}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\system32\{A65AE321-5CEA-4DBB-A37D-F27352C993DB}.dat
2003-03-23 19:41 32 --sha-w C:\WINDOWS\system32\{D01158D6-308B-4B6C-9F80-2BA19D3FD7BD}.dat
2003-03-23 19:39 32 --sha-w C:\WINDOWS\system32\{D47871A2-ED57-4FEE-A815-CD397BE0664B}.dat
2003-03-23 19:41 32 --sha-w C:\WINDOWS\system32\{D9ACE962-AA59-4A43-ADF6-47B728100B3A}.dat
2003-03-23 19:40 32 --sha-w C:\WINDOWS\system32\{DF15E8B6-B70A-4B85-82C5-9444C9DE29E3}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [2003-10-02 07:47 41034]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-06 13:24 68856]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-08-15 00:46 46592 C:\WINDOWS\SOUNDMAN.EXE]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-11-08 03:50 106551]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10 339968]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 15:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-02 17:24 29744]
"Cmaudio"="cmicnfg.cpl" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14 188416]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-10 11:22 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-05-06 13:24:39 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\MP3POW~1\CLMP3Enc.ACM
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YU12"= ATIYUV12.DLL
"msacm.l3radius"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fbdirect]
--a------ 1998-11-17 20:10 227328 C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-08-20 15:57 221184 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-20 03:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-10 11:22 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"ATI Remote Control"=C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"PaperPort PTD"=c:\progra~1\vision~1\paperp~1\pptd40nt.exe
"PinnacleDriverCheck"=C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Kazaa Lite\\KazaaLite.kpp"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\bf1942.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=

R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 18:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-23 03:15]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
R3 pmxscan;Visioneer USB Service;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 01:58]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\System32\drivers\ASUSHWIO.sys []
S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cur_bus.sys [2003-12-11 02:05]
S3 cur_mdfl;Curitel Packet Service Filter;C:\WINDOWS\system32\DRIVERS\cur_mdfl.sys [2003-12-11 02:06]
S3 cur_mdm;Curitel Packet Service Drivers;C:\WINDOWS\system32\DRIVERS\cur_mdm.sys [2003-12-11 02:06]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cur_serd.sys [2003-12-11 02:07]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-02 17:24]
S4 Amsotet;Amsotet;C:\WINDOWS\System32\drivers\parvdm.sys [2001-08-23 12:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-04-07 00:54:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7600#MY39Q331WVK3.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7600#MY39Q331WVK3
"2008-04-04 19:55:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY42B220V2Q0.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7700#MY42B220V2Q0
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 12:20:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-04-27 12:21:17
ComboFix-quarantined-files.txt 2008-04-27 16:21:11
ComboFix2.txt 2008-04-27 15:52:44
ComboFix3.txt 2007-05-10 19:25:14

Pre-Run: 10,208,100,352 bytes free
Post-Run: 10,201,403,392 bytes free

202 --- E O F --- 2008-04-12 12:46:59

and the hijackthis log:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:24 PM, on 04/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - http://msx.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 10454 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:59 PM

Posted 27 April 2008 - 11:43 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 27 April 2008 - 12:53 PM

That did the trick, I will donate now to you for your help.

Thank you

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:59 PM

Posted 27 April 2008 - 12:56 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 27 April 2008 - 01:00 PM

Thank you

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:59 PM

Posted 27 April 2008 - 01:08 PM

You're most welcome and thanks for the donation - much appreciated :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:59 PM

Posted 28 April 2008 - 05:16 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users