Wintouch, Virtumonde And Others?


10 replies to this topic

#1 Spawn420

  • Members
  • 5 posts

Posted 30 April 2008 - 04:45 PM

Please check my logs out, anyone?
My browser keeps being reset to MSN when the default is Yahoo.
When it does that, if I try to go to a URL, the page won't load at all.
Massive CPU usage when I'm basically idle, etc.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:55 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Multimedia keyboard utility\KbdAp32A.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Vcsron\Vcsron.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Maurice\lsass.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {4884A3AF-52D1-43FB-BC0A-6B546B8C22ED} - (no file)
O2 - BHO: (no name) - {4C199356-86F8-45E6-A7CE-6304742A1BF1} - C:\WINDOWS\system32\efcYspol.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {70A141E7-6D76-4543-B6EB-E8135E576299} - C:\WINDOWS\system32\qoMdDwTn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - {9BF947A6-F544-D7E3-19E3-A78F75537D95} - (no file)
O2 - BHO: (no name) - {E1892FA6-BB3A-4AC7-8588-BFD9119441E3} - C:\WINDOWS\system32\vtUoLdbc.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\jkkJcCtS.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\KbdAp32A.exe
O4 - HKLM\..\Run: [TRIXX] "C:\Program Files\TRIXX\TRIXX.exe" -s
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Maurice\lsass.exe
O4 - HKLM\..\Run: [BM49d1e504] Rundll32.exe "C:\WINDOWS\system32\eljtnmxf.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4760] command /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC892] cmd /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8435] command /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7258] cmd /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA161] command /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5079] cmd /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2222] command /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8552] cmd /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9515] command /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4284] cmd /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA541] command /c del "C:\WINDOWS\system32\eljtnmxf.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC828] cmd /c del "C:\WINDOWS\system32\eljtnmxf.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8844] command /c del "C:\WINDOWS\system32\gwtcocvl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6422] cmd /c del "C:\WINDOWS\system32\gwtcocvl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2309] command /c del "C:\WINDOWS\system32\owanmaii.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7128] cmd /c del "C:\WINDOWS\system32\owanmaii.dll_old"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ANR] C:\Program Files\XemiComputers\Audio Notes Recorder\ANR.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [Tjrmwa] "C:\Program Files\a?sembly\n?tdde.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6623] command /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8105] cmd /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3804] command /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6948] cmd /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1544] command /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1933] cmd /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5277] command /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1619] cmd /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7297] command /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7805] cmd /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1849] command /c del "C:\WINDOWS\system32\eljtnmxf.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2781] cmd /c del "C:\WINDOWS\system32\eljtnmxf.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1233] command /c del "C:\WINDOWS\system32\gwtcocvl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5797] cmd /c del "C:\WINDOWS\system32\gwtcocvl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB842] command /c del "C:\WINDOWS\system32\owanmaii.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6249] cmd /c del "C:\WINDOWS\system32\owanmaii.dll_old"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{86ABE02A-E6B3-4E85-BD75-C9BC47683591}: NameServer = 71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E27B8DCD-A5B3-495E-8722-CBA005BA2C91}: NameServer = 71.242.0.12 71.250.0.12
O20 - Winlogon Notify: jkkJcCtS - C:\WINDOWS\SYSTEM32\jkkJcCtS.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 15040 bytes

#2 Starbuck

  • Malware Response Team
  • 4,146 posts
  • Location:Midlands, UK

Posted 01 May 2008 - 05:54 PM

Hi Spawn420 and welcome to Bleeping Computer.

I will be handling your log and helping you to get cleaned up.

Please take note of the following:

1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

You certainly have some issues going on here.
Let's get to work and sort them out for you.

Step 1
Please disable Spybot S&D's TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.

Reboot the computer.

Step 2
Download SDFix and save it to your desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
Step 3
Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

Please ensure that you install the Recovery Console.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouse-click ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

In your next reply, please submit:
SDFix Report
ComboFix.txt
and a new HJT log.

Thanks.



#3 Spawn420
  • Topic Starter

Posted 01 May 2008 - 07:13 PM

When I attempt to boot in Safe Mode, it pauses at the point where it's loading sptd.sys and just reboots my system. :thumbsup:

#4 Starbuck

  • Malware Response Team
  • 4,146 posts
  • Location:Midlands, UK

Posted 02 May 2008 - 06:21 PM

Hi Spawn420

This problem seems to be caused by either of these programs:
Alcohol 120
Daemon-Tools

I see you have both installed.

When you boot into Safe Mode do you receive a message "Press ESC to cancel loading of sptd.sys"?
If so.... please try this and see if you can get into 'Safe Mode'.



#5 Spawn420
  • Topic Starter

Posted 02 May 2008 - 07:34 PM

Hitting Escape only made the reboot faster. I've uninstalled both programs and I'll try again.


EDIT: Same result after uninstalling both. Escape or not, it still reboots. I believe the last file listed for the sptd message is somewhere along the lines of 30gx something, lol. I think it's an ATI driver file from what I've searched, but my drivers are fine I think. Please help!!

My browsers are so jacked up, I'm using the Ares in-program browser to reply. lol

Edited by Spawn420, 02 May 2008 - 08:04 PM.


#6 Starbuck

  • Malware Response Team
  • 4,146 posts
  • Location:Midlands, UK

Posted 03 May 2008 - 01:13 PM

Hi Spawn420

OK, let's forget about the sptd.sys problem for a minute and see if we can't sort some of this malware out for you.
We'll come back to the sptd.sys problem later.

Step 1
Please make sure that 'TeaTimer' is disabled as per previous instructions.

Step 2
Let's tidy up some of the log entries.
There will be more to do later.

Run HijackThis again, click Scan, and put a checkmark next to each of these items.
O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {4884A3AF-52D1-43FB-BC0A-6B546B8C22ED} - (no file)
O2 - BHO: (no name) - {4C199356-86F8-45E6-A7CE-6304742A1BF1} - C:\WINDOWS\system32\efcYspol.dll (file missing)
O2 - BHO: (no name) - {70A141E7-6D76-4543-B6EB-E8135E576299} - C:\WINDOWS\system32\qoMdDwTn.dll (file missing)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - {9BF947A6-F544-D7E3-19E3-A78F75537D95} - (no file)
O2 - BHO: (no name) - {E1892FA6-BB3A-4AC7-8588-BFD9119441E3} - C:\WINDOWS\system32\vtUoLdbc.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\jkkJcCtS.dll
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Maurice\lsass.exe
O4 - HKLM\..\Run: [BM49d1e504] Rundll32.exe "C:\WINDOWS\system32\eljtnmxf.dll",s
O4 - HKCU\..\Run: [Tjrmwa] "C:\Program Files\a?sembly\n?tdde.exe"
O20 - Winlogon Notify: jkkJcCtS - C:\WINDOWS\SYSTEM32\jkkJcCtS.dll

If these lines are still in your log, you can safely remove these as well.
O4 - HKLM\..\RunOnce: [SpybotDeletingA4760] command /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC892] cmd /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8435] command /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7258] cmd /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA161] command /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5079] cmd /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2222] command /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8552] cmd /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9515] command /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4284] cmd /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA541] command /c del "C:\WINDOWS\system32\eljtnmxf.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC828] cmd /c del "C:\WINDOWS\system32\eljtnmxf.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8844] command /c del "C:\WINDOWS\system32\gwtcocvl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6422] cmd /c del "C:\WINDOWS\system32\gwtcocvl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2309] command /c del "C:\WINDOWS\system32\owanmaii.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7128] cmd /c del "C:\WINDOWS\system32\owanmaii.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6623] command /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8105] cmd /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3804] command /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6948] cmd /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1544] command /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1933] cmd /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5277] command /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1619] cmd /c del "C:\WINDOWS\system32\ckrrhibh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7297] command /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7805] cmd /c del "C:\WINDOWS\system32\efcYspol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1849] command /c del "C:\WINDOWS\system32\eljtnmxf.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2781] cmd /c del "C:\WINDOWS\system32\eljtnmxf.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1233] command /c del "C:\WINDOWS\system32\gwtcocvl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5797] cmd /c del "C:\WINDOWS\system32\gwtcocvl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB842] command /c del "C:\WINDOWS\system32\owanmaii.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6249] cmd /c del "C:\WINDOWS\system32\owanmaii.dll_old"


Then close all other windows, browsers etc. (you should only see HijackThis on your Desktop) and click the Fix Checked button.

Step 3
If you got as far as installing ComboFix from the previous post.... please remove it.
A newer version is now available.
Then please follow the instructions in 'Step 3' of Post #2 to install and run ComboFix.

Step 4
I'd like to see an uninstall list:

Open HijackThis... click on Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save..... copy and paste the results in your next post.
More information, with a screenshot, can be found here.


In your next reply, please submit:
ComboFix.txt
Uninstall list
and a new HJT log.

Thanks.

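The triage the responder did by hand in post #6 (orphaned "(file missing)" add-ons, randomly named DLLs in system32, an lsass.exe running from a user profile, a Winlogon Notify hook, the Spybot RunOnce leftovers) can be written down as heuristics and run over a log before a human looks at it. The script below is an added example and is not code from HijackThis, Spybot, BleepingComputer or anyone in this thread. It runs over a handful of lines copied from the log in post #1; the allow-list of Winlogon Notify subkeys and the "8 random letters" rule are assumptions of the example, not facts the thread establishes. It produces candidates for review, not verdicts (a legitimate 8-letter DLL such as browseui.dll would also trip the name rule).

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; not code from HijackThis, Spybot or
anyone posting here. Each rule is one of the reasons the responder
gave in post #6 for ticking an entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A handful of lines copied from the HJT log in post #1 (sample input).
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: (no name) - {4C199356-86F8-45E6-A7CE-6304742A1BF1} - C:\WINDOWS\system32\efcYspol.dll (file missing)
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\jkkJcCtS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Maurice\lsass.exe
O4 - HKLM\..\Run: [BM49d1e504] Rundll32.exe "C:\WINDOWS\system32\eljtnmxf.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA4760] command /c del "C:\Program Files\Mozilla Firefox\components\ffwt.dll_old"
O4 - HKCU\..\Run: [Tjrmwa] "C:\Program Files\a?sembly\n?tdde.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: jkkJcCtS - C:\WINDOWS\SYSTEM32\jkkJcCtS.dll
"""

# Core Windows binaries that only ever run from %SystemRoot%\system32.
SYSTEM_BINARIES = {"lsass.exe", "services.exe", "smss.exe", "csrss.exe",
                   "winlogon.exe", "svchost.exe", "explorer.exe"}

# Winlogon Notify subkeys present on a stock XP box or common vendor drivers.
# Assumption of this example: a minimal allow-list, extend per environment.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "atiextevent",
                "igfxcui", "wgalogon", "nwprovau"}

SECTION_RE = re.compile(r"^(?P<sec>[RFON]\d{1,2}) - (?P<rest>.*)$")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:dll|exe|sys))"?', re.IGNORECASE)
# Vundo/Virtumonde droppers of this era used 8 random letters for their DLLs.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) this single HJT line deserves attention."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return []
    sec, rest = m.group("sec"), m.group("rest")
    reasons: list[str] = []

    # 1. Registry entry whose file is gone: debris left by an earlier cleaner.
    if "(file missing)" in rest or "(no file)" in rest:
        reasons.append("orphaned entry (file missing)")

    # 2. Spybot's RunOnce "del" commands are self-cleaning leftovers.
    if sec == "O4" and "RunOnce" in rest and "SpybotDeleting" in rest:
        reasons.append("Spybot cleanup leftover, safe to remove")

    # 3. HJT prints '?' for characters it cannot render; the log's
    #    'a?sembly\n?tdde.exe' imitates a legitimate-looking folder name.
    if "?" in rest and "http" not in rest.lower():
        reasons.append("unprintable character in path (look-alike name)")

    pm = PATH_RE.search(rest)
    if pm:
        path = pm.group("path")
        parent, name = path.rsplit("\\", 1)
        parent = parent.lower()
        stem = name.rsplit(".", 1)[0]

        # 4. Random 8-letter DLL names in system32: the classic Vundo pattern.
        if parent.endswith("system32") and name.lower().endswith(".dll") \
                and RANDOM_STEM_RE.match(stem):
            reasons.append("random 8-letter DLL name in system32 (Vundo-style)")

        # 5. lsass.exe / services.exe outside system32 is never legitimate.
        if name.lower() in SYSTEM_BINARIES and not parent.endswith("\\system32"):
            reasons.append(f"system binary name '{name}' outside system32")

    # 6. Winlogon Notify DLLs load into winlogon.exe at every logon.
    if sec == "O20" and rest.startswith("Winlogon Notify:"):
        key = rest.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if key not in KNOWN_NOTIFY:
            reasons.append("unknown Winlogon Notify hook")

    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every line; one Finding per (line, reason)."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for reason in triage_line(line):
            findings.append(Finding(SECTION_RE.match(line).group("sec"), line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<50} {f.line[:70]}")
```

Every rule maps to a sentence an analyst would write in a reply, so the output stays explainable to the person whose machine it is; the lines that trip nothing (Yahoo Toolbar, the Java SSV helper, Windows Defender, ctfmon) are the ones the responder also left alone.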


#7 Spawn420
  • Topic Starter

Posted 03 May 2008 - 10:12 PM

Can I get the link to the new ComboFix? Can't find it. Sorry for the late reply, haven't been home.

#8 Starbuck

  • Malware Response Team
  • 4,146 posts
  • Location:Midlands, UK

Posted 04 May 2008 - 02:50 AM

Hi Spawn420

Sorry, I should have explained that when ComboFix is updated, the download link will always be the same.

There are full instructions on how to download and run ComboFix here:
How to use ComboFix

Just click this link and follow the instructions.



#9 Spawn420
  • Topic Starter

Posted 04 May 2008 - 08:03 PM

ComboFix Log

ComboFix 08-05-01.3 - Maurice 2008-05-04 20:26:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.979 [GMT -4:00]
Running from: C:\Documents and Settings\Maurice\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Maurice\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Maurice\Application Data\macromedia\Flash Player\#SharedObjects\TVJTEW4S\www.broadcaster.com
C:\Documents and Settings\Maurice\Application Data\macromedia\Flash Player\#SharedObjects\TVJTEW4S\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Maurice\Application Data\macromedia\Flash Player\#SharedObjects\TVJTEW4S\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Maurice\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Maurice\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\asembl~1
C:\Program Files\CPV
C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\Temporary
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acLUCJlm.ini
C:\WINDOWS\system32\acLUCJlm.ini2
C:\WINDOWS\system32\BLlSAyxx.ini
C:\WINDOWS\system32\BLlSAyxx.ini2
C:\WINDOWS\system32\cbdLoUtv.ini
C:\WINDOWS\system32\cbdLoUtv.ini2
C:\WINDOWS\system32\fublnoqp.dll
C:\WINDOWS\system32\ieaqrjhv.ini
C:\WINDOWS\system32\iiamnawo.ini
C:\WINDOWS\system32\jkkJcCtS.dll
C:\WINDOWS\system32\lopsYcfe.ini
C:\WINDOWS\system32\lopsYcfe.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nidvrwel.ini
C:\WINDOWS\system32\nTwDdMoq.ini
C:\WINDOWS\system32\nTwDdMoq.ini2
C:\WINDOWS\system32\pqonlbuf.ini
C:\WINDOWS\system32\tcbnqvqv.ini
C:\WINDOWS\system32\udtlgbgk.dll
C:\WINDOWS\system32\xajltgpl.dll
C:\WINDOWS\system32\xxyASlLB.dll
C:\WINDOWS\system32\yaofcfca.ini
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\tsks~1

----- BITS: Possible infected sites -----

hxxp://images.knowledgeadventure.com
.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-03 22:28 . 2008-05-03 22:28 60 --a------ C:\WINDOWS\ka.ini
2008-05-03 22:24 . 2008-05-03 22:25 <DIR> d-------- C:\Program Files\JumpStart World
2008-05-03 22:24 . 2008-05-03 22:24 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2008-05-03 22:22 . 2008-05-03 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2008-05-02 20:25 . 2008-05-02 20:25 105,536 --a------ C:\WINDOWS\system32\utvggcrk.dll_old
2008-05-02 00:18 . 2008-05-02 00:18 <DIR> d-------- C:\VundoFix Backups
2008-05-01 19:49 . 2008-04-29 05:11 <DIR> d-------- C:\SDFix
2008-04-30 17:30 . 2008-04-30 17:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 18:37 . 2008-04-28 18:37 <DIR> d-------- C:\Program Files\Vcsron
2008-04-26 21:48 . 2008-04-26 21:48 674,600 --a------ C:\WINDOWS\system32\pbsvc[1].exe
2008-04-26 21:06 . 2008-04-27 11:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-26 15:19 . 2008-04-26 15:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-26 13:22 . 2008-04-26 13:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-26 00:20 . 2008-04-26 00:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-26 00:20 . 2008-04-26 00:20 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-26 00:20 . 2008-04-26 00:20 2,552 --a------ C:\WINDOWS\unins000.dat
2008-04-26 00:13 . 2008-04-30 15:21 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-25 23:56 . 2008-04-25 23:56 22 --a------ C:\WINDOWS\b104.exe.bin
2008-04-25 23:41 . 2008-04-25 23:44 <DIR> d-------- C:\Program Files\Inet_Get_2
2008-04-25 16:37 . 2008-05-04 19:16 109,756 --a------ C:\WINDOWS\BM49d1e504.xml
2008-04-25 15:34 . 2008-04-30 14:59 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-04-24 23:04 . 2008-04-24 23:04 27,136 --a------ C:\Documents and Settings\Maurice\services.exe
2008-04-22 18:29 . 2008-04-22 18:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-14 18:37 . 2008-04-14 21:01 <DIR> d-------- C:\Program Files\Guild Wars
2008-04-11 15:32 . 2008-04-11 16:10 <DIR> d-------- C:\Program Files\iCall
2008-04-11 10:48 . 2008-04-11 07:48 11,264 --a------ C:\WINDOWS\b138.exe
2008-04-09 20:19 . 2008-04-24 22:34 <DIR> d-------- C:\Downloads
2008-04-08 23:48 . 2008-04-08 23:48 <DIR> d-------- C:\Program Files\Codemasters
2008-04-07 23:55 . 2008-04-07 23:58 <DIR> d-------- C:\FSXTMP
2008-04-07 22:43 . 2008-04-07 22:43 206 --a------ C:\Delme.bat
2008-04-06 10:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-06 10:07 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-06 10:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-05 14:12 . 2008-04-05 14:40 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-05 14:11 . 2008-04-06 10:04 <DIR> d-------- C:\Documents and Settings\Maurice\Contacts
2008-04-05 14:06 . 2008-04-05 14:10 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 14:06 . 2008-04-05 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 04:56 --------- d-----w C:\Program Files\LogMeIn
2008-05-03 00:32 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-03 00:04 --------- d-----w C:\Program Files\Java
2008-05-02 23:57 --------- d-s---w C:\Program Files\Xfire
2008-05-01 01:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-30 18:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 02:19 --------- d-----w C:\Program Files\BearShare
2008-04-28 22:51 --------- d-----w C:\Program Files\LastChaosUSA
2008-04-28 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-04-28 22:45 --------- d-----w C:\Program Files\SatelliteTVforPC
2008-04-28 22:39 --------- d-----w C:\Program Files\BearShare3
2008-04-28 22:36 --------- d-----w C:\Program Files\XLink Kai Evolution VII
2008-04-28 22:29 --------- d-----w C:\Documents and Settings\Maurice\Application Data\Xfire
2008-04-27 18:12 68,528 ----a-w C:\Documents and Settings\Maurice\Application Data\GDIPFONTCACHEV1.DAT
2008-04-27 04:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-27 01:49 22,328 ----a-w C:\Documents and Settings\Maurice\Application Data\PnkBstrK.sys
2008-04-27 01:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-26 16:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 16:23 --------- d-----w C:\Program Files\MegaSoundRecorder
2008-04-26 15:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-26 04:16 --------- d-----w C:\Program Files\Azureus
2008-04-26 04:15 --------- d-----w C:\Documents and Settings\Maurice\Application Data\ndxCards
2008-04-26 04:14 --------- d-----w C:\Program Files\IKEA HomePlanner
2008-04-26 04:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 04:13 --------- d-----w C:\Program Files\Yahoo!
2008-04-26 04:13 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-26 04:07 --------- d-----w C:\Program Files\Internet Download Manager
2008-04-05 01:53 --------- d-----w C:\Program Files\America's Army
2008-04-03 00:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2008-04-02 20:45 --------- d-----w C:\Documents and Settings\Maurice\Application Data\MegauploadToolbar
2008-04-02 20:39 --------- d-----w C:\Program Files\Electronic Arts
2008-04-01 23:30 241,664 ----a-w C:\Documents and Settings\Maurice\msipl.bin
2008-03-19 02:37 32,768 ----a-w C:\Documents and Settings\Maurice\mspformat.exe
2008-03-19 02:37 32,768 ----a-w C:\Documents and Settings\Maurice\msinst.exe
2008-03-16 21:42 --------- d-----w C:\Program Files\iTunes
2008-03-16 21:42 --------- d-----w C:\Program Files\iPod
2008-03-16 21:40 --------- d-----w C:\Program Files\QuickTime
2008-03-06 22:02 --------- d-----w C:\Program Files\Lexmark 1200 Series
2008-03-06 04:25 --------- d-----w C:\Program Files\PiMPWare
2008-03-06 00:36 --------- d-----w C:\Program Files\Orb Networks
2007-11-16 05:21 94,208 ----a-w C:\Documents and Settings\Maurice\Application Data\ezplay.sys
2007-11-16 05:21 87,608 ----a-w C:\Documents and Settings\Maurice\Application Data\inst.exe
2007-11-16 05:21 47,360 ----a-w C:\Documents and Settings\Maurice\Application Data\pcouffin.sys
2007-10-31 19:09 1,105,920 ----a-w C:\Documents and Settings\Maurice\iTunesMobileDevice.dll
2007-07-12 05:16 67,360 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2007-08-09 18:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C199356-86F8-45E6-A7CE-6304742A1BF1}]
C:\WINDOWS\system32\efcYspol.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84BD0F3-5195-4FCF-982D-F75DA0CECCDA}]
C:\WINDOWS\system32\mlJCULca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1892FA6-BB3A-4AC7-8588-BFD9119441E3}]
C:\WINDOWS\system32\vtUoLdbc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"ANR"="C:\Program Files\XemiComputers\Audio Notes Recorder\ANR.exe" [ ]
"Tjrmwa"="C:\Program Files\a?sembly\n?tdde.exe" [ ]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 05:04 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"FLMK08KB"="C:\Program Files\Multimedia keyboard utility\KbdAp32A.exe" [2007-06-10 17:38 386560]
"TRIXX"="C:\Program Files\TRIXX\TRIXX.exe" [2005-08-16 07:18 9576448]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49 155648]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 14:22 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-24 16:54:53 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkJcCtS]
jkkJcCtS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-21 19:06 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2003-08-25 10:25 139264 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 22:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.l3acm"= l3codecp.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
--a------ 2002-07-12 18:15 106496 C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2003-12-19 17:53 65024 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\iCall\\iCall.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2006-01-12 12:56]
R1 TRIXX;TRIXX;C:\Program Files\TRIXX\TRIXXDriver.sys [2005-08-16 07:17]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-04-17 14:00]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2007-05-11 01:12]
S3 Prnsubi2;Prnsubi2;C:\WINDOWS\system32\logman.exe [2004-08-04 08:00]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02a2a7d9-291a-11dc-a207-00016ca5b01a}]
\Shell\Auto\command - N:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{712d99ae-ec96-11db-9f1f-b772ab82bdfc}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 19:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-05 00:41:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 20:41:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-05-04 20:55:19 - machine was rebooted [Maurice]
ComboFix-quarantined-files.txt 2008-05-05 00:55:15

Pre-Run: 14,885,605,376 bytes free
Post-Run: 22,063,517,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

296 --- E O F --- 2008-05-04 22:23:44

==============================================================================

UNINSTALL LIST

7-Zip 4.42
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop CS
Adobe Shockwave Player
Ahead Nero Burning ROM
AIM 6
AlmightyButton Software - AudioRoom CD Recorder
America's Army
Apple Mobile Device Support
Apple Software Update
Archlord
Ares 2.0.9
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AviSynth 2.5
Battlefield 2™
Battlefield 2: Special Forces
Battlefield 2142
BF2142Pro 1.1
CA Yahoo! Anti-Spy (remove only)
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.4 Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
Collab
Command & Conquer The First Decade
Data Lifeguard Tools
DataArt NETChart for ASP.NET, Framework 2.0
DesktopX
DivX 4.12 Codec
DivX Web Player
DVD Flick
EA Download Manager
EA SPORTS online 2008
FE Convert Drop
ffdshow [rev 1324] [2007-07-01]
Final Fantasy VII XP Patch
FL Studio 5
FL Studio 6
FL Studio 7
Flash CD & DVD Burner
Google Earth
GTA San Andreas
GTASA-Ultimate Editor
Guild Wars
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ID B1B Lancer
ID B1B Lancer Texture Addons
iCall
IconPackager
iDump Build: 22
IL Download Manager
Instant CD & DVD Burner
Intel A/V Codecs V2.0
iPodRip
iTunes
iTunes Art Importer
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6
Java™ SE Runtime Environment 6 Update 1
JS World Kindergarten
JSWorldKGMain
JSWPFCom
JSWPFGradeK
Lexmark 1200 Series
Lexmark 4200 Series
Lexmark Skin: Helix
Lexmark Skin: Machine1
Lexmark Skin: Nature TV1
Lexmark Skin: Snakeskin
LogMeIn
Megaupload Toolbar
MGTEK dopisp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator X
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 2002
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.14)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Multimedia keyboard utility
Nimo Codecs Pack v4.33 (Remove Only)
PiMPStreamer
PSP Video 9 2.24
PSP Video Express(remove only)
PunkBuster Services
QuickTime
RCT3 Soaked
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Rising Conflicts
RollerCoaster Tycoon 3
RPG Maker 2000 - Super Columbine Massacre RPG!
San Andreas Mod Installer
Sapphire TRIXX
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
SmartStartup
Sony ACID Pro 5.0
Sony ACID Pro 6.0
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
TeamSpeak 2 RC2
Test Drive Unlimited
The Playa
Total Commander (Remove or Repair)
TouchCopy
TVersity Codec Pack 1.1
UltraISO Premium V8.65
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Ventrilo Client
VideoLAN VLC media player 0.8.6c
Videora iPod Converter 3.04
Viewpoint Media Player
WindowBlinds
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinSCP 4.0.4
Xbox 360 Desktop
Xfire (remove only)
Yahoo! Browser Services
Yahoo! IE Search Suggest
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar

==============================================================================

Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:34 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Multimedia keyboard utility\KbdAp32A.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {4C199356-86F8-45E6-A7CE-6304742A1BF1} - C:\WINDOWS\system32\efcYspol.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C84BD0F3-5195-4FCF-982D-F75DA0CECCDA} - C:\WINDOWS\system32\mlJCULca.dll (file missing)
O2 - BHO: (no name) - {E1892FA6-BB3A-4AC7-8588-BFD9119441E3} - C:\WINDOWS\system32\vtUoLdbc.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\KbdAp32A.exe
O4 - HKLM\..\Run: [TRIXX] "C:\Program Files\TRIXX\TRIXX.exe" -s
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ANR] C:\Program Files\XemiComputers\Audio Notes Recorder\ANR.exe
O4 - HKCU\..\Run: [Tjrmwa] "C:\Program Files\a?sembly\n?tdde.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{86ABE02A-E6B3-4E85-BD75-C9BC47683591}: NameServer = 71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E27B8DCD-A5B3-495E-8722-CBA005BA2C91}: NameServer = 71.242.0.12 71.250.0.12
O20 - Winlogon Notify: jkkJcCtS - jkkJcCtS.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10203 bytes
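The O17 (DNS NameServer), O20 (Winlogon Notify) and O23 (Service) entries above are the lines a helper reads first: an unexpected resolver, an orphaned Winlogon Notify key with a random-looking name, or a service whose binary has no publisher or is gone. As an added example that is not part of this thread or of HijackThis, the Python below applies that first-pass triage to constructed lines modelled on the log. The expected-resolver set, the Winlogon Notify allowlist and the 203.0.113.53 test address are assumptions to adjust per machine.

```python
"""Triage the O17 / O20 / O23 sections of a HijackThis log.

Added example: a first-pass filter of the kind a helper applies by eye.
It flags entries worth a closer look; it does not remove anything.
"""
import re

# Constructed sample lines modelled on the log above (not the poster's full log).
# The third O17 line uses a TEST-NET-3 address to show what an unexpected resolver looks like.
SAMPLE_HJT_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{86ABE02A-E6B3-4E85-BD75-C9BC47683591}: NameServer = 71.250.0.12",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{E27B8DCD-A5B3-495E-8722-CBA005BA2C91}: NameServer = 71.242.0.12 71.250.0.12",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53",
    r"O20 - Winlogon Notify: jkkJcCtS - jkkJcCtS.dll (file missing)",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",
    r"O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
    r"O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)",
]

# Assumption: resolvers the machine owner expects (the ISP servers already in the log).
EXPECTED_NAMESERVERS = {"71.250.0.12", "71.242.0.12"}

# Assumption: Winlogon Notify entries that ship with Windows XP SP2; extend with
# known vendor entries (e.g. igfxcui, AtiExtEvent) for the machine in question.
KNOWN_NOTIFY_ENTRIES = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

O17_RE = re.compile(r"^O17 - .*: NameServer = (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def triage_hjt(lines, expected_nameservers=EXPECTED_NAMESERVERS,
               known_notify=KNOWN_NOTIFY_ENTRIES):
    """Return (section, reason, subject) tuples for entries that need a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O17_RE.match(line):
            # A DNS changer swaps the resolver so every lookup can be redirected;
            # compare each listed server against what the owner expects.
            for server in m.group(1).split():
                if server not in expected_nameservers:
                    findings.append(("O17", "unexpected DNS server", server))
        elif m := O20_RE.match(line):
            name, target = m.groups()
            # Winlogon Notify DLLs load into winlogon.exe at logon. An entry that is not
            # a known default, or whose DLL is gone while the key remains, is a leftover.
            reasons = []
            if name not in known_notify:
                reasons.append("not a known Winlogon Notify entry")
            if "(file missing)" in target:
                reasons.append("DLL missing, orphaned registry key")
            if reasons:
                findings.append(("O20", "; ".join(reasons), name))
        elif m := O23_RE.match(line):
            name, owner, path = m.groups()
            # "Unknown owner" means HijackThis found no company name in the binary's
            # version info: not proof of malice, but worth matching to a known product.
            if "(file missing)" in path:
                findings.append(("O23", "service registered but binary missing", name))
            elif owner == "Unknown owner":
                findings.append(("O23", "no publisher in version info", name))
    return findings


if __name__ == "__main__":
    for section, reason, subject in triage_hjt(SAMPLE_HJT_LINES):
        print(f"{section}: {subject}: {reason}")
```

Run against the sample, the pass flags the test resolver, the orphaned jkkJcCtS notify key, PnkBstrA (no publisher) and the missing Panda service binary, while the ISP resolvers, crypt32chain and LogMeIn pass through quietly.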

#10 Starbuck

Malware Response Team, Midlands, UK

Posted 05 May 2008 - 11:14 AM

Hi Spawn420

Step 1
There are a lot of missing files showing in the report for 'Panda Security'.
Plus I can't see it in your uninstall list.... have you removed it?
Without this, you have NO anti-virus program running!
Please reinstall this program, or if you prefer a different anti-virus protector, I can recommend these 'free' programs.

Step 2
Close any open browsers.
Close/disable all anti-virus, firewall and anti-malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
File::
C:\WINDOWS\system32\utvggcrk.dll_old
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\b138.exe
C:\WINDOWS\system32\efcYspol.dll
C:\WINDOWS\system32\mlJCULca.dll
C:\WINDOWS\system32\vtUoLdbc.dll

Folder::
C:\Program Files\Inet_Get_2
C:\VundoFix Backups
C:\Program Files\a?sembly
C:\Program Files\Svconr
C:\Program Files\Vcsron

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C199356-86F8-45E6-A7CE-6304742A1BF1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84BD0F3-5195-4FCF-982D-F75DA0CECCDA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1892FA6-BB3A-4AC7-8588-BFD9119441E3}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tjrmwa"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svconr"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkJcCtS]
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon.

Now please wait for ComboFix to finish running.

Please note: do not mouse-click in the ComboFix window while it is running - this may cause your system to hang/crash.

Step 3
Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
Step 4
You have a couple of files on your system that I would like you to check out for me please:

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

C:\Documents and Settings\Maurice\services.exe
When finished, please do the same for this file:
C:\WINDOWS\BM49d1e504.xml

Please post back the results of both scans in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Step 5
Please navigate to this batch file:
C:\Delme.bat
Now open the file and copy/paste the contents back here.

Step 6
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under 'Select a target to scan', select My Computer
  • This program will now start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please submit:
New ComboFix.txt
Jotti scan results
Contents of the batch file
Kaspersky scan results
and a new HJT log

Thanks.

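The CFScript in Step 2 is a small declarative format: a File:: list and a Folder:: list of paths to delete, and a Registry:: block that follows .reg-file semantics ([-Key] deletes a key, [Key] selects a key, "Name"=- deletes a value under the selected key). Reading it as data before dropping it on ComboFix lets you review exactly what will be removed. The Python below is an added example, not part of the thread or of ComboFix; the sample script is constructed from the one above, and the expansion of ComboFix's "~" shorthand to the Explorer key is an assumption to check against your ComboFix version.

```python
"""Parse a ComboFix CFScript (File::/Folder::/Registry:: sections) into an action plan.

Added example: turns the script into a reviewable list of deletions. It does not
touch the filesystem or the registry.
"""
import re

# Constructed sample modelled on the script in the post above; not the original file.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\efcYspol.dll
C:\WINDOWS\b138.exe

Folder::
C:\Program Files\Svconr

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C199356-86F8-45E6-A7CE-6304742A1BF1}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svconr"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkJcCtS]
"""

# Assumption: ComboFix expands the "~" shorthand to the Explorer key; adjust if yours differs.
TILDE_EXPANSION = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

SECTION_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Return {'files': [...], 'folders': [...], 'registry': [actions]}.

    Registry actions follow .reg semantics: [-Key] deletes a key, [Key] selects
    (and creates) a key, "Name"=- deletes a value, "Name"=data sets one.
    """
    plan = {"files": [], "folders": [], "registry": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            plan["files"].append(line)
        elif section == "folder":
            plan["folders"].append(line)
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                key = m.group(2).replace("\\~\\", "\\" + TILDE_EXPANSION + "\\")
                if m.group(1) == "-":
                    current_key = None
                    plan["registry"].append({"action": "delete_key", "key": key})
                else:
                    current_key = key
                    plan["registry"].append({"action": "select_key", "key": key})
                continue
            m = VALUE_RE.match(line)
            if m and current_key is not None:
                name, data = m.groups()
                action = "delete_value" if data == "-" else "set_value"
                entry = {"action": action, "key": current_key, "name": name}
                if action == "set_value":
                    entry["data"] = data
                plan["registry"].append(entry)
                continue
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return plan


def describe(plan):
    """Human-readable review list, one destructive action per line."""
    out = [f"delete file   {p}" for p in plan["files"]]
    out += [f"delete folder {p}" for p in plan["folders"]]
    for a in plan["registry"]:
        if a["action"] == "delete_key":
            out.append(f"delete key    {a['key']}")
        elif a["action"] == "delete_value":
            out.append(f"delete value  {a['key']} -> {a['name']}")
        elif a["action"] == "set_value":
            out.append(f"set value     {a['key']} -> {a['name']} = {a['data']}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_cfscript(SAMPLE_CFSCRIPT))))
```

The parser is strict on purpose: a stray line in the Registry:: block, or a value line with no key selected above it, raises instead of being silently skipped, which is the behaviour you want for a script that deletes things.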


#11 Starbuck

Malware Response Team, Midlands, UK

Posted 20 May 2008 - 02:59 PM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





