Winanonymous?pornography?colleges?trusted Virus Support?


This topic is locked
8 replies to this topic

#1 angelfishfood (Members, 4 posts)

Posted 04 May 2008 - 07:48 PM

Hi Guys, I'm brand new to this forum. I followed a link from Yahoo Answers because our family is being inundated with these strange pop ups telling us that we have spyware, illegal pornography, and wanting us to download, scan, etc. This is then followed up by other webpage pop ups for colleges, and of course the random "sexy" site. I find that I don't have problems when using Firefox, just Internet Explorer. I haven't been able to do the Kaspersky Online Scanner because it's for Explorer only. I'll post the DSS and HijackThis stuff and then afterwards try the online scanner.

I apologize if I have this all backwards. I will update with the Kaspersky Online Scanner if I can get it done.

Thank you for whatever help you can offer!

Have a great evening!

-ANGELFISHFOOD

Here's the HijackThis log:

Deckard's System Scanner v20071014.68
Run by Melissa Lea Sorenson on 2008-05-04 18:15:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
75: 2008-05-05 00:15:14 UTC - RP587 - Deckard's System Scanner Restore Point
74: 2008-05-04 02:10:00 UTC - RP586 - Last known good configuration
73: 2008-05-04 02:09:47 UTC - RP585 - System Checkpoint
72: 2008-05-04 02:09:47 UTC - RP584 - System Checkpoint
71: 2008-05-04 02:09:46 UTC - RP583 - System Checkpoint


-- First Restore Point --
1: 2008-05-04 02:09:16 UTC - RP513 - Removed WordPerfect Office 12


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Melissa Lea Sorenson.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:13 PM, on 04/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\BitTorrent\bittorrent.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Melissa Lea Sorenson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Melissa Lea Sorenson.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enCA/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aliant.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {3713F9EE-C059-4540-B697-987EF263A088} - C:\WINDOWS\system32\awtQKAtq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BADBF36C-9799-475D-9DA3-D911EE18C9E1} - C:\WINDOWS\system32\jkkijghi.dll
O2 - BHO: {591b0fc0-aa4f-daba-4674-f0a8ff33c60e} - {e06c33ff-8a0f-4764-abad-f4aa0cf0b195} - C:\WINDOWS\system32\jwsnajou.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [103a228d] rundll32.exe "C:\WINDOWS\system32\atpufqlb.dll",b
O4 - HKLM\..\Run: [BM13091111] Rundll32.exe "C:\WINDOWS\system32\nsyicqtv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://minxiemelissa.spaces.live.com//Phot...ad/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161988681437
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: awtQKAtq - C:\WINDOWS\SYSTEM32\awtQKAtq.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 10648 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 MREMP50 (MREMP50 NDIS Protocol Driver) - c:\program files\common files\motive\mremp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 MREMP50a64 (MREMP50a64 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mremp50a64.sys (file missing)
S3 MRESP50 (MRESP50 NDIS Protocol Driver) - c:\program files\common files\motive\mresp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 MRESP50a64 (MRESP50a64 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mresp50a64.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 McciCMService - "c:\program files\common files\motive\mccicmservice.exe" <Not Verified; Motive Communications, Inc.; >
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter
R2 WDBtnMgrSvc.exe (WD Drive Manager Service) - "c:\program files\western digital\wd drive manager\wdbtnmgrsvc.exe" <Not Verified; WDC; WD Drive Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-03 18:29:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-01 01:00:03 362 --a------ C:\WINDOWS\Tasks\McQcTask.job
2007-10-28 20:37:53 370 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-04-04 and 2008-05-04 -----------------------------

2008-05-04 18:18:45 0 d-------- C:\Program Files\Trend Micro
2008-05-04 08:16:29 108096 --a------ C:\WINDOWS\system32\jwsnajou.dll
2008-05-04 08:13:35 95296 --a------ C:\WINDOWS\system32\atpufqlb.dll
2008-05-04 08:13:26 104512 --a------ C:\WINDOWS\system32\nsyicqtv.dll
2008-05-03 20:09:05 364649 --ahs---- C:\WINDOWS\system32\ihgjikkj.ini2
2008-05-03 20:08:58 281600 --a------ C:\WINDOWS\system32\jkkijghi.dll
2008-05-03 20:04:41 42496 --a------ C:\WINDOWS\system32\pmnMfGXo.dll
2008-05-03 20:03:47 42496 --a------ C:\WINDOWS\system32\awtQKAtq.dll
2008-05-03 09:41:35 0 d-------- C:\Program Files\iPod
2008-04-10 16:16:09 0 d-------- C:\Program Files\Yahoo!
2008-04-05 10:16:47 0 d-------- C:\Program Files\DNA
2008-04-05 10:16:47 0 d-------- C:\Documents and Settings\Melissa Lea Sorenson\Application Data\DNA
2008-04-05 10:00:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-04-05 10:00:06 0 d-------- C:\Program Files\Winamp Toolbar
2008-04-05 09:59:11 0 d-------- C:\Program Files\Winamp
2008-04-05 09:59:11 0 d-------- C:\Documents and Settings\Melissa Lea Sorenson\Application Data\Winamp


-- Find3M Report ---------------------------------------------------------------

2008-05-04 18:19:35 0 d-------- C:\Documents and Settings\Melissa Lea Sorenson\Application Data\BitTorrent
2008-05-03 09:59:08 0 d-------- C:\Program Files\Apple Software Update
2008-05-03 09:42:29 0 d-------- C:\Program Files\iTunes
2008-05-03 09:36:56 0 d-------- C:\Program Files\QuickTime
2008-04-15 08:34:05 0 d-------- C:\Program Files\Java
2008-04-05 10:17:03 0 d-------- C:\Program Files\BitTorrent
2008-03-31 20:34:10 0 d-------- C:\Documents and Settings\Melissa Lea Sorenson\Application Data\Google
2008-03-31 19:44:13 0 d-------- C:\Program Files\Picasa2
2008-03-31 19:42:33 0 d-------- C:\Program Files\Google
2008-03-31 19:40:30 0 d-------- C:\Program Files\Western Digital Technologies
2008-03-31 19:40:06 0 d-------- C:\Program Files\Western Digital
2008-03-31 18:15:06 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-31 18:06:26 0 d-------- C:\Program Files\HP
2008-03-21 09:03:01 0 d-------- C:\Program Files\Bonjour
2008-03-21 08:57:53 0 d-------- C:\Program Files\Common Files
2008-03-21 08:57:53 0 d-------- C:\Program Files\Common Files\Apple
2008-03-19 21:27:22 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-19 21:27:16 0 d-------- C:\Program Files\Real
2008-03-19 21:26:51 0 d-------- C:\Program Files\Common Files\Real
2008-03-19 21:05:15 0 d-------- C:\Documents and Settings\Melissa Lea Sorenson\Application Data\Real
2008-03-19 20:59:51 3683 --a------ C:\WINDOWS\mozver.dat
2008-03-07 20:26:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-11 16:48:13 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-11 16:48:13 104 -r-hs---- C:\WINDOWS\system32\6D9134488C.sys
2008-02-11 15:20:24 1009 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3713F9EE-C059-4540-B697-987EF263A088}]
03/05/2008 08:03 PM 42496 --a------ C:\WINDOWS\system32\awtQKAtq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BADBF36C-9799-475D-9DA3-D911EE18C9E1}]
03/05/2008 08:09 PM 281600 --a------ C:\WINDOWS\system32\jkkijghi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e06c33ff-8a0f-4764-abad-f4aa0cf0b195}]
04/05/2008 08:16 AM 108096 --a------ C:\WINDOWS\system32\jwsnajou.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [19/03/2008 04:36 PM 1267040]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [14/10/2004 06:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11 AM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [03/09/2003 07:12 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [10/06/2005 09:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [10/06/2005 09:44 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 07:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 07:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 07:36 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [25/10/2001 08:55 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [19/03/2008 09:25 PM]
"WD Drive Manager"="C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [30/01/2008 04:50 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [31/03/2008 07:42 PM]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [20/02/2007 07:18 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/04/2008 12:49 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
"103a228d"="C:\WINDOWS\system32\atpufqlb.dll" [04/05/2008 08:13 AM]
"BM13091111"="C:\WINDOWS\system32\nsyicqtv.dll" [04/05/2008 08:13 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 04:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/04/2008 07:37 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11/04/2008 06:06 AM]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [05/04/2008 10:17 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3713F9EE-C059-4540-B697-987EF263A088}"= C:\WINDOWS\system32\awtQKAtq.dll [03/05/2008 08:03 PM 42496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtQKAtq]
awtQKAtq.dll 03/05/2008 08:03 PM 42496 C:\WINDOWS\system32\awtQKAtq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkijghi

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TELUS_eCare_Lite_McciTrayApp]
C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

*Newly Created Service* - HTTPFILTER
*Newly Created Service* - RASAUTO



-- End of Deckard's System Scanner: finished at 2008-05-04 18:22:53 ------------


Attached is the second part of the HijackThis text.

Also, I managed to run the Kaspersky scan:

Sunday, May 04, 2008 7:53:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/05/2008
Kaspersky Anti-Virus database records: 740088
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 14040
Number of viruses found 1
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 00:20:41

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\atpufqlb.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\awtQKAtq.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jkkijghi.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\jwsnajou.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\nsyicqtv.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\pmnMfGXo.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_ogTiriCIaMQDotE Object is locked skipped
C:\WINDOWS\Temp\mcmsc_kA6n4Y40QeNG2uZ Object is locked skipped
C:\WINDOWS\Temp\mcmsc_pAcnYxj0vXgWlGP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_thXy5kSdyywbOXL Object is locked skipped
C:\WINDOWS\Temp\mcmsc_UZUel5P37NfTuNV Object is locked skipped
C:\WINDOWS\Temp\mcmsc_VbMQjOxNWWoyiNT Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\~DF6F9.tmp Object is locked skipped


I don't know if that's what you'll need.
Should I be removing these files?
Unfortunately, I don't know THAT much about computers.
I sure can mess them up pretty good!

Thanks - Angelfishfood

Edited by angelfishfood, 04 May 2008 - 09:08 PM.
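The log above shows the persistence set that Kaspersky labels Trojan.Win32.Monder.gen (Malwarebytes reports the same family as Trojan.Vundo later in this thread): six eight-letter DLLs dropped into system32 within a day of each other, two of them started from HKLM Run through rundll32.exe, three registered as Browser Helper Objects (two with no name), one hooked into both Winlogon Notify and ShellExecuteHooks, one appended to LSA's "Authentication Packages" so it loads inside lsass.exe, and a hidden system file ihgjikkj.ini2 whose name is jkkijghi spelled backwards. As an added example that is not part of this thread or of HijackThis, DSS or the Kaspersky scanner, the Python script below reads lines in those three formats and groups the hits per DLL. The rule names and the eight-letter-name heuristic are this script's own assumptions; the sample lines are copied from the log above, plus two benign lines that must not fire.

```python
"""Triage HijackThis / Deckard's System Scanner / Kaspersky report lines for
Vundo-style persistence.  Added example, not code from the thread or from any of
those tools; rule names and the eight-letter-name heuristic are this script's
own assumptions."""
import re

# Constructed sample: lines copied from the logs in the post above, mixed with
# two benign lines (Java BHO, iTunes Run key) that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3713F9EE-C059-4540-B697-987EF263A088} - C:\WINDOWS\system32\awtQKAtq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {BADBF36C-9799-475D-9DA3-D911EE18C9E1} - C:\WINDOWS\system32\jkkijghi.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [103a228d] rundll32.exe "C:\WINDOWS\system32\atpufqlb.dll",b
O4 - HKLM\..\Run: [BM13091111] Rundll32.exe "C:\WINDOWS\system32\nsyicqtv.dll",s
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: awtQKAtq - C:\WINDOWS\SYSTEM32\awtQKAtq.dll
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkijghi
2008-05-03 20:09:05 364649 --ahs---- C:\WINDOWS\system32\ihgjikkj.ini2
2008-05-03 20:08:58 281600 --a------ C:\WINDOWS\system32\jkkijghi.dll
2008-05-03 20:04:41 42496 --a------ C:\WINDOWS\system32\pmnMfGXo.dll
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\pmnMfGXo.dll Infected: Trojan.Win32.Monder.gen skipped
"""

SYS32_DLL = r'C:\\WINDOWS\\system32\\(\w+)\.dll'

# Hook-point rules.  Each captures the DLL's base name; the eight-letter
# heuristic below is applied to these, because legitimate software uses the
# same hook points (NvCpl via rundll32, Google's toolbar as a BHO, ...).
HOOK_RULES = [
    ("rundll32 Run key",    re.compile(r'^O4 .*rundll32\.exe\s+"?' + SYS32_DLL, re.I)),
    ("unnamed BHO",         re.compile(r'^O2 - BHO: \(no name\) .* - ' + SYS32_DLL, re.I)),
    ("Winlogon Notify DLL", re.compile(r'^O20 - Winlogon Notify: .* - ' + SYS32_DLL, re.I)),
    ("new DLL in system32", re.compile(r'^\d{4}-\d\d-\d\d \S+ \d+ \S+ ' + SYS32_DLL + r'$', re.I)),
]
# Anything after msv1_0 in LSA's Authentication Packages is loaded into
# lsass.exe at boot; XP ships with msv1_0 alone, so extras are flagged as-is.
LSA_EXTRA = re.compile(r'^"Authentication Packages"=\s*msv1_0\s+(.+?)\s*$')
# An AV verdict on a system32 DLL is flagged as-is, keyed by the family name.
AV_HIT = re.compile(r'^' + SYS32_DLL + r'\s+Infected:\s+(\S+)', re.I)
# DSS "files created" entry for an .ini/.ini2 in system32 (group 1 = attributes).
INI_FILE = re.compile(r'^\d{4}-\d\d-\d\d \S+ \d+ (\S+) C:\\WINDOWS\\system32\\(\w+)\.(ini2?)$', re.I)
# Vundo droppers use eight random letters.  Heuristic, not a verdict:
# browseui.dll is a legitimate eight-letter name.
RANDOM_STEM = re.compile(r'^[A-Za-z]{8}$')


def triage(log_text):
    """Return (findings, config_files).

    findings:     ordered, de-duplicated list of (rule, dll_stem).
    config_files: list of (ini_name, dll_stem, attributes) where the ini
                  name read backwards is a flagged DLL's name; Vundo keeps
                  its settings under the reversed DLL name, hidden+system.
    """
    findings, ini_files = [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        for rule, pattern in HOOK_RULES:
            m = pattern.match(line)
            if m and RANDOM_STEM.match(m.group(1)):
                findings.append((rule, m.group(1)))
        m = LSA_EXTRA.match(line)
        if m:
            for package in m.group(1).split():
                findings.append(("LSA auth package", package.rsplit("\\", 1)[-1]))
        m = AV_HIT.match(line)
        if m:
            findings.append(("AV: " + m.group(2), m.group(1)))
        m = INI_FILE.match(line)
        if m:
            ini_files.append((m.group(2) + "." + m.group(3), m.group(1)))
    findings = list(dict.fromkeys(findings))          # keep order, drop repeats
    flagged = {stem.lower() for _, stem in findings}
    config_files = [(name, name.split(".")[0][::-1], attrs)
                    for name, attrs in ini_files
                    if name.split(".")[0][::-1].lower() in flagged]
    return findings, config_files


def by_module(findings):
    """Group rule hits per DLL so one module's several hooks show together."""
    grouped = {}
    for rule, stem in findings:
        grouped.setdefault(stem.lower(), []).append(rule)
    return grouped


if __name__ == "__main__":
    found, cfg = triage(SAMPLE_LOG)
    for stem, rules in by_module(found).items():
        print(f"{stem:10} <- {', '.join(rules)}")
    for name, stem, attrs in cfg:
        print(f"{name} ({attrs}) is {stem} reversed: likely Vundo config, remove with the DLL")
```

Run it on the whole pasted log rather than the excerpt; the grouping is the useful part, since a module that is both a BHO and a Winlogon Notify handler (awtQKAtq here) or sits in lsass.exe (jkkijghi) cannot be deleted while it is mapped, which is why the Malwarebytes log later in this thread marks exactly those entries "Delete on reboot". The LSA and AV rules fire unconditionally; the hook rules only fire for eight-letter names, so a sample using a different naming scheme needs the rule list extended rather than trusted to be clean.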


#2 steamwiz (Members, 1,039 posts)

Posted 05 May 2008 - 04:13 PM

Hi

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E


#3 angelfishfood (Topic Starter; Members, 4 posts)

Posted 06 May 2008 - 04:49 PM

Hi Steam,

I ran the Malware and I already see a noticeable improvement.
Thank you so much!

Here is the log from MBAM. I will run the Combofix and post it in a few minutes.

Thanks again... You're fantastic!

-Angelfish

Here's the log:

Malwarebytes' Anti-Malware 1.12
Database version: 726

Scan type: Quick Scan
Objects scanned: 35230
Time elapsed: 22 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 20
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkkijghi.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\oblpbvjv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wwcbiebn.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\awtQKAtq.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d4e9a1a4-94ca-4471-87ed-a878607e4376} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d4e9a1a4-94ca-4471-87ed-a878607e4376} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\urlsearchhook.softomateurlsearchhook (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.softomateurlsearchhook.1 (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3713f9ee-c059-4540-b697-987ef263a088} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3713f9ee-c059-4540-b697-987ef263a088} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqkatq (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\103a228d (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM13091111 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3713f9ee-c059-4540-b697-987ef263a088} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkijghi -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkijghi -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jkkijghi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ihgjikkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihgjikkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oblpbvjv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vjvbplbo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wwcbiebn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nbeibcww.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melissa Lea Sorenson\Local Settings\Temporary Internet Files\Content.IE5\A4SDPTQ1\kriv[1] (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ydcpnhya.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pmnMfGXo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtQKAtq.dll (Trojan.Vundo) -> Delete on reboot.


I'll add the combo fix in a few minutes!

Later:

Hi Steam,

Here's the combo fix log.

ComboFix 08-05-01.3 - Melissa Lea Sorenson 2008-05-06 17:14:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.228 [GMT -6:00]
Running from: C:\Documents and Settings\Melissa Lea Sorenson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Melissa Lea Sorenson\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 15:16 . 2008-05-06 15:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 15:16 . 2008-05-06 15:16 <DIR> d-------- C:\Documents and Settings\Melissa Lea Sorenson\Application Data\Malwarebytes
2008-05-06 15:16 . 2008-05-06 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 15:16 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 15:16 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 15:11 . 2008-05-06 15:11 2,112 --a------ C:\WINDOWS\system32\ibixdxvy.exe
2008-05-04 19:02 . 2008-05-04 19:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 19:02 . 2008-05-04 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 18:18 . 2008-05-04 18:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-04 18:14 . 2008-05-04 18:14 <DIR> d-------- C:\Deckard
2008-05-04 18:06 . 2008-05-04 20:29 4,094,947 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-04 08:13 . 2008-05-06 15:09 109,709 --a------ C:\WINDOWS\BM13091111.xml
2008-05-03 09:41 . 2008-05-03 09:41 <DIR> d-------- C:\Program Files\iPod
2008-04-15 08:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-10 16:16 . 2008-04-13 09:06 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 23:17 --------- d-----w C:\Documents and Settings\Melissa Lea Sorenson\Application Data\BitTorrent
2008-05-06 23:08 --------- d-----w C:\Documents and Settings\Melissa Lea Sorenson\Application Data\DNA
2008-05-03 15:59 --------- d-----w C:\Program Files\Apple Software Update
2008-05-03 15:42 --------- d-----w C:\Program Files\iTunes
2008-05-03 15:36 --------- d-----w C:\Program Files\QuickTime
2008-04-15 14:34 --------- d-----w C:\Program Files\Java
2008-04-05 19:23 --------- d-----w C:\Documents and Settings\Melissa Lea Sorenson\Application Data\Winamp
2008-04-05 16:17 --------- d-----w C:\Program Files\BitTorrent
2008-04-05 16:16 --------- d-----w C:\Program Files\DNA
2008-04-05 16:00 --------- d-----w C:\Program Files\Winamp Toolbar
2008-04-05 16:00 --------- d-----w C:\Program Files\Winamp
2008-04-05 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-04-01 01:44 --------- d-----w C:\Program Files\Picasa2
2008-04-01 01:42 --------- d-----w C:\Program Files\Google
2008-04-01 01:40 --------- d-----w C:\Program Files\Western Digital Technologies
2008-04-01 01:40 --------- d-----w C:\Program Files\Western Digital
2008-04-01 00:15 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-01 00:06 --------- d-----w C:\Program Files\HP
2008-03-21 15:03 --------- d-----w C:\Program Files\Bonjour
2008-03-21 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-21 14:57 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-21 14:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-20 03:27 --------- d-----w C:\Program Files\Real
2008-03-20 03:27 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-20 03:26 --------- d-----w C:\Program Files\Common Files\Real
2008-03-20 03:25 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-20 03:25 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-08 02:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 00:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-11 22:48 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2004-08-04 10:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 10:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 10:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 10:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 10:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 10:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 10:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 10:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-03-19 16:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2008-03-19 16:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 19:37 68856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 06:06 288576]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2008-04-05 10:17 587568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 07:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 07:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 07:36 114688]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 08:55 196608]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-19 21:25 185896]
"WD Drive Manager"="C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 04:50 438272]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-31 19:42 1862144]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 19:18 366400]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 12:49 36352]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-01-24 10:38 198128 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-03-19 21:25 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TELUS_eCare_Lite_McciTrayApp]
--a------ 2007-01-24 15:55 1007720 C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 12:49 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16340:TCP"= 16340:TCP:*:Disabled:BitComet 16340 TCP
"16340:UDP"= 16340:UDP:*:Disabled:BitComet 16340 UDP

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-09-26 11:43]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-01-24 10:38]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;"C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [2008-01-30 04:52]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-09-26 11:43]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-09-26 11:43]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 00:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-29 02:37:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-01 07:00:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 17:16:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-06 17:19:31
ComboFix-quarantined-files.txt 2008-05-06 23:18:27
ComboFix2.txt 2008-05-06 23:05:25

Pre-Run: 21,262,745,600 bytes free
Post-Run: 21,232,406,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

200 --- E O F --- 2008-04-09 04:13:38


Thanks Again... You're the best.
-Angelfish

Edited by angelfishfood, 06 May 2008 - 06:23 PM.


#4 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:12:43 AM

Posted 07 May 2008 - 01:25 PM

Hi

You're doing well :thumbsup:

You've run Combofix twice & posted the log from the second run, I need to see the log from the first run, it will show me things not in the log you posted ... you can find that log here :-

C:\ComboFix2.txt ... the one with the #2 in the name ...

Also ...

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ... in your case :-

J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 3

Then You can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 6' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 angelfishfood

angelfishfood
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 07 May 2008 - 05:00 PM

Hi Steam!

I checked in the C: drive and the only combo fix text was the second one. I don't have the one with combofix2 in the title. I wonder if it was erased when I ran the first one? I ran it a second time because I messed up the first one. :thumbsup:

Is it awful that I don't have the first one? Is there another way to find it?

I will update the Java software now. Let me know if there's anything I can do to fix the Combofix mess up.

Thanks for everything (including your patience)

-Angelfish

PS: I have just updated the Java!

Edited by angelfishfood, 07 May 2008 - 05:21 PM.


#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:12:43 AM

Posted 08 May 2008 - 03:17 PM

Hi

Mmm ... it should be there ... look at the bottom section of the log you posted & you see this :-

Completion time: 2008-05-06 17:19:31 <<<<< this refers to the second run & is ComboFix.txt
ComboFix-quarantined-files.txt 2008-05-06 23:18:27
ComboFix2.txt 2008-05-06 23:05:25 <<<< this is the log from the first run ...

If you ran Combofix a third time, the log from the second run (ComboFix.txt) would become ComboFix2.txt ... & ComboFix2.txt would become ComboFix3.txt ... it wouldn't be overwritten ....

Can you find the ComboFix-quarantined-files.txt & post that for me ...

The log I want to see will show the files which Combofix has deleted, I specifically want to see if it deleted files shown in your Kaspersky log ...

Anyway please post the ComboFix-quarantined-files.txt if you can ...

Then run a new Kaspersky Online Scan & post that log ...

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
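Added example, not part of this thread and not code from Malwarebytes or ComboFix: a small Python script that reads the "Files Infected" section of an MBAM 1.x log in the format posted earlier in this thread, lists the items still marked "Delete on reboot", and checks them against the "Other Deletions" list of a ComboFix log. That is the cross-check steam asks for in this post (did the second tool actually remove what the first one could only schedule for deletion). The sample log text below is constructed from the two log formats in this thread, with a generic user folder in place of the real one; the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log format (file names as posted
# in this thread, user profile path replaced by a generic one).
MBAM_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\jkkijghi.dll (Trojan.Vundo) -> Unloaded module successfully.

Files Infected:
C:\WINDOWS\system32\jkkijghi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ihgjikkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oblpbvjv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wwcbiebn.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\A4SDPTQ1\kriv[1] (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ydcpnhya.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pmnMfGXo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtQKAtq.dll (Trojan.Vundo) -> Delete on reboot.
"""

# Constructed sample of the "Other Deletions" block of a ComboFix log (same thread).
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtQKAtq.dll
C:\WINDOWS\system32\ihgjikkj.ini
C:\WINDOWS\system32\jkkijghi.dll
C:\WINDOWS\system32\oblpbvjv.dll
C:\WINDOWS\system32\wwcbiebn.dll
C:\WINDOWS\system32\ydcpnhya.dll
F:\Autorun.inf

----- BITS: Possible infected sites -----
"""

# One MBAM detection line: "<item> (<family>) -> [detail -> ]<action>."
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

Entry = Tuple[str, str, str]  # (item, family, action)


def parse_mbam_entry(line: str) -> Entry:
    """Split one detection line; the action is always the last '->' segment."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    action = m.group("rest").split(" -> ")[-1].rstrip(".")
    return m.group("item"), m.group("family"), action


def parse_mbam_log(text: str) -> Dict[str, List[Entry]]:
    """Group detections by the section header they appear under ('Files Infected', ...)."""
    sections: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):          # section header, not the summary counts
            current = line[:-1]
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        entry = parse_mbam_entry(line)
        if entry:
            sections[current].append(entry)
    return sections


def family_counts(sections: Dict[str, List[Entry]]) -> Counter:
    """How many detections each malware family accounts for, across all sections."""
    return Counter(family for entries in sections.values() for _, family, _ in entries)


def pending_reboot_files(sections: Dict[str, List[Entry]]) -> List[str]:
    """Files MBAM could not remove immediately and scheduled for deletion at next boot."""
    return [item for item, _, action in sections.get("Files Infected", [])
            if action.lower() == "delete on reboot"]


def parse_combofix_deletions(text: str) -> Set[str]:
    """Collect the paths listed under ComboFix's 'Other Deletions' header (lower-cased,
    because Windows paths are case-insensitive)."""
    deleted: Set[str] = set()
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(((") and "Other Deletions" in line:
            in_section = True
            continue
        if not in_section or line in ("", "."):
            continue
        if line.startswith("(((") or line.startswith("-----"):  # next block begins
            break
        deleted.add(line.lower())
    return deleted


def reconcile(mbam_text: str, combofix_text: str) -> Tuple[List[str], List[str]]:
    """Return (confirmed, unconfirmed): pending-reboot files that ComboFix did / did not
    report deleting. Unconfirmed items are the ones to re-check after the reboot."""
    pending = pending_reboot_files(parse_mbam_log(mbam_text))
    deleted = parse_combofix_deletions(combofix_text)
    confirmed = [p for p in pending if p.lower() in deleted]
    unconfirmed = [p for p in pending if p.lower() not in deleted]
    return confirmed, unconfirmed


if __name__ == "__main__":
    confirmed, unconfirmed = reconcile(MBAM_LOG, COMBOFIX_LOG)
    print("families:", dict(family_counts(parse_mbam_log(MBAM_LOG))))
    print("confirmed deleted by ComboFix:", *confirmed, sep="\n  ")
    print("still to verify after reboot:", *unconfirmed, sep="\n  ")
```

On the sample above the only unconfirmed item is the cached download under Temporary Internet Files, which is the kind of thing a helper would ask the poster to check (or clear with a temp-file cleanup) after the reboot rather than assume gone.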

#7 angelfishfood

angelfishfood
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 11 May 2008 - 12:09 PM

Hi Steam,

I did a search of the system for the combofix quarantined files and found the first combo fix scan. It was in another file on the C drive?
Anyway, here's the first log and the quarantined file log.

ComboFix 08-05-01.3 - Melissa Lea Sorenson 2008-05-06 16:50:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.202 [GMT -6:00]
Running from: C:\Documents and Settings\Melissa Lea Sorenson\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtQKAtq.dll
C:\WINDOWS\system32\blqfupta.ini
C:\WINDOWS\system32\gpehoelv.dll
C:\WINDOWS\system32\ihgjikkj.ini
C:\WINDOWS\system32\ihgjikkj.ini2
C:\WINDOWS\system32\jkkijghi.dll
C:\WINDOWS\system32\jwsnajou.dll
C:\WINDOWS\system32\nsyicqtv.dll
C:\WINDOWS\system32\oblpbvjv.dll
C:\WINDOWS\system32\tamdsmth.dll
C:\WINDOWS\system32\unctvyqj.dll
C:\WINDOWS\system32\wwcbiebn.dll
C:\WINDOWS\system32\ydcpnhya.dll
F:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://blog.makezine.com
hxxp://blog.craftzine.com
.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 15:16 . 2008-05-06 15:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 15:16 . 2008-05-06 15:16 <DIR> d-------- C:\Documents and Settings\Melissa Lea Sorenson\Application Data\Malwarebytes
2008-05-06 15:16 . 2008-05-06 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 15:16 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 15:16 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 15:11 . 2008-05-06 15:11 2,112 --a------ C:\WINDOWS\system32\ibixdxvy.exe
2008-05-04 19:02 . 2008-05-04 19:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 19:02 . 2008-05-04 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 18:18 . 2008-05-04 18:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-04 18:14 . 2008-05-04 18:14 <DIR> d-------- C:\Deckard
2008-05-04 18:06 . 2008-05-04 20:29 4,094,947 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-04 08:13 . 2008-05-06 15:09 109,709 --a------ C:\WINDOWS\BM13091111.xml
2008-05-03 09:41 . 2008-05-03 09:41 <DIR> d-------- C:\Program Files\iPod
2008-04-15 08:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-10 16:16 . 2008-04-13 09:06 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 22:58 --------- d-----w C:\Documents and Settings\Melissa Lea Sorenson\Application Data\DNA
2008-05-06 22:58 --------- d-----w C:\Documents and Settings\Melissa Lea Sorenson\Application Data\BitTorrent
2008-05-03 15:59 --------- d-----w C:\Program Files\Apple Software Update
2008-05-03 15:42 --------- d-----w C:\Program Files\iTunes
2008-05-03 15:36 --------- d-----w C:\Program Files\QuickTime
2008-04-15 14:34 --------- d-----w C:\Program Files\Java
2008-04-05 19:23 --------- d-----w C:\Documents and Settings\Melissa Lea Sorenson\Application Data\Winamp
2008-04-05 16:17 --------- d-----w C:\Program Files\BitTorrent
2008-04-05 16:16 --------- d-----w C:\Program Files\DNA
2008-04-05 16:00 --------- d-----w C:\Program Files\Winamp Toolbar
2008-04-05 16:00 --------- d-----w C:\Program Files\Winamp
2008-04-05 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-04-01 01:44 --------- d-----w C:\Program Files\Picasa2
2008-04-01 01:42 --------- d-----w C:\Program Files\Google
2008-04-01 01:40 --------- d-----w C:\Program Files\Western Digital Technologies
2008-04-01 01:40 --------- d-----w C:\Program Files\Western Digital
2008-04-01 00:15 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-01 00:06 --------- d-----w C:\Program Files\HP
2008-03-21 15:03 --------- d-----w C:\Program Files\Bonjour
2008-03-21 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-21 14:57 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-21 14:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-20 03:27 --------- d-----w C:\Program Files\Real
2008-03-20 03:27 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-20 03:26 --------- d-----w C:\Program Files\Common Files\Real
2008-03-08 02:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2004-08-04 10:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 10:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 10:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 10:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 10:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 10:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 10:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 10:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-03-19 16:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2008-03-19 16:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 19:37 68856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 06:06 288576]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2008-04-05 10:17 587568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 07:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 07:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 07:36 114688]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 08:55 196608]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-19 21:25 185896]
"WD Drive Manager"="C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 04:50 438272]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-31 19:42 1862144]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 19:18 366400]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 12:49 36352]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-01-24 10:38 198128 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-03-19 21:25 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TELUS_eCare_Lite_McciTrayApp]
--a------ 2007-01-24 15:55 1007720 C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 12:49 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16340:TCP"= 16340:TCP:*:Disabled:BitComet 16340 TCP
"16340:UDP"= 16340:UDP:*:Disabled:BitComet 16340 UDP

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-09-26 11:43]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-01-24 10:38]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;"C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [2008-01-30 04:52]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-09-26 11:43]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-09-26 11:43]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 00:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-29 02:37:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-01 07:00:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 16:56:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 98

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-05-06 17:05:24 - machine was rebooted [Melissa Lea Sorenson]
ComboFix-quarantined-files.txt 2008-05-06 23:05:19

Pre-Run: 21,332,754,432 bytes free
Post-Run: 21,277,114,368 bytes free

221 --- E O F --- 2008-04-09 04:13:38

Here's the quarantined file log:

2005-11-15 12:08 36 --a------ C:\Qoobox\Quarantine\F\autorun.inf.vir
2008-05-04 08:13 104512 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nsyicqtv.dll.vir
2008-05-04 08:16 108096 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jwsnajou.dll.vir
2008-05-05 15:04 1480191 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\blqfupta.ini.vir
2008-05-05 15:05 104000 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tamdsmth.dll.vir
2008-05-05 15:05 107584 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gpehoelv.dll.vir
2008-05-06 15:11 22 --a------ C:\Qoobox\Quarantine\C\WINDOWS\pskt.ini.vir
2008-05-06 15:16 108608 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\unctvyqj.dll.vir
2008-05-06 15:41 104512 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ydcpnhya.dll.vir
2008-05-06 15:41 191262 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ihgjikkj.ini2.vir
2008-05-06 15:41 281600 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkijghi.dll.vir
2008-05-06 15:41 42496 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\awtQKAtq.dll.vir
2008-05-06 15:41 96832 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oblpbvjv.dll.vir
2008-05-06 15:41 96832 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wwcbiebn.dll.vir
2008-05-06 15:42 191262 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ihgjikkj.ini.vir
2008-05-06 15:45 214222 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-05-06 15:45 214222 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2008-05-06 17:16 108 --a------ C:\Qoobox\Quarantine\catchme.log

I will run the Kaspersky scan now... Thanks again... I really appreciate it!

-Angelfish


Hi Steam,

Here's the Kaspersky Online Scan:

Sunday, May 11, 2008 11:47:10 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/05/2008
Kaspersky Anti-Virus database records: 757206
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 14100
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:18:49

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_hb9yQjiYNABl0m1 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_2caDASvh6EhwB4i Object is locked skipped
C:\WINDOWS\Temp\mcmsc_3jwLaQoUute5ojP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_sbc7PhF8Qg7Bkwp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\fla3B3.tmp Object is locked skipped
C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\~DF8C95.tmp Object is locked skipped
Scan process completed.


Thanks Again... I'll talk to you later!

-Angelfish

Edited by angelfishfood, 11 May 2008 - 12:50 PM.
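Added example, not code from the thread, from ComboFix or from any of the tools whose output is pasted above: a small Python triage script that reads log lines in the layout shown in the post and flags the two things a helper reading such logs checks first. First, Security Center registry values that silence the antivirus/firewall notices or vendor monitoring (the `AntiVirusDisableNotify` and `DisableMonitoring` lines above, both set to 1). Second, files under `system32` that were created within a few days of the scan and whose names look random, the pattern of the quarantined DLLs above. The sample log is constructed: it reuses file names and registry lines from this post and adds one invented `setupapi.dll` line and one invented `FirewallDisableNotify=0` line so that the non-hit paths are exercised. All function names are mine.

```python
"""Triage helper for ComboFix/Deckard-style log lines.

Added example for this thread; it is not code from the thread, from
ComboFix, or from any tool used above. Two checks that a helper reading
such logs does by eye:

1. Security Center tampering: Windows XP SP2 values that silence the
   AV/firewall status notices or vendor monitoring (dword set to 1).
2. Recently created files under system32 whose name looks random, a
   pattern seen with adware/spyware droppers of the period.

Both are triage heuristics, not verdicts (see looks_random for the
false-positive risk).
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the layout the tools print. File names are those
# quarantined in the thread above, plus one invented setupapi.dll line and
# one invented FirewallDisableNotify=0 line to show non-hits.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

2005-11-15 12:08 36 --a------ C:\Qoobox\Quarantine\F\autorun.inf.vir
2008-05-04 08:13 104512 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nsyicqtv.dll.vir
2008-05-06 15:41 42496 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\awtQKAtq.dll.vir
2008-05-06 15:41 281600 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkijghi.dll.vir
2008-05-06 15:45 214222 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-05-06 15:30 96832 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\setupapi.dll.vir
"""

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
# Real Security Center value names; any non-zero value disables the notice.
TAMPER_NAMES = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                "UpdatesDisableNotify", "DisableMonitoring"}

FILE_LINE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
                       r"(?P<size>\d+) (?P<attr>\S+) (?P<path>.+?)(?:\.vir)?$")
SYSTEM32 = re.compile(r"\\windows\\system32\\(?P<base>[^\\]+)$", re.IGNORECASE)
VOWELS = set("aeiou")
RARE = set("jkqvwxz")


def security_center_tampering(log):
    """Return (registry key, value name) pairs that silence Security Center."""
    hits, key = [], None
    for line in log.splitlines():
        line = line.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_VAL.match(line)
        if m and key and "security center" in key.lower():
            if m.group("name") in TAMPER_NAMES and int(m.group("val"), 16) != 0:
                hits.append((key, m.group("name")))
    return hits


def looks_random(stem):
    """Crude pronounceability test for a file stem; tuned to the names above.

    Caveat: legitimate names can trip it (iphlpapi has a four-consonant run),
    so it is only used together with the creation-date gate below.
    """
    s = stem.lower()
    if not s.isalpha() or not 6 <= len(s) <= 10:
        return False
    vowel_frac = sum(c in VOWELS for c in s) / len(s)
    longest_run = max(len(r) for r in re.split(r"[aeiou]", s))
    rare = sum(c in RARE for c in s)
    return vowel_frac < 0.2 or longest_run >= 4 or rare >= 2


def recent_random_system32(log, scan_time, window_days=7):
    """Files under system32 created within window_days of scan_time whose
    stem looks random. scan_time is 'YYYY-MM-DD HH:MM' as the tool prints it."""
    cutoff = datetime.strptime(scan_time, "%Y-%m-%d %H:%M") - timedelta(days=window_days)
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M")
        s = SYSTEM32.search(m.group("path"))
        if not s or created < cutoff:
            continue
        base = s.group("base")
        if looks_random(base.split(".")[0]):
            hits.append((base, created.date().isoformat(), int(m.group("size"))))
    return hits


if __name__ == "__main__":
    for key, name in security_center_tampering(SAMPLE_LOG):
        print(f"Security Center silenced: {name} under {key}")
    for base, day, size in recent_random_system32(SAMPLE_LOG, "2008-05-06 17:05"):
        print(f"Suspicious recent system32 file: {base} ({size} bytes, {day})")
```

Run against the constructed sample with the scan time from the log above (`2008-05-06 17:05`), it reports the two silenced Security Center values and the three random-named DLLs, while the invented `setupapi.dll` line and the `qmgr0.dat` line outside `system32` are not reported. The date gate is what makes the name test tolerable: on its own the pronounceability check would also flag real files such as `iphlpapi.dll`, so treat a hit as something to look up and verify, not as a verdict.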


#8 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 11 May 2008 - 02:28 PM

Hi

I did a search of the system for the combofix quarantined files and found the first combo fix scan. It was in another file on the C drive?


If it wasn't at C:\ComboFix2.txt ... can you tell me its exact location? Thank you...

Your logs are clean now ... please post a new hijackthis log...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 24 June 2008 - 03:56 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
