
Cryp Tap-2


  • This topic is locked
10 replies to this topic

#1 frankmc98 (Members, 23 posts)

Posted 10 May 2008 - 04:33 PM

I used HouseCall from Trend Micro and it found that I have been infected with Cryp Tap 2 and some other malware in my system32 folder and some place else; before I could get it all down, the page was stuck and IE7 had to close the page. It took over 5 hours to do a complete computer sweep. I will try to do it again but limit the sweep to my system folders. McAfee could not remove or quarantine the files. For me this thing seems to open IE browser windows for antivirus and spyware ads as well as miscellaneous ads for credit cards and businesses. Also it has slowed down my web browsing. I initially downloaded Vundo and VundoFix, but it seems there are two files of this Cryp Tap-2 and a couple of self-duplicating files which drop into a system folder upon deletion and are back when you reboot. I am copying my log file from Trend Micro HijackThis. Can someone help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:56 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\PROGRA~1\DVDIDL~1\DVDIdlePro.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [BMc30f4e97] Rundll32.exe "C:\WINDOWS\system32\jrdeamwk.dll",s
O4 - HKLM\..\Run: [c03c7d0b] rundll32.exe "C:\WINDOWS\system32\mnuppdmd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
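The two O4 lines in the log above that load an eight-letter DLL straight out of system32 through rundll32 with a one-letter export (jrdeamwk.dll,s and mnuppdmd.dll,b), under value names that are random hex, are the pattern the helper acts on in the next reply. The Python below is an added example for this thread, not code from HijackThis or from any participant: it scores each "O4 - ...\Run:" line on those four heuristics and runs over a constructed excerpt of this log. The value-name and DLL-stem patterns are assumptions drawn from this one log, not a general signature, so treat the score as a triage aid rather than a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of HijackThis v2 "O4" lines, copied in shape from the
# log above. The two rundll32 entries with random names are the ones McAfee
# could not remove.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BMc30f4e97] Rundll32.exe "C:\WINDOWS\system32\jrdeamwk.dll",s
O4 - HKLM\..\Run: [c03c7d0b] rundll32.exe "C:\WINDOWS\system32\mnuppdmd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
""".strip()

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 argument: an optionally quoted DLL path, a comma, the export name
DLL_RE = re.compile(r'"?(?P<dll>[A-Za-z]:\\[^",]+\.dll)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)
# Assumed patterns, taken from this one log: 8 random hex digits (optionally
# prefixed "BM") for the value name, 8 lowercase letters for the DLL stem.
NAME_RE = re.compile(r'(?:BM)?[0-9a-f]{8}')
STEM_RE = re.compile(r'[a-z]{8}')


def analyse_run_entry(line):
    """Score one 'O4 - ...\\Run:' line. Returns (value_name, target, score,
    reasons), or None for O4 lines that are not Run-key entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group('name'), m.group('cmd')
    reasons = []
    if NAME_RE.fullmatch(name):
        reasons.append('value name is a random hex string')
    target = cmd
    if 'rundll32' in cmd.lower():
        d = DLL_RE.search(cmd)
        if d:
            dll = PureWindowsPath(d.group('dll'))
            target = str(dll)
            # Vundo drops its DLL straight into %windir%\system32, not a subfolder
            if dll.parent.name.lower() == 'system32' and dll.parent.parent.name.lower() == 'windows':
                reasons.append('DLL sits directly in system32')
            if STEM_RE.fullmatch(dll.stem):
                reasons.append('eight-letter random DLL name')
            if len(d.group('export')) == 1:
                reasons.append('single-character export name')
    return name, target, len(reasons), reasons


def scan_hjt_log(text, threshold=3):
    """Return Run entries scoring >= threshold, highest score first."""
    hits = [r for r in map(analyse_run_entry, text.splitlines()) if r and r[2] >= threshold]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == '__main__':
    for name, target, score, reasons in scan_hjt_log(SAMPLE_LOG):
        print(f'[{name}] {target}  score={score}: ' + '; '.join(reasons))
```

On the excerpt, only the two Vundo entries reach the threshold (each scores 4); the Lexmark printer entry, which also uses rundll32, scores 0 because its DLL lives in a spool subfolder, has a readable name and a normal export.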


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 11 May 2008 - 02:47 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 frankmc98 (Topic Starter)

Posted 11 May 2008 - 09:43 AM

My laptop came pre-installed and I have an OEM disc, and I am not sure how to get the XP Recovery Console. Can you provide an alternative to acquire or access the Recovery Console? My laptop is an HP Pavilion ZV6000 and does not have a 1.44" floppy drive.

#4 frankmc98 (Topic Starter)

Posted 11 May 2008 - 10:14 AM

Never mind my last reply; I found instructions in the ComboFix how-to...

#5 frankmc98 (Topic Starter)

Posted 11 May 2008 - 10:49 AM

Here is the ComboFix log:

ComboFix 08-05-09.1 - Frank 2008-05-11 10:22:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1542 [GMT -5:00]
Running from: C:\Documents and Settings\Frank\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Frank\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\amhbbahk.dll
C:\WINDOWS\system32\ammrvscb.dll
C:\WINDOWS\system32\dbgpjyvs.dll
C:\WINDOWS\system32\dmdppunm.ini
C:\WINDOWS\system32\fpaqhjir.ini
C:\WINDOWS\system32\ikxnjeqa.ini
C:\WINDOWS\system32\iqssveqy.ini
C:\WINDOWS\system32\jrdeamwk.dll
C:\WINDOWS\system32\ljJARkLB.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnuppdmd.dll
C:\WINDOWS\system32\opnkiIBQ.dll
C:\WINDOWS\system32\pvtfihfo.ini
C:\WINDOWS\system32\QBIiknpo.ini
C:\WINDOWS\system32\QBIiknpo.ini2
C:\WINDOWS\system32\qyhjgmlw.ini
C:\WINDOWS\system32\rijhqapf.dll
C:\WINDOWS\system32\sypwkuio.dll
C:\WINDOWS\system32\yhfbcjsw.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 08:48 . 2008-05-11 08:48 2,112 --a------ C:\WINDOWS\system32\opyaabud.exe
2008-05-09 20:52 . 2008-05-09 20:52 2,112 --a------ C:\WINDOWS\system32\ucfwkydt.exe
2008-05-09 20:50 . 2008-05-09 20:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-09 20:48 . 2008-05-09 20:58 <DIR> d-------- C:\Documents and Settings\Frank\.housecall6.6
2008-05-08 20:51 . 2008-05-08 20:51 2,112 --a------ C:\WINDOWS\system32\ovulerfr.exe
2008-05-07 20:49 . 2008-05-07 20:51 0 --a------ C:\WINDOWS\system32\sys_dll.dll
2008-05-07 20:34 . 2008-05-07 20:34 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-07 09:33 . 2008-05-07 09:33 2,112 --a------ C:\WINDOWS\system32\hjjwghxj.exe
2008-05-06 15:40 . 2008-05-06 22:28 <DIR> d-------- C:\VundoFix Backups
2008-05-05 03:55 . 2008-05-11 08:42 109,709 --a------ C:\WINDOWS\BMc30f4e97.xml
2008-05-04 19:15 . 2008-05-04 19:16 <DIR> d-------- C:\Documents and Settings\Frank\Application Data\ArcSoft
2008-05-04 19:10 . 2008-05-04 19:10 <DIR> d-------- C:\Program Files\Common Files\AIPTEK HD-DV
2008-05-04 19:09 . 2008-05-04 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArcSoft
2008-05-04 18:57 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-05-04 18:52 . 2008-05-04 18:52 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-05-04 18:52 . 2008-05-04 18:52 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-04 18:52 . 2006-01-24 10:20 1,645,320 -ra------ C:\WINDOWS\system32\GdiPlus.dll
2008-05-04 18:52 . 2007-04-19 09:39 400,128 --a------ C:\WINDOWS\system32\MSLUP60.dll
2008-05-04 18:52 . 2007-04-19 09:39 256,768 --a------ C:\WINDOWS\system32\MSLURT.dll
2008-04-20 18:29 . 2008-05-06 13:36 <DIR> d-------- C:\CloneDVDTemp
2008-04-20 08:41 . 2008-04-20 08:41 <DIR> d-------- C:\Temp\cheetah
2008-04-13 22:08 . 2008-04-18 13:24 <DIR> d-------- C:\Temp\CheetahAudio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 22:01 --------- d-----w C:\Documents and Settings\Frank\Application Data\StarOffice8
2008-05-10 21:24 --------- d-----w C:\Program Files\Trend Micro
2008-05-10 04:01 --------- d-----w C:\Documents and Settings\Frank\Application Data\NewsBin
2008-05-08 01:06 --------- d-----w C:\Program Files\Lx_cats
2008-05-07 03:28 --------- d-----w C:\Program Files\PowerISO
2008-05-06 15:37 --------- d-----w C:\Program Files\Registry Clean Expert
2008-05-05 00:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 16:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-02 16:28 --------- d-----w C:\Documents and Settings\Frank\Application Data\SiteAdvisor
2008-04-30 04:24 --------- d-----w C:\Program Files\Sibelius Software
2008-04-25 02:13 --------- d-----w C:\Documents and Settings\Frank\Application Data\LimeWire
2008-04-24 02:24 --------- d-----w C:\Program Files\Cakewalk
2008-04-24 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cakewalk
2008-04-07 18:38 --------- d-----w C:\Documents and Settings\Frank\Application Data\Cakewalk
2008-04-07 16:46 --------- d-----w C:\Program Files\Sony
2008-04-07 16:41 --------- d-----w C:\Program Files\SatelliteTVforPC
2008-04-07 16:10 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-07 15:05 --------- d-----w C:\Documents and Settings\Frank\Application Data\Sibelius Software
2008-04-07 15:04 604 ---ha-w C:\Program Files\STLL Notifier
2008-04-07 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-03-29 16:17 --------- d-----w C:\Program Files\321Studios
2008-03-29 16:16 34,528 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-03-20 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-03-20 15:13 --------- d-----w C:\Program Files\TomTom HOME 2
2008-03-20 15:13 --------- d-----w C:\Documents and Settings\Frank\Application Data\TomTom
2008-03-11 04:04 1,409 ----a-w C:\WINDOWS\Fonts\OPUSPC__.FOT
2008-02-14 03:51 984,576 ----a-w C:\Documents and Settings\Frank\Application Data\kernel33.dll
2008-02-14 03:50 3,940,548 ----a-w C:\WINDOWS\WinAVI_Video_Converter_v.7.7.exe
2008-01-29 20:49 61,480 ----a-w C:\Documents and Settings\Frank\GoToAssistDownloadHelper.exe
2007-12-29 17:41 22,040 ----a-w C:\Documents and Settings\Frank\Application Data\addon.dat
2003-08-05 11:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 16:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 15:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 18:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 14:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys
2004-08-18 18:00 270,336 ------w C:\Program Files\mozilla firefox\plugins\DCAENTU.dll
2004-08-18 18:00 1,294,336 ------w C:\Program Files\mozilla firefox\plugins\DCARSA.dll
2004-08-18 18:00 348,160 ------w C:\Program Files\mozilla firefox\plugins\GuiUtils.dll
2004-08-18 18:00 122,880 ------w C:\Program Files\mozilla firefox\plugins\nsldap32v30.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 05:58 206184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 14:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-29 07:57 98304]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 14:14 98616]

C:\Documents and Settings\Frank\Start Menu\Programs\Startup\
StarOffice 8.lnk - C:\Program Files\Sun\StarOffice 8\program\quickstart.exe [2007-08-17 23:58:18 122880]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 07:27:58 77312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDIDL~1\DVDShell.dll [2004-10-09 03:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll 2007-01-30 03:57 101888 C:\WINDOWS\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll 2007-01-30 09:57 260096 C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 acachsrv;ActivClient Authentication Service;"C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe" [2006-11-10 07:29]
R2 acautoup;ActivClient Auto-Update Service;"C:\Program Files\ActivIdentity\ActivClient\acautoup.exe" [2006-11-10 07:29]
R2 accoca;ActivClient Middleware Service;"C:\Program Files\ActivIdentity\ActivClient\accoca.exe" [2006-11-10 07:29]
R2 ACDaemon;ArcSoft Connect Daemon;C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-04-17 14:14]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 09:39]
S3 bepldr;BCL easyPDF SDK 5 Loader;"C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe" [2007-02-21 18:26]
S3 Freehand-USBLAN;Freehand-USBLAN;C:\WINDOWS\system32\DRIVERS\fhblan.sys [2008-01-29 16:54]
S3 SCR131C;SCRx31 Serial Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR131C.sys [2002-11-06 23:04]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-05 23:24]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2007-10-17 18:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09649926-f608-11dc-bf07-0014a5724218}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 07:03:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-01 06:00:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 10:30:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.bin
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-11 10:40:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-11 15:39:01

Pre-Run: 2,170,548,224 bytes free
Post-Run: 3,257,905,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

202 --- E O F --- 2008-05-10 16:55:31

Here is the other requested log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.BIN
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 7948 bytes
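Two parts of the ComboFix log above deserve a second look beyond the files it already deleted. Under "Reg Loading Points", the Security Center key has AntiVirusDisableNotify and AntiVirusOverride set to 1, which silences the "no antivirus" warning; the DisableMonitoring value under the McAfee product key and EnableFirewall=0 for the Windows Firewall profile look similar but are commonly set by a third-party suite such as the installed McAfee products. Under "Files Created", four 2,112-byte executables with random eight-letter names appeared in system32 on four different days, matching the files the first post describes as coming back after a reboot. The Python below is an added example for this thread, not ComboFix's code: it parses both sections from a constructed excerpt of this log, grades the Security Center settings with those caveats, and groups new system32 executables by exact size to expose the serial dropper.

```python
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's report layout; the values are the ones
# that appear in the log above.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.
2008-05-11 08:48 . 2008-05-11 08:48 2,112 --a------ C:\WINDOWS\system32\opyaabud.exe
2008-05-09 20:52 . 2008-05-09 20:52 2,112 --a------ C:\WINDOWS\system32\ucfwkydt.exe
2008-05-09 20:50 . 2008-05-09 20:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-08 20:51 . 2008-05-08 20:51 2,112 --a------ C:\WINDOWS\system32\ovulerfr.exe
2008-05-07 20:49 . 2008-05-07 20:51 0 --a------ C:\WINDOWS\system32\sys_dll.dll
2008-05-07 09:33 . 2008-05-07 09:33 2,112 --a------ C:\WINDOWS\system32\hjjwghxj.exe
2008-05-06 15:40 . 2008-05-06 22:28 <DIR> d-------- C:\VundoFix Backups

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
""".strip()

FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+'
                     r'(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
RANDOM_STEM_RE = re.compile(r'[a-z]{8}')   # assumed from this log's file names

# Security Center values that hide or override the "no antivirus/firewall"
# warning. Set to 1 by malware that wants to run with protection disabled.
SECURITY_CENTER_FLAGS = {'AntiVirusDisableNotify', 'AntiVirusOverride',
                         'FirewallDisableNotify', 'FirewallOverride',
                         'UpdatesDisableNotify'}


def reg_int(raw):
    """Turn ComboFix's value rendering ('dword:00000001' or '0 (0x0)') into an int."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'\d+', raw)
    return int(m.group()) if m else None


def security_center_findings(text):
    """Walk the REGEDIT4-style section and return (severity, key, name, value)
    for settings that silence Security Center or turn off Windows Firewall."""
    findings, key = [], None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group('key')
            continue
        v = VAL_RE.match(line)
        if not (v and key):
            continue
        name, val = v.group('name'), reg_int(v.group('value'))
        kl = key.lower()
        if 'security center' in kl and name in SECURITY_CENTER_FLAGS and val == 1:
            findings.append(('high', key, name, val))
        elif r'security center\monitoring' in kl and name == 'DisableMonitoring' and val == 1:
            # Third-party suites set this on their own product key, so on its
            # own it is informational; compare against the installed suite.
            findings.append(('info', key, name, val))
        elif 'firewallpolicy' in kl and name == 'EnableFirewall' and val == 0:
            # Expected when another host firewall (here McAfee MPF) is active.
            findings.append(('info', key, name, val))
    return findings


def dropper_clusters(text, min_files=2):
    """Group newly created .exe/.dll files in %windir%\\system32 by exact size and
    return the sizes shared by several random-named files: the footprint of a
    dropper re-creating itself under a fresh name."""
    by_size = defaultdict(list)
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m or m.group('size') == '<DIR>':
            continue
        path = m.group('path')
        folder, _, fname = path.rpartition('\\')
        stem, _, ext = fname.rpartition('.')
        if (folder.lower().endswith('\\system32') and ext.lower() in ('exe', 'dll')
                and RANDOM_STEM_RE.fullmatch(stem)):
            by_size[int(m.group('size').replace(',', ''))].append(path)
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_files}


if __name__ == '__main__':
    for sev, key, name, val in security_center_findings(SAMPLE_COMBOFIX):
        print(f'{sev:4} {key}\\{name} = {val}')
    for size, paths in dropper_clusters(SAMPLE_COMBOFIX).items():
        print(f'{len(paths)} files of exactly {size} bytes:', *paths, sep='\n  ')
```

On the excerpt, the two Security Center overrides come out as high, the McAfee monitoring and firewall entries as informational, and the four random-named 2,112-byte executables land in one cluster; tmcomm.sys (Trend Micro's HouseCall driver, in a drivers subfolder) and the zero-byte sys_dll.dll are left out.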

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 11 May 2008 - 03:12 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\opyaabud.exe
C:\WINDOWS\system32\ucfwkydt.exe
C:\WINDOWS\system32\ovulerfr.exe
C:\WINDOWS\system32\sys_dll.dll
C:\WINDOWS\system32\hjjwghxj.exe
C:\WINDOWS\BMc30f4e97.xml
Folder::
C:\VundoFix Backups


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 frankmc98

frankmc98
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:26 PM

Posted 11 May 2008 - 08:36 PM

ComboFix 08-05-09.1 - Frank 2008-05-11 20:06:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1540 [GMT -5:00]
Running from: C:\Documents and Settings\Frank\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Frank\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMc30f4e97.xml
C:\WINDOWS\system32\hjjwghxj.exe
C:\WINDOWS\system32\opyaabud.exe
C:\WINDOWS\system32\ovulerfr.exe
C:\WINDOWS\system32\sys_dll.dll
C:\WINDOWS\system32\ucfwkydt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Frank\Application Data\addon.dat
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\PWRISOSH.DLL.bad
C:\WINDOWS\BMc30f4e97.xml
C:\WINDOWS\system32\hjjwghxj.exe
C:\WINDOWS\system32\opyaabud.exe
C:\WINDOWS\system32\ovulerfr.exe
C:\WINDOWS\system32\sys_dll.dll
C:\WINDOWS\system32\ucfwkydt.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-11 18:34 . 2008-05-11 18:34 797 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-11 18:30 . 2008-05-11 18:33 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-05-11 18:29 . 2008-05-11 18:29 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-09 20:50 . 2008-05-09 20:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-09 20:48 . 2008-05-09 20:58 <DIR> d-------- C:\Documents and Settings\Frank\.housecall6.6
2008-05-07 20:34 . 2008-05-07 20:34 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-04 19:15 . 2008-05-04 19:16 <DIR> d-------- C:\Documents and Settings\Frank\Application Data\ArcSoft
2008-05-04 19:10 . 2008-05-04 19:10 <DIR> d-------- C:\Program Files\Common Files\AIPTEK HD-DV
2008-05-04 19:09 . 2008-05-04 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArcSoft
2008-05-04 18:57 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-05-04 18:52 . 2008-05-04 18:52 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-05-04 18:52 . 2008-05-04 18:52 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-04 18:52 . 2006-01-24 10:20 1,645,320 -ra------ C:\WINDOWS\system32\GdiPlus.dll
2008-05-04 18:52 . 2007-04-19 09:39 400,128 --a------ C:\WINDOWS\system32\MSLUP60.dll
2008-05-04 18:52 . 2007-04-19 09:39 256,768 --a------ C:\WINDOWS\system32\MSLURT.dll
2008-04-20 18:29 . 2008-05-06 13:36 <DIR> d-------- C:\CloneDVDTemp
2008-04-20 08:41 . 2008-04-20 08:41 <DIR> d-------- C:\Temp\cheetah
2008-04-13 22:08 . 2008-04-18 13:24 <DIR> d-------- C:\Temp\CheetahAudio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 01:02 --------- d-----w C:\Documents and Settings\Frank\Application Data\NewsBin
2008-05-11 15:34 --------- d-----w C:\Documents and Settings\Frank\Application Data\StarOffice8
2008-05-10 21:24 --------- d-----w C:\Program Files\Trend Micro
2008-05-08 01:06 --------- d-----w C:\Program Files\Lx_cats
2008-05-07 03:28 --------- d-----w C:\Program Files\PowerISO
2008-05-06 15:37 --------- d-----w C:\Program Files\Registry Clean Expert
2008-05-05 00:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 16:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-02 16:28 --------- d-----w C:\Documents and Settings\Frank\Application Data\SiteAdvisor
2008-04-30 04:24 --------- d-----w C:\Program Files\Sibelius Software
2008-04-25 02:13 --------- d-----w C:\Documents and Settings\Frank\Application Data\LimeWire
2008-04-24 02:24 --------- d-----w C:\Program Files\Cakewalk
2008-04-24 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cakewalk
2008-04-07 18:38 --------- d-----w C:\Documents and Settings\Frank\Application Data\Cakewalk
2008-04-07 16:46 --------- d-----w C:\Program Files\Sony
2008-04-07 16:41 --------- d-----w C:\Program Files\SatelliteTVforPC
2008-04-07 16:10 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-07 15:05 --------- d-----w C:\Documents and Settings\Frank\Application Data\Sibelius Software
2008-04-07 15:04 604 ---ha-w C:\Program Files\STLL Notifier
2008-04-07 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-03-29 16:17 --------- d-----w C:\Program Files\321Studios
2008-03-29 16:16 34,528 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-03-20 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-03-20 15:13 --------- d-----w C:\Program Files\TomTom HOME 2
2008-03-20 15:13 --------- d-----w C:\Documents and Settings\Frank\Application Data\TomTom
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 04:04 1,409 ----a-w C:\WINDOWS\Fonts\OPUSPC__.FOT
2008-03-04 01:01 830,464 ----a-w C:\WINDOWS\system32\SET101.tmp
2008-03-04 01:00 2,532,610 ------w C:\WINDOWS\inf\SETB6.tmp
2008-03-04 01:00 10,240 ------w C:\WINDOWS\system32\SETD0.tmp
2008-03-04 00:53 78,336 ----a-w C:\WINDOWS\system32\SETDE.tmp
2008-03-04 00:53 385,024 ----a-w C:\WINDOWS\system32\SETD4.tmp
2008-03-04 00:53 208,384 ------w C:\WINDOWS\system32\SET100.tmp
2008-03-04 00:53 1,547,264 ----a-w C:\WINDOWS\system32\SETE9.tmp
2008-03-04 00:52 41,984 ----a-w C:\WINDOWS\system32\SETED.tmp
2008-03-04 00:52 349,184 ----a-w C:\WINDOWS\system32\SETDD.tmp
2008-03-04 00:52 224,768 ----a-w C:\WINDOWS\system32\SETD9.tmp
2008-03-04 00:52 193,024 ----a-w C:\WINDOWS\system32\SETF7.tmp
2008-03-04 00:52 17,920 ----a-w C:\WINDOWS\system32\SETD1.tmp
2008-03-04 00:52 116,224 ----a-w C:\WINDOWS\system32\SETF9.tmp
2008-03-04 00:52 105,984 ----a-w C:\WINDOWS\system32\SETFC.tmp
2008-03-04 00:51 94,208 ----a-w C:\WINDOWS\system32\SETEA.tmp
2008-03-04 00:51 70,656 ----a-w C:\WINDOWS\system32\SETD6.tmp
2008-03-04 00:51 69,120 ----a-w C:\WINDOWS\system32\SETE5.tmp
2008-03-04 00:51 69,120 ----a-w C:\WINDOWS\system32\SETCE.tmp
2008-03-04 00:51 557,056 ----a-w C:\WINDOWS\system32\SETEB.tmp
2008-03-04 00:51 44,032 ----a-w C:\WINDOWS\system32\SETE2.tmp
2008-03-04 00:51 149,504 ----a-w C:\WINDOWS\system32\SETDA.tmp
2008-03-04 00:51 126,464 ----a-w C:\WINDOWS\system32\SETCF.tmp
2008-03-04 00:51 119,808 ----a-w C:\WINDOWS\system32\SETD8.tmp
2008-03-04 00:50 66,560 ----a-w C:\WINDOWS\system32\SETFB.tmp
2008-03-04 00:50 60,928 ----a-w C:\WINDOWS\system32\SETD5.tmp
2008-03-04 00:50 52,736 ------w C:\WINDOWS\system32\SETF0.tmp
2008-03-04 00:50 48,128 ----a-w C:\WINDOWS\system32\SETF5.tmp
2008-03-04 00:50 45,568 ----a-w C:\WINDOWS\system32\SETF1.tmp
2008-03-04 00:50 44,544 ----a-w C:\WINDOWS\system32\SETFA.tmp
2008-03-04 00:50 36,352 ----a-w C:\WINDOWS\system32\SETE8.tmp
2008-03-04 00:50 345,600 ----a-w C:\WINDOWS\system32\SETD2.tmp
2008-03-04 00:50 268,800 ----a-w C:\WINDOWS\system32\SETE3.tmp
2008-03-04 00:50 212,992 ----a-w C:\WINDOWS\system32\SETD3.tmp
2008-03-04 00:50 1,555,456 ----a-w C:\WINDOWS\system32\SETF3.tmp
2008-03-04 00:37 56,413 ----a-w C:\WINDOWS\system32\SETE7.tmp
2008-03-04 00:34 440,832 ----a-w C:\WINDOWS\system32\SETDC.tmp
2008-03-02 22:07 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-03-01 13:06 826,368 ------w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-14 11:02 684,560 ----a-w C:\WINDOWS\system32\unins000.exe
2008-02-14 03:51 984,576 ----a-w C:\Documents and Settings\Frank\Application Data\kernel33.dll
2008-02-14 03:50 52,224 ----a-w C:\WINDOWS\system32\jpg.dll
2008-02-14 03:50 3,940,548 ----a-w C:\WINDOWS\WinAVI_Video_Converter_v.7.7.exe
2008-02-14 03:50 28,160 ----a-w C:\WINDOWS\system32\zlib.dll
2008-01-29 20:49 61,480 ----a-w C:\Documents and Settings\Frank\GoToAssistDownloadHelper.exe
2003-08-05 11:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 16:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 15:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 18:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 14:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys
2004-08-18 18:00 270,336 ------w C:\Program Files\mozilla firefox\plugins\DCAENTU.dll
2004-08-18 18:00 1,294,336 ------w C:\Program Files\mozilla firefox\plugins\DCARSA.dll
2004-08-18 18:00 348,160 ------w C:\Program Files\mozilla firefox\plugins\GuiUtils.dll
2004-08-18 18:00 122,880 ------w C:\Program Files\mozilla firefox\plugins\nsldap32v30.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-11_10.38.41.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-13 23:39:20 71,680 -c--a-w C:\WINDOWS\ie8\admparse.dll
+ 2008-03-01 13:06:20 124,928 -c--a-w C:\WINDOWS\ie8\advpack.dll
+ 2007-08-13 23:42:54 17,408 -c--a-w C:\WINDOWS\ie8\corpol.dll
+ 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\ie8\dxtmsft.dll
+ 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\ie8\dxtrans.dll
+ 2007-08-13 23:18:02 60,416 -c--a-w C:\WINDOWS\ie8\hmmapi.dll
+ 2008-03-01 13:06:21 63,488 -c--a-w C:\WINDOWS\ie8\icardie.dll
+ 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\ie8\ie4uinit.exe
+ 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\ie8\ieakeng.dll
+ 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\ie8\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\ie8\ieakui.dll
+ 2007-07-01 03:31:33 2,455,488 -c--a-w C:\WINDOWS\ie8\ieapfltr.dat
+ 2008-03-01 13:06:22 383,488 -c--a-w C:\WINDOWS\ie8\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\ie8\iedkcs32.dll
+ 2007-08-13 23:44:02 69,120 -c--a-w C:\WINDOWS\ie8\iedw.exe
+ 2007-08-13 23:45:18 78,336 -c--a-w C:\WINDOWS\ie8\ieencode.dll
+ 2008-03-01 13:06:24 6,066,176 -c--a-w C:\WINDOWS\ie8\ieframe.dll
+ 2007-08-13 23:54:10 191,488 -c--a-w C:\WINDOWS\ie8\iepeers.dll
+ 2007-08-13 23:54:10 287,744 -c--a-w C:\WINDOWS\ie8\ieproxy.dll
+ 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\ie8\iernonce.dll
+ 2008-03-01 13:06:25 267,776 -c--a-w C:\WINDOWS\ie8\iertutil.dll
+ 2007-08-13 23:39:12 55,296 -c--a-w C:\WINDOWS\ie8\iesetup.dll
+ 2007-08-13 23:54:10 180,736 -c--a-w C:\WINDOWS\ie8\ieui.dll
+ 2008-02-29 08:55:46 625,664 -c--a-w C:\WINDOWS\ie8\iexplore.exe
+ 2007-08-13 23:36:06 36,352 -c--a-w C:\WINDOWS\ie8\imgutil.dll
+ 2007-08-13 23:39:02 92,672 -c--a-w C:\WINDOWS\ie8\inseng.dll
+ 2007-08-13 23:38:04 491,520 -c--a-w C:\WINDOWS\ie8\jscript.dll
+ 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\ie8\jsproxy.dll
+ 2007-08-13 23:44:18 40,960 -c--a-w C:\WINDOWS\ie8\licmgr10.dll
+ 2008-03-01 13:06:26 459,264 -c--a-w C:\WINDOWS\ie8\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 -c--a-w C:\WINDOWS\ie8\msfeedsbs.dll
+ 2007-08-13 23:36:40 12,288 -c--a-w C:\WINDOWS\ie8\msfeedssync.exe
+ 2007-08-13 23:32:30 45,568 -c--a-w C:\WINDOWS\ie8\mshta.exe
+ 2008-03-01 23:36:30 3,591,680 -c--a-w C:\WINDOWS\ie8\mshtml.dll
+ 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\ie8\mshtmled.dll
+ 2007-08-13 23:01:12 48,128 -c--a-w C:\WINDOWS\ie8\mshtmler.dll
+ 2007-08-13 23:54:10 156,160 -c--a-w C:\WINDOWS\ie8\msls31.dll
+ 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\ie8\msrating.dll
+ 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\ie8\mstime.dll
+ 2008-03-01 13:06:29 102,912 -c--a-w C:\WINDOWS\ie8\occache.dll
+ 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\ie8\pngfilt.dll
+ 2006-09-06 22:43:16 213,216 -c--a-w C:\WINDOWS\ie8\spuninst.exe
+ 2008-03-04 01:01:58 51,784 -c--a-w C:\WINDOWS\ie8\spuninst\iecustom.dll
+ 2008-01-11 16:35:36 213,216 -c--a-w C:\WINDOWS\ie8\spuninst\spuninst.exe
+ 2008-01-11 16:35:36 371,424 -c--a-w C:\WINDOWS\ie8\spuninst\updspapi.dll
+ 2008-03-01 13:06:29 105,984 -c--a-w C:\WINDOWS\ie8\url.dll
+ 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\ie8\urlmon.dll
+ 2007-08-13 23:54:10 413,696 -c--a-w C:\WINDOWS\ie8\vbscript.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\ie8\vgx.dll
+ 2008-03-01 13:06:30 233,472 -c--a-w C:\WINDOWS\ie8\webcheck.dll
+ 2007-08-13 23:45:16 206,336 -c--a-w C:\WINDOWS\ie8\winfxdocobj.exe
+ 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\ie8\wininet.dll
+ 2008-01-11 16:35:32 134,144 -c----w C:\WINDOWS\system32\dllcache\sqmapi.dll
- 2006-06-29 14:05:44 26,112 ----a-w C:\WINDOWS\system32\idndl.dll
+ 2008-01-11 16:35:16 26,112 ----a-w C:\WINDOWS\system32\idndl.dll
+ 2008-03-04 01:01:22 142,848 ------w C:\WINDOWS\system32\IESetting.dll
- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-03-04 00:51:46 36,864 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2006-06-28 23:59:26 24,576 ----a-w C:\WINDOWS\system32\nlsdl.dll
+ 2008-01-11 16:35:16 24,576 ----a-w C:\WINDOWS\system32\nlsdl.dll
- 2006-07-14 15:51:51 121,856 ----a-w C:\WINDOWS\system32\xmllite.dll
+ 2008-01-11 16:35:38 121,856 ----a-w C:\WINDOWS\system32\xmllite.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 05:58 206184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 14:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-29 07:57 98304]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 14:14 98616]

C:\Documents and Settings\Frank\Start Menu\Programs\Startup\
StarOffice 8.lnk - C:\Program Files\Sun\StarOffice 8\program\quickstart.exe [2007-08-17 23:58:18 122880]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 07:27:58 77312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDIDL~1\DVDShell.dll [2004-10-09 03:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll 2007-01-30 03:57 101888 C:\WINDOWS\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll 2007-01-30 09:57 260096 C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 acachsrv;ActivClient Authentication Service;"C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe" [2006-11-10 07:29]
R2 acautoup;ActivClient Auto-Update Service;"C:\Program Files\ActivIdentity\ActivClient\acautoup.exe" [2006-11-10 07:29]
R2 accoca;ActivClient Middleware Service;"C:\Program Files\ActivIdentity\ActivClient\accoca.exe" [2006-11-10 07:29]
R2 ACDaemon;ArcSoft Connect Daemon;C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-04-17 14:14]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 09:39]
S3 bepldr;BCL easyPDF SDK 5 Loader;"C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe" [2007-02-21 18:26]
S3 Freehand-USBLAN;Freehand-USBLAN;C:\WINDOWS\system32\DRIVERS\fhblan.sys [2008-01-29 16:54]
S3 SCR131C;SCRx31 Serial Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR131C.sys [2002-11-06 23:04]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-05 23:24]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2007-10-17 18:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09649926-f608-11dc-bf07-0014a5724218}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 07:03:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-01 06:00:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 20:08:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-11 20:13:42
ComboFix-quarantined-files.txt 2008-05-12 01:12:39
ComboFix2.txt 2008-05-11 15:40:07

Pre-Run: 6,724,837,376 bytes free
Post-Run: 6,714,073,088 bytes free

272 --- E O F --- 2008-05-10 16:55:31

Here is the other log... I tried posting from IE but it would not let me type in a reply window, much less copy and paste. I am using Firefox.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.BIN
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\PROGRA~1\DVDIDL~1\DVDIdlePro.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 8163 bytes
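The ComboFix output above, under "Reg Loading Points", shows Security Center notification values set to 1 and `EnableFirewall` set to 0 for the standard firewall profile; a defender checking a cleaned machine wants to know these were restored. As an added example that is not code from the thread, from ComboFix or from any of the tools named here, the following Python parses that REGEDIT4-style block (the sample below is constructed from the log posted above) and flags such values; the value names checked are the standard Windows Security Center ones.

```python
import re

# Constructed sample, modelled on the "Reg Loading Points" block of the
# ComboFix log posted above (key paths and values copied from that output).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Security Center values that, when set to 1, silence alerts or stop monitoring.
# Note: Monitoring\<vendor>\DisableMonitoring is also set by third-party AV
# products when they register with Security Center, so it is a "verify" hit,
# not proof of tampering on its own.
SC_DISABLE_NAMES = {
    "antivirusdisablenotify", "antivirusoverride",
    "firewalldisablenotify", "firewalloverride",
    "updatesdisablenotify", "disablemonitoring",
}


def parse_value(raw):
    """Normalise ComboFix's rendering of a registry value to int or str."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-fA-F]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)(\s+\(0x[0-9a-fA-F]+\))?$", raw)  # e.g. '0 (0x0)'
    if m:
        return int(m.group(1))
    if raw.startswith('"'):
        # Quoted string, possibly followed by ComboFix's "[date time size]" tag.
        return raw[1:raw.find('"', 1)]
    return raw


def parse_regedit4(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4-style block.

    Lines that are neither a [key] nor a "name"=value pair (for example the
    R2/S3 service lines ComboFix mixes in) are ignored.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            entries.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            entries[current][vm.group(1)] = parse_value(vm.group(2))
    return entries


def find_tampering(entries):
    """Flag values that disable Security Center alerting or the XP firewall."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        for name, value in values.items():
            n = name.lower()
            if "security center" in k and n in SC_DISABLE_NAMES and value == 1:
                findings.append((key, name, value,
                                 "Security Center alerting/monitoring disabled"))
            elif "firewallpolicy" in k and n == "enablefirewall" and value == 0:
                findings.append((key, name, value,
                                 "Windows Firewall disabled for this profile"))
    return findings


if __name__ == "__main__":
    for key, name, value, why in find_tampering(parse_regedit4(SAMPLE_LOG)):
        print(f"{why}: [{key}] {name}={value}")
```

Run against the sample it reports four hits; on a real log, compare the flagged keys with what the installed security product is expected to set before treating them as leftover tampering.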

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:26 PM

Posted 12 May 2008 - 01:30 AM

Hi,

This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#9 frankmc98

frankmc98
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:26 PM

Posted 12 May 2008 - 05:28 AM

Things are working great now... thanks so much for helping me get rid of that nasty virus... that is really a bad one. Thanks again. I used to live in Belgium, Mons. I really miss the beer :thumbsup:

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:26 PM

Posted 12 May 2008 - 05:33 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:26 PM

Posted 16 May 2008 - 07:55 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.