Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fake System Messages


  • This topic is locked This topic is locked
8 replies to this topic

#1 phxakguy

phxakguy

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:51 AM

Posted 15 May 2008 - 10:43 PM

I'm getting these error messages, I have scanned my computer with adware and Spybot. Neither find any issues. PLEASE HELP ME

SysFader: IE7EXPLORER.EXE - Application Fatal Error
- The instruction at 0x01cf34739 referenced memory at 0x02dfe50. The memory could not be read.

Your system is unstable
- A problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer. Kernel32x.SYS - Address 0xA73C20AE base, error code C03200, DateStamp 56b836A3, Kernel Debugger on port: COM3

System Shutdown
-This system is shutting down. Please save all work in progress and log off. Any unsaved chages will be lost. This shutdown by MyName/Administrator . Time before shutdown: 00:23
Message -Critical system error. Process Isass.exec, module: kernel321.dll at address 0x78221981.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:57 PM, on 5/15/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\BitComet\BitComet.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\WinSpeedUp\WinSpeedUp.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\BitComet\tools\CometBrowser.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 69.57.152.127 auto.search.msn.com
O1 - Hosts: 69.57.152.127 auto.search.msn.es
O1 - Hosts: 69.57.152.127 pagead2.googlesyndication.com
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - Startup: HDDlife.lnk = C:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\Common Files\BinarySense\hlAPP.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: joablfqe - C:\WINDOWS\SYSTEM32\joablfqe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\Common Files\BinarySense\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MDOIK - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\MDOIK.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Services Control - FileZilla Project - c:\windows\system32\drivers\services.exe
O23 - Service: Windows smss - Unknown owner - c:\windows\system32\drivers\etc\smss.exe

--
End of file - 8339 bytes

BC AdBot (Login to Remove)

 


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:05:51 PM

Posted 16 May 2008 - 04:37 PM

Hi

Go to > Start > Run > type shutdown -a to give you time to run the following programs ...

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode`:-

Reboot into >>>safe mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.

& a new hijackthis log

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#3 phxakguy

phxakguy
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:51 AM

Posted 16 May 2008 - 06:35 PM

here you go,
THANK YOU FOR YOUR HELP :thumbsup:


SDFix: Version 1.182
Run by admin on Fri 05/16/2008 at 03:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\abW9\tPho.log - Deleted
C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Temp\abW9 - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 15:39:35
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.c7da917b\c7da917b.exe [244] 0x85E5CDA0

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\c7da917b]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\c7da917b]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_C7DA917B]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\c7da917b]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"C:\WINDOWS\system32\.c7da917b\c7da917b.exe"
"DisplayName"="Microsoft DDE+ server"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\c7da917b]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\c7da917b]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C7DA917B]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c7da917b]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"C:\WINDOWS\system32\.c7da917b\c7da917b.exe"
"DisplayName"="Microsoft DDE+ server"
"ObjectName"="LocalSystem"

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1C91CB98-0E78-405F-54E4-793438C95075}]
"dbngnmimpplffnlfjmikfedpmkihbfllbibcohio"=hex:69,61,6a,6f,6f,61,6f,63,6a,61,70,68,63,70,67,65,66,66,00,00
"cbdgljjbpedbemnnmoaofafaeandckmckdlimm"=hex:69,61,6a,6f,6f,61,6f,63,6a,61,70,68,63,70,67,65,66,66,00,00
"abjinlgidpgiaelkleajbfphgaednnhbak"=hex:61,61,00,00
"maiiaohajgplhcbamfpjdpognm"=hex:61,61,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B4F7BB7B-2994-5E1A-7C45-C00B536C562C}]
"dbmikfaehmiadncffpbepmnmlkkdeghegpfiimii"=hex:69,61,61,63,6d,6c,70,6c,6d,63,67,61,6e,67,68,6a,6e,69,00,00
"cbgmefnpoihegcpbelackenkfcbnjhcddfjbko"=hex:69,61,61,63,6d,6c,70,6c,6d,63,67,61,6e,67,68,6a,6e,69,00,00
"iamikfaehmiadncffp"=hex:61,61,00,00
"hagmefnpoihegcpb"=hex:61,61,00,00
"iaamcohkgoilmgbgkn"=hex:61,61,00,00

scanning hidden files ...

C:\WINDOWS\system32\.c7da917b
C:\WINDOWS\system32\.c7da917b\c7da917b.Aff.config 16412 bytes
C:\WINDOWS\system32\.c7da917b\c7da917b.BR.config 50 bytes
C:\WINDOWS\system32\.c7da917b\c7da917b.core.dll 150016 bytes executable
C:\WINDOWS\system32\.c7da917b\c7da917b.exe 43008 bytes executable
C:\WINDOWS\system32\.c7da917b\c7da917b.GR.config 982 bytes
C:\WINDOWS\system32\.c7da917b\c7da917b.Rdr.config 38476 bytes
C:\WINDOWS\system32\.c7da917b\c7da917b.ServerPlugin.config 45 bytes
C:\WINDOWS\system32\.c7da917b\c7da917b.Sft.config 470 bytes
C:\WINDOWS\Temp\tmp31.tmp.c7da917b.tmp 249856 bytes executable

scan completed successfully
hidden processes: 1
hidden services: 1
hidden files: 10


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Messenger"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Disabled:ActiveSync RAPI Manager"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\BitTyrant\\Azureus.exe"="C:\\Program Files\\BitTyrant\\Azureus.exe:*:Disabled:Azureus"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Disabled:Nero ProductSetup"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe:*:Disabled:Orb"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe:*:Disabled:Orb Stream Client"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe:*:Disabled:OrbTray"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Disabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Disabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Disabled:Microsoft Office Outlook"
"C:\\Program Files\\NetZeroVoice\\NZVoice.exe"="C:\\Program Files\\NetZeroVoice\\NZVoice.exe:*:Enabled:NetZero Voice"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe:*:Disabled:Microsoft Broadband Network Utility"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe:*:Disabled:Microsoft Broadband Networking Setup"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe:*:Disabled:Microsoft Broadband Networking Tray"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe:*:Disabled:Microsoft Broadband Networking Update"
"C:\\Program Files\\icuii\\ICUII.exe"="C:\\Program Files\\icuii\\ICUII.exe:*:Disabled:ICUII Video Chat Client"
"C:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe:*:Disabled:Nero ShowTime"
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"="C:\\Program Files\\Motorola\\Software Update\\msu.exe:*:Disabled:msu"
""C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Disabled:mIRC"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Disabled:AIM"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 30 Apr 1998 511,424 A..H. --- "C:\Program Files\CarChip\40COMUPD.EXE"
Tue 7 Jan 2003 16,384 A..H. --- "C:\Program Files\CarChip\Helper.exe"
Tue 27 Feb 2001 995,383 A..H. --- "C:\Program Files\CarChip\MFC42.DLL"
Tue 27 Feb 2001 401,462 A..H. --- "C:\Program Files\CarChip\MSVCP60.DLL"
Tue 27 Feb 2001 254,005 A..H. --- "C:\Program Files\CarChip\MSVCRT.DLL"
Thu 5 Apr 2007 5,355,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 17 Dec 2007 27,648 ..SH. --- "C:\WINDOWS\system32\Smab0.dll"
Sat 24 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Sat 10 May 2008 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Sat 3 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Mon 3 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Mon 3 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Mon 3 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Thu 20 Mar 2008 5,632 ..SHR --- "C:\Program Files\eRightSoft\SUPER\spk\1stRun.exe"
Fri 18 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:57 PM, on 5/16/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HDDlife.lnk.disabled
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\Common Files\BinarySense\hlAPP.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: joablfqe - joablfqe.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\Common Files\BinarySense\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MDOIK - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\MDOIK.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Services Control - FileZilla Project - c:\windows\system32\drivers\services.exe
O23 - Service: Windows smss - Unknown owner - c:\windows\system32\drivers\etc\smss.exe

--
End of file - 7051 bytes

Edited by phxakguy, 17 May 2008 - 01:27 AM.


#4 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:05:51 PM

Posted 17 May 2008 - 06:05 PM

Hi

Has the computer improved ?

I'd like you to run some more programs for me now ...

Hi

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#5 phxakguy

phxakguy
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:51 AM

Posted 20 May 2008 - 09:27 PM

still working on getting all the logs. thank you again

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:05:51 PM

Posted 21 May 2008 - 12:57 PM

OK ... but don't leave it too long ...

Malware has a habit of increasing, the longer you leave it ... :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#7 phxakguy

phxakguy
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:51 AM

Posted 22 May 2008 - 12:52 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 20, 2008 7:18:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3311 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788663
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 139142
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:53:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\System Volume Information\_restore{30B3485B-A30D-4583-A49F-1C7132FF62C6}\RP40\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\.c7da917b\c7da917b.exe Infected: Trojan-Downloader.Win32.Agent.oyj skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7e8.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\User Account Pictures\admin.bmp Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\User Account Pictures\guest1.bmp Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\User Account Pictures\Testing.bmp Object is locked skipped

Scan process completed.
Malwarebytes' Anti-Malware 1.12
Database version: 762

Scan type: Quick Scan
Objects scanned: 43440
Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1f63b171-e2f3-4362-a484-8563144d62e6} (Adware.WebDir) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windows services control (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\windows services control (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows services control (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windows smss (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\windows smss (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows smss (Heuristics.Reserved.Word.Exploit) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\j2 (Adware.TTC) -> No action taken.
C:\WINDOWS\system32\m8 (Trojan.ZQuest) -> No action taken.

Files Infected:
C:\WINDOWS\system32\drivers\services.xml (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\system32\drivers\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\system32\drivers\etc\smss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
ComboFix 08-05-20.4 - admin 2008-05-20 19:39:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.647 [GMT -7:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\c1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-18 14:02 . 2008-05-18 14:03 <DIR> d----c--- C:\i386
2008-05-18 11:56 . 2008-05-20 19:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 11:56 . 2008-05-18 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-18 11:56 . 2008-05-18 11:56 <DIR> d----c--- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-05-18 11:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 11:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 08:28 . 2008-05-18 08:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-18 08:28 . 2008-05-18 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 19:03 . 2008-05-17 19:03 <DIR> d-------- C:\Program Files\iTunes
2008-05-17 19:03 . 2008-05-17 19:03 <DIR> d-------- C:\Program Files\iPod
2008-05-17 19:03 . 2008-05-17 19:03 <DIR> d-------- C:\Program Files\Bonjour
2008-05-17 19:02 . 2008-05-17 19:02 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-17 18:51 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-17 18:51 . 2008-05-17 18:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-17 11:17 . 2008-05-17 11:17 <DIR> d-------- C:\Program Files\Avira
2008-05-16 16:58 . 2008-05-16 17:03 <DIR> d-------- C:\fixwareout
2008-05-16 15:00 . 2008-05-16 15:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-16 14:43 . 2008-05-16 21:05 <DIR> d-------- C:\SDFix
2008-05-15 15:31 . 2008-05-15 15:30 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-15 15:30 . 2008-05-15 15:41 <DIR> d----c--- C:\Documents and Settings\admin\.housecall6.6
2008-05-15 11:52 . 2008-05-15 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-15 01:25 . 2008-05-15 01:25 249,856 --a------ C:\WINDOWS\system32\joablfqea.dll
2008-05-10 22:24 . 2008-05-10 22:24 <DIR> d-------- C:\ConverterOutput
2008-05-10 22:22 . 2008-05-10 22:22 <DIR> d-------- C:\Program Files\Cucusoft
2008-05-10 22:15 . <DIR> C:\Documents and Settings\admin\Application Data\NeroDigitalT
2008-05-10 22:10 . 2008-05-10 22:10 <DIR> d-------- C:\Program Files\eRightSoft
2008-05-10 22:10 . 2006-09-12 03:46 227,328 -r-hs---- C:\WINDOWS\system32\ac3DX.ax
2008-05-10 22:10 . 2006-03-10 13:48 169,472 -r-hs---- C:\WINDOWS\system32\MatroskaDX.ax
2008-05-10 22:10 . 2006-05-03 02:06 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2008-05-10 22:10 . 2005-11-25 12:46 161,792 -r-hs---- C:\WINDOWS\system32\RealMediaDX.ax
2008-05-10 22:10 . 2006-01-12 15:23 123,904 -r-hs---- C:\WINDOWS\system32\AVCDX.ax
2008-05-10 22:10 . 2005-02-22 08:55 81,920 -r-hs---- C:\WINDOWS\system32\aac_parser.ax
2008-05-10 22:10 . 2003-11-20 15:00 54,784 -r-hs---- C:\WINDOWS\system32\RLAPEDec.ax
2008-05-10 22:10 . 2004-04-26 15:00 37,888 -r-hs---- C:\WINDOWS\system32\RLMPCDec.ax
2008-05-10 22:10 . 2007-02-21 03:47 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2008-05-10 22:10 . 2007-12-17 05:43 27,648 ---hs---- C:\WINDOWS\system32\Smab0.dll
2008-05-08 18:56 . 2008-05-08 18:56 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-05-04 13:32 . 2008-05-04 13:32 <DIR> d----c--- C:\Documents and Settings\admin\Application Data\Desktopicon
2008-05-04 13:29 . 2008-05-04 13:29 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-04 13:25 . 2008-05-04 13:27 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 00:58 . 2008-04-23 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-23 00:58 . 2008-04-23 01:41 <DIR> d----c--- C:\Documents and Settings\admin\Application Data\NCH Swift Sound
2008-04-23 00:57 . 2008-04-23 01:41 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-04-23 00:17 . 2008-04-23 00:37 <DIR> d-------- C:\Program Files\Xilisoft
2008-04-21 15:08 . 2008-04-21 15:08 13,144 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 02:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-20 23:59 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-19 05:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-18 19:11 --------- d-----w C:\Program Files\CarChip
2008-05-18 02:04 --------- dc----w C:\Documents and Settings\admin\Application Data\Apple Computer
2008-05-18 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-17 18:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-16 06:17 --------- d-----w C:\Program Files\WinSpeedUp
2008-05-16 06:13 --------- d-----w C:\Program Files\BitComet
2008-05-16 05:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 01:24 --------- d-----w C:\Program Files\HDDlife
2008-05-15 18:52 --------- d-----w C:\Program Files\Lavasoft
2008-05-15 18:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-15 18:38 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-15 08:52 361,344 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-05-14 06:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 05:29 --------- dc----w C:\Documents and Settings\admin\Application Data\MSN6
2008-05-11 05:15 --------- dc----w C:\Documents and Settings\admin\Application Data\NeroDigital™
2008-05-05 09:17 --------- d-----w C:\Program Files\WM Converter
2008-05-04 20:32 --------- d-----w C:\Program Files\Unlocker
2008-05-04 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-04 05:28 --------- d-----w C:\Program Files\Technitium
2008-04-25 17:52 --------- d-----w C:\Program Files\QuickTime
2008-04-18 23:46 --------- d-----w C:\Program Files\MpcStar
2008-04-18 17:24 --------- dc----w C:\Documents and Settings\admin\Application Data\TigerPlayer
2008-04-16 21:20 --------- d-----w C:\Program Files\Common Files\BinarySense
2008-04-16 21:20 --------- d-----w C:\Program Files\BinarySense
2008-04-16 20:57 --------- d-----w C:\Program Files\CoreCodec
2008-04-16 20:53 --------- dc----w C:\Documents and Settings\admin\Application Data\CoreCodec
2008-04-16 20:52 --------- d-----w C:\Program Files\Haali
2008-04-13 20:38 --------- dc----w C:\Documents and Settings\admin\Application Data\Move Networks
2008-04-12 07:23 361,344 -c--a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-04-10 12:20 --------- dc----w C:\Documents and Settings\admin\Application Data\mIRC
2008-04-10 12:14 --------- d-----w C:\Program Files\mIRC
2008-04-07 13:15 --------- dc----w C:\Documents and Settings\admin\Application Data\Hamachi
2008-04-07 13:05 25,280 -c--a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-04-07 13:00 --------- d-----w C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-04-02 18:29 --------- dc----w C:\Documents and Settings\admin\Application Data\WinWay
2008-03-24 20:45 359,040 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys.fuk
2008-03-23 00:02 --------- d-----w C:\Program Files\Apple Software Update
2008-03-23 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-22 23:52 --------- d-----w C:\Program Files\Common Files\ASCOM
2008-03-22 23:34 --------- d--h--w C:\Program Files\Zero G Registry
2008-03-22 09:16 --------- d-----w C:\Program Files\Nmap
2008-03-21 19:55 --------- d-----w C:\Program Files\HP
2008-03-21 17:20 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-29 00:38 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-02-26 23:14 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-02-22 21:43 24,192 -c--a-w C:\Documents and Settings\admin\usbsermptxp.sys
2008-02-22 21:43 22,768 -c--a-w C:\Documents and Settings\admin\usbsermpt.sys
2007-02-21 09:22 87,608 -c--a-w C:\Documents and Settings\admin\Application Data\ezpinst.exe
2007-02-21 09:22 47,360 -c--a-w C:\Documents and Settings\admin\Application Data\pcouffin.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

------- Sigcheck -------

2006-04-20 05:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-04-02 12:53 360832 350f103d1f09bffc4be43fb09331c56e C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2007-09-13 00:51 360704 dd520bbed579a2afaf1bb6aff6091e2b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-02-12 10:20 361344 ad075303568ec3b139cec4c22baaecd1 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-05-15 01:52 361344 bdc5191066f57e154595cac22c3be199 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-05-15 01:52 361344 bdc5191066f57e154595cac22c3be199 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 14:59 15360]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-05-05 02:02 2334520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-02-12 10:06 262401]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\joablfqe]
joablfqe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"aux1"= ctwdm32.dll
"aux2"= ctwdm32.dll
"aux3"= ctwdm32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"Aim6"=
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
"BitComet"="C:\Program Files\BitComet\BitComet.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ZRebootSetup"=C:\PROGRA~1\USE6FD~1.ROB\US7F1C~1.ROB\Install\Setup.exe SetupRouter
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Downloads3\\Motorola Cable Modem Modification Kits\\ALL Motorola SurfBoard CableModem Firmwares\\cm\\software\\fibercoax\\QUERY.EXE"=
"D:\\Downloads3\\Cable Modem Modification Kit V8.1\\NetBoot.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"C:\\Downloads\\IP.Full.view.English\\IP full view.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\NetZeroVoice\\NZVoice.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:*:Disabled:@xpsp2res.dll,-22017
"10101:TCP"= 10101:TCP:*:Disabled:BitComet 10101 TCP
"10101:UDP"= 10101:UDP:*:Disabled:BitComet 10101 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 13:27]
R1 hwinterface;Sherman's Hardware Interface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2007-02-26 23:47]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-02-22 01:38]
S2 HDDlife HDD Access service;HDDlife HDD Access service;"C:\Program Files\Common Files\BinarySense\hldasvc.exe" [2008-02-15 14:17]
S3 AdWatchDrv;AW Realtime Driver;C:\WINDOWS\system32\drivers\AWRTPD.sys [2008-04-29 11:19]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 CQX;Susteen Virtual Serial Port Driver;C:\WINDOWS\system32\DRIVERS\CQX.SYS [2003-03-21 09:44]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\islp2nds.sys [2002-10-03 18:07]
S3 MDOIK;MDOIK;C:\DOCUME~1\admin\LOCALS~1\Temp\MDOIK.exe []
S3 MN710-51;Microsoft® Wireless USB 2.0 Adapter;C:\WINDOWS\system32\DRIVERS\MN710-51.sys [2004-01-07 17:04]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 14:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys []
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 14:18]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys []
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2008-01-29 18:24]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 19:12]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\admin\MYDOCU~1\WINAIR~1\PEEK5.SYS [2005-11-12 12:00]
S3 WMP11;Instant Wireless PCI Card Driver;C:\WINDOWS\system32\DRIVERS\WMP11NDS.sys []
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 05:44]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 05:44]
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2005-02-24 16:41]
S4 AntiVirMailService;Avira AntiVir Premium MailGuard;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe" [2008-05-17 11:18]
S4 antivirwebservice;Avira AntiVir Premium WebGuard;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE" [2008-04-09 15:57]
S4 AVEService;Avira AntiVir Premium MailGuard helper service;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe" [2008-02-07 10:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-05-20 23:55:03 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\HP\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 19:46:29
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.c7da917b\c7da917b.exe [384] 0x85DEEDA0

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\tmp31.tmp.c7da917b.tmp 249856 bytes executable
C:\WINDOWS\system32\.c7da917b

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\c7da917b]
"ImagePath"="C:\WINDOWS\system32\.c7da917b\c7da917b.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\.c7da917b\c7da917b.core.dll
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-05-20 19:54:50 - machine was rebooted [admin]
ComboFix-quarantined-files.txt 2008-05-21 02:54:21

Pre-Run: 22,410,829,824 bytes free
Post-Run: 22,322,515,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(2)partition(1)\WINDOWS="Windows XP/2003"
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

304 --- E O F --- 2008-05-14 06:02:45

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:05:51 PM

Posted 22 May 2008 - 03:37 PM

Hi

Please run Malwarebytes' Anti-Malware again & this time ....

* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.


Post the new log please ...

THEN...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\joablfqea.dll

Folder::
C:\WINDOWS\system32\.c7da917b

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\c7da917b]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\joablfqe]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Let me know how the computer is running ?

steam

Edited by steamwiz, 22 May 2008 - 03:38 PM.
to correct spelling

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#9 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:05:51 PM

Posted 26 June 2008 - 01:44 PM

Due to lack of feedback This thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users