Win32.monder.gen


This topic is locked
14 replies to this topic

#1 Momemeo

Posted 24 May 2008 - 07:34 PM

My internet is running like dial-up... the internet keeps being firewalled, and I ran a scan with Kaspersky and it can delete it. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:01 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILLA.ORG\SEAMON~1\SEAMON~1.EXE
C:\Hijack This\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.246.69.101:80
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\duqcv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,npwfggh.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\SYSTEM32\khfdbax.dll (file missing)
O2 - BHO: (no name) - {25635215-4CA7-4A89-B173-1E7418C48CD5} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {35147A36-6845-4E43-86D5-A594C32051CD} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [iykqw] C:\WINDOWS\system32\mlyxvb.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm172MHUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200004564421
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: khfdbax - khfdbax.dll (file missing)
O20 - Winlogon Notify: __c00F11 - C:\WINDOWS\
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6950 bytes

#2 Buckeye_Sam

Malware Expert



Posted 25 May 2008 - 08:56 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\duqcv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,npwfggh.exe
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\SYSTEM32\khfdbax.dll (file missing)
O2 - BHO: (no name) - {25635215-4CA7-4A89-B173-1E7418C48CD5} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {35147A36-6845-4E43-86D5-A594C32051CD} - C:\WINDOWS\system32\vturs.dll (file missing)
O4 - HKCU\..\Run: [iykqw] C:\WINDOWS\system32\mlyxvb.exe reg_run
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: khfdbax - khfdbax.dll (file missing)
O20 - Winlogon Notify: __c00F11 - C:\WINDOWS\
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

Reboot your computer.

Please go to this page and scroll down to step 6.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Follow the directions there to run DSS and then post those logs back here in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
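Added here as a worked example, not part of the thread or of HijackThis itself: a small rule-based triage that encodes why the entries listed above get singled out for Fix Checked (logon-path hooks in system.ini, components registered at logon whose files are gone, unnamed BHOs, an unowned service, a MIME filter with no CLSID, a Run entry starting an unfamiliar binary out of system32, and a proxy setting worth confirming). The sample lines are copied from the log posted in this thread; the rule set, the `KNOWN_SYSTEM32_RUN` allowlist and the reason strings are this example's own assumptions.

```python
"""Rule-based triage of HijackThis log entries (illustrative, not HijackThis' own logic)."""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted in this thread, benign and
# suspicious mixed; the rules below must flag only the latter.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.246.69.101:80",
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\duqcv.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,npwfggh.exe",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\SYSTEM32\khfdbax.dll (file missing)",
    r'O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [iykqw] C:\WINDOWS\system32\mlyxvb.exe reg_run",
    r"O18 - Filter hijack: text/html - (no CLSID) - (no file)",
    r"O20 - Winlogon Notify: khfdbax - khfdbax.dll (file missing)",
    "O20 - Winlogon Notify: __c00F11 - C:\\WINDOWS\\",  # plain literal: a raw string cannot end in a backslash
    r"O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe",
    r"O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)",
]

HJT_ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
# Assumed allowlist: Windows binaries legitimately started from a Run key out of system32.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def triage_line(line):
    """Return a Finding for a suspicious entry, None for a benign or unparsed one."""
    m = HJT_ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    reasons = []
    # A BHO, Winlogon Notify package or service still registered at logon whose
    # file is gone is the residue of an infection and keeps failing to load.
    if section in {"O2", "O20", "O23"} and "(file missing)" in body:
        reasons.append("registered component whose file is missing")
    # system.ini Shell= and UserInit= run at every logon; anything beyond the
    # stock values is a second program hooked into the logon path.
    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        shells = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
        if [s.lower() for s in shells] != ["explorer.exe"]:
            reasons.append("Shell= starts more than Explorer.exe: " + ", ".join(shells[1:]))
    if section == "F2" and body.startswith("REG:system.ini: UserInit="):
        chain = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
        extras = [p for p in chain if p.lower() != USERINIT_DEFAULT]
        if extras:
            reasons.append("UserInit= chains extra programs: " + ", ".join(extras))
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    if section == "O4":
        exe = re.search(r'\\system32\\([^\\\s"]+\.exe)', body, re.IGNORECASE)
        if exe and exe.group(1).lower() not in KNOWN_SYSTEM32_RUN:
            reasons.append("Run entry launches a non-standard binary from system32: " + exe.group(1))
    if section == "O18" and "(no CLSID)" in body:
        reasons.append("MIME filter registered without a CLSID")
    if section == "O20" and body.endswith("\\"):
        reasons.append("Winlogon Notify points at a directory, not a DLL")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no identifiable publisher")
    if section == "R1" and ",ProxyServer = " in body:
        proxy = body.split("ProxyServer = ", 1)[1].strip()
        reasons.append("all IE traffic goes through proxy " + proxy + "; confirm it is intended")
    return Finding(section, line, reasons) if reasons else None


def triage_log(lines):
    """Run every line through the rules and return the findings in log order."""
    return [f for f in (triage_line(l) for l in lines) if f]


def fix_list(lines):
    """The entries a helper would ask to have checked under 'Fix Checked'."""
    return [f.line for f in triage_log(lines)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("    ->", r)
```

The proxy rule is deliberately a "confirm" rather than a "remove": a ProxyServer entry is only a finding once it is known the user did not set it.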

#3 Momemeo

Posted 26 May 2008 - 06:06 PM

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 191.48 MiB / 60.05 MiB
Pagefile Memory (total/avail): 464.95 MiB / 260.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.67 MiB

C: is Fixed (NTFS) - 69.3 GiB total, 29.08 GiB free.
D: is Fixed (FAT32) - 5.25 GiB total, 0.76 GiB free.
E: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP0802N - 74.56 GiB - 2 partitions
\PARTITION0 - Unknown - 5.26 GiB - D:
\PARTITION1 (bootable) - Installable File System - 69.3 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: v (McAfee) Disabled
AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Enabled:BackWeb for Presario"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\Winamp\\winamp.exe"="C:\\Program Files\\Winamp\\winamp.exe:*:Enabled:Winamp"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Brother\\Brmfl04a\\rms2csv.exe"="C:\\Program Files\\Brother\\Brmfl04a\\rms2csv.exe:68.87.72.130/255.255.255.255,68.87.77.16/255.255.255.255,68.87.77.130/255.255.255.255,69.246.68.1/255.255.255.255,69.246.69.101/255.255.255.255,255.255.254.0/255.255.255.255:Enabled:Address Book Converter"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\kav\\kis\\setup.exe"="C:\\kav\\kis\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\CaReBr 1828.COWART\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COWART
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\CaReBr 1828.COWART
LOGONSERVER=\\COWART
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\PYTHON22;C:\PROGRAM FILES\PC-DOCTOR FOR WINDOWS\;C:\PROGRAM FILES\QUICKTIME\QTSYSTEM\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 28 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=1c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CAREBR~1.COW\LOCALS~1\Temp
TMP=C:\DOCUME~1\CAREBR~1.COW\LOCALS~1\Temp
USERDOMAIN=COWART
USERNAME=CaReBr 1828
USERPROFILE=C:\Documents and Settings\CaReBr 1828.COWART
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

CaReBr 1828.COWART (admin)
Administrator (admin)
Guest.COWART (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Agere Systems PCI Soft Modem --> agrsmdel
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ares 1.9.4 --> "C:\Program Files\Ares\uninstall.exe"
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
BearShare --> C:\PROGRA~1\BEARSH~2\UNWISE.EXE C:\PROGRA~1\BEARSH~2\INSTALL.LOG
Blasterball 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\Uninstall.exe"
Blasterball 2 Remix from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9D7E7CDA-051E-4B0D-8CEE-58F41F449CF9\Uninstall.exe"
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Desktop Doctor --> MsiExec.exe /I{D87149B3-7A1D-4548-9CBF-032B791E5908}
Digital Video Camera Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{255ADAEB-BC04-11D5-8467-0050BA1AEF73}\Setup.exe"
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Help and Support Additions --> C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Hijack This\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Firefox\uninstall\helper.exe
Norton Security Center --> MsiExec.exe /X{503AA035-41E2-4858-B31F-1E49AC66C309}
Overball from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe"
PC-Doctor for Windows --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA} /l1033
PhotoFiltre --> "C:\Program Files\PhotoFiltre\Uninst.exe"
PhotoScape --> "C:\Program Files\PhotoScape\uninstall.exe"
Polar Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Road Ready Streetwise from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\A2E85A38-C2D9-4EDF-AFDA-F76BCBFEBBC4\Uninstall.exe"
SeaMonkey (1.1.9) --> C:\WINDOWS\SeaMonkeyUninstall.exe /ua "1.1.9 (en)"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shrek 2 Ogre Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\BBCBAA5D-AC5A-4098-A53E-EC60A68F38F9\Uninstall.exe"
SiS VGA Utilities --> Rundll32 SiSInst.dll,Uninstall VGA,R,oem3.inf
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type9747 / Error
Event Submitted/Written: 05/24/2008 10:05:56 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application winamp.exe, version 5.5.0.1640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type9743 / Error
Event Submitted/Written: 05/24/2008 10:02:46 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application bearshare.exe, version 5.1.0.27, faulting module bearshare.exe, version 5.1.0.27, fault address 0x001ccd63.
Processing media-specific event for [bearshare.exe!ws!]

Event Record #/Type9644 / Warning
Event Submitted/Written: 05/24/2008 04:09:27 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type9642 / Error
Event Submitted/Written: 05/24/2008 04:08:24 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application cammanager.exe, version 1.0.0.0, faulting module avifil32.dll, version 5.1.2600.2180, fault address 0x00005d6a.
Processing media-specific event for [cammanager.exe!ws!]

Event Record #/Type9641 / Error
Event Submitted/Written: 05/24/2008 04:07:03 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application winamp.exe, version 5.5.0.1640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20754 / Error
Event Submitted/Written: 05/26/2008 07:03:24 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type20736 / Error
Event Submitted/Written: 05/26/2008 06:53:18 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The ASCTRM service failed to start due to the following error:
%%2

Event Record #/Type20735 / Error
Event Submitted/Written: 05/26/2008 06:53:18 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Plug and Play Device Manager service failed to start due to the following error:
%%2

Event Record #/Type20708 / Error
Event Submitted/Written: 05/26/2008 06:34:09 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The ASCTRM service failed to start due to the following error:
%%2

Event Record #/Type20707 / Error
Event Submitted/Written: 05/26/2008 06:34:09 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Plug and Play Device Manager service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-05-26 19:04:11 ------------

Deckard's System Scanner v20071014.68
Run by CaReBr 1828 on 2008-05-26 18:58:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-05-26 22:59:36 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-05-25 00:25:24 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as CaReBr 1828.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:56 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Documents and Settings\CaReBr 1828.COWART\Desktop\DSS.exe
C:\HIJACK~1\CaReBr 1828.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.246.69.101:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm172MHUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200004564421
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5989 bytes

-- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

backup-20080526-185032-152 O4 - HKCU\..\Run: [iykqw] C:\WINDOWS\system32\mlyxvb.exe reg_run
backup-20080526-185032-221 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\duqcv.exe
backup-20080526-185032-262 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080526-185032-512 O2 - BHO: (no name) - {25635215-4CA7-4A89-B173-1E7418C48CD5} - C:\WINDOWS\system32\ddabx.dll (file missing)
backup-20080526-185032-732 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,npwfggh.exe,
backup-20080526-185032-757 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080526-185032-908 O2 - BHO: (no name) - {35147A36-6845-4E43-86D5-A594C32051CD} - C:\WINDOWS\system32\vturs.dll (file missing)
backup-20080526-185032-957 O20 - Winlogon Notify: khfdbax - khfdbax.dll (file missing)
backup-20080526-185033-553 O20 - Winlogon Notify: __c00F11 - C:\WINDOWS\
backup-20080526-185033-619 O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
backup-20080526-185033-887 O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 $sys$cor - c:\windows\system32\drivers\$sys$cor.sys <Not Verified; First 4 Internet; Essential System Tools>
R1 $sys$crater - c:\windows\system32\$sys$filesystem\crater.sys <Not Verified; First 4 Internet; Essential System Tools>
R1 flpydiskk - c:\windows\system32\drivers\flpydiskk.sys

S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 CA500AI (SPCA500A Still Image Capture, Sunplus Version 1.00) - c:\windows\system32\drivers\bulkusb.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 CA500AV (Digital Video Camera(Video)) - c:\windows\system32\drivers\ca500av.sys <Not Verified; Sunplus Corporation; Sunplus® Windows ® Video Capture Driver>
S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys (file missing)
S3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys (file missing)
S3 pnicml - c:\docume~1\carebr~1.cow\locals~1\temp\pnicml.sys (file missing)
S3 smserial - c:\windows\system32\drivers\smserial.sys (file missing)
S3 TnIDriver - c:\docume~1\carebr~1.cow\locals~1\temp\tni6a.tmp (file missing)
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CD_Proxy (XCP CD Proxy) - c:\windows\cdproxyserv.exe <Not Verified; ; CdProxy Application>

S2 $sys$DRMServer (Plug and Play Device Manager) - c:\windows\system32\$sys$filesystem\$sys$drmserver.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-25 10:06:10 0 d-------- C:\Documents and Settings\Guest.COWART\Application Data\Malwarebytes
2008-05-24 21:51:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 20:55:12 0 d-------- C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Malwarebytes
2008-05-24 20:54:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 20:54:19 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-24 20:53:54 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-24 20:08:58 0 d-------- C:\Hijack This
2008-05-21 21:57:29 0 d-------- C:\Program Files\PhotoScape
2008-05-14 16:29:44 0 d-------- C:\Program Files\mozilla.org
2008-05-10 20:59:38 96645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-10 20:59:38 87941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-10 20:55:50 79136 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-10 20:55:50 3851040 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-10 20:55:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-10 20:55:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 20:43:17 0 d-------- C:\kav
2008-05-10 20:18:36 0 d-------- C:\Program Files\WildTangent
2008-05-10 20:14:49 0 d-------- C:\WINDOWS\setup500
2008-05-10 19:10:57 0 d-------- C:\cd83c39c07be82ed79622407051a
2008-05-09 20:06:38 0 d-------- C:\Program Files\Webroot
2008-05-04 10:52:14 8388608 --a------ C:\Documents and Settings\CaReBr 1828.COWART\ntuser.dat
2008-05-04 10:35:39 0 d-------- C:\Program Files\DVP
2008-05-04 10:35:37 69632 --a------ C:\WINDOWS\system32\Vfw500.dll <Not Verified; Sunplus Technology LTD.; VFW500>
2008-05-04 10:35:37 131072 --a------ C:\WINDOWS\system32\Sp5x_32.dll <Not Verified; Microsoft Corporation; Microsoft Windows>
2008-05-04 10:35:36 151820 --a------ C:\WINDOWS\system32\drivers\Ca500av.sys <Not Verified; Sunplus Corporation; Sunplus® Windows ® Video Capture Driver>
2008-05-04 10:35:36 10803 --a------ C:\WINDOWS\system32\drivers\BulkUsb.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
2008-04-29 22:58:28 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>


-- Find3M Report ---------------------------------------------------------------

2008-05-24 21:51:14 0 d-------- C:\Program Files\Common Files
2008-05-24 21:29:26 0 d--hs---- C:\Program Files\outlook
2008-05-24 15:44:37 0 d-------- C:\Program Files\??pPatch
2008-05-24 15:44:37 0 d-------- C:\Program Files\?dobe
2008-05-24 15:44:35 0 d-------- C:\Program Files\Common Files\misc001
2008-05-23 19:30:05 0 d-------- C:\Documents and Settings\CaReBr 1828.COWART\Application Data\AdobeUM
2008-05-21 20:18:51 12922 --a------ C:\Documents and Settings\CaReBr 1828.COWART\Application Data\wklnhst.dat
2008-05-14 16:31:17 118784 --a------ C:\WINDOWS\SeaMonkeyUninstall.exe
2008-05-14 16:31:16 16104 --a------ C:\WINDOWS\mozver.dat
2008-05-14 16:30:05 118784 --a------ C:\WINDOWS\GREUninstall.exe
2008-05-11 18:56:32 0 d-------- C:\Program Files\Firefox
2008-05-11 16:27:22 0 d-------- C:\Program Files\Movie Maker
2008-05-10 20:42:51 0 d-------- C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Move Networks
2008-05-10 20:19:57 0 d-------- C:\Program Files\DivX
2008-05-04 10:35:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-27 15:44:14 0 d-------- C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Apple Computer
2008-04-25 20:39:18 401137 --a------ C:\WINDOWS\system32\g53.exe
2008-04-08 06:45:12 345499 --ahs---- C:\WINDOWS\system32\xbadd.ini2
2008-03-21 15:01:40 53 --a------ C:\WINDOWS\DelToolbox.bat
2008-03-12 21:03:50 2362 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-01 16:48:13 250800 --ahs---- C:\WINDOWS\system32\srutv.ini2
2008-03-01 00:48:02 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-28 12:37:00 86016 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 02:11 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/10/2007 03:16 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddabx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net
10.18.250.4 banners.fastclick.net
10.18.250.4 ca.com
10.18.250.4 click.atdmt.com

62 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-26 19:04:11 ------------
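The DSS output above is the kind of log a helper reads for indicators rather than verdicts: names beginning with $sys$ (the cloaking prefix of the Sony BMG XCP copy-protection driver, which hides every file, registry key and process whose name starts that way), autostart entries whose file is already gone, a driver registered out of a user temp directory, a running driver with no vendor or version information, a folder listed as ?dobe because the scanner could not render a non-ASCII character in a name that imitates Adobe, a second executable on the Shell and UserInit lines, a DLL registered as an LSA authentication package (loaded into lsass.exe at boot, the persistence used by the Vundo family, for which VundoFix is already present in the file list), and hosts entries that send ad domains to a private 10.x address instead of 127.0.0.1 or 0.0.0.0 (whatever machine holds that address receives those requests). The script below is an added example, not code from this thread or from Deckard's System Scanner; its rule names and thresholds are my own, and the sample is a constructed excerpt of the log above with two benign lines added so the negative cases are exercised.

```python
"""Triage of a Deckard's System Scanner / HijackThis style log (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: lines copied (lightly trimmed) from the log posted above,
# plus two benign lines so the negative cases are exercised too.
SAMPLE_LOG = r"""
backup-20080526-185032-221 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\duqcv.exe
backup-20080526-185032-732 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,npwfggh.exe,
backup-20080526-185033-619 O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
R0 $sys$cor - c:\windows\system32\drivers\$sys$cor.sys <Not Verified; First 4 Internet; Essential System Tools>
R1 flpydiskk - c:\windows\system32\drivers\flpydiskk.sys
S3 pnicml - c:\docume~1\carebr~1.cow\locals~1\temp\pnicml.sys (file missing)
S3 CA500AV (Digital Video Camera(Video)) - c:\windows\system32\drivers\ca500av.sys <Not Verified; Sunplus Corporation; Sunplus Windows Video Capture Driver>
2008-05-24 15:44:37 0 d-------- C:\Program Files\?dobe
2008-05-24 15:44:37 0 d-------- C:\Program Files\Adobe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddabx.dll
10.18.250.4 ad.doubleclick.net
127.0.0.1 localhost
"""

# (rule name, pattern, why it matters). Names and thresholds are this example's own.
RULES = [
    ("sony-xcp-cloak", re.compile(r"\$sys\$"),
     "name starts with $sys$; the XCP driver hides such files, keys and processes"),
    ("file-missing-autostart", re.compile(r"\(file missing\)"),
     "autostart or driver entry whose binary is gone, or still hidden from the scanner"),
    ("driver-from-temp", re.compile(r"^[RS]\d\s.*\\(?:temp|tmp)\\", re.I),
     "kernel driver registered from a user temp directory"),
    ("driver-no-version-info", re.compile(r"^R\d\s\S+\s-\s\S+\.sys\s*$", re.I),
     "running driver listed without the <vendor; description> version block"),
    ("unrenderable-char", re.compile(r"[A-Za-z]:\\.*\?"),
     "'?' is not legal in a Windows path; it marks a non-ASCII look-alike folder name"),
    ("shell-hijack", re.compile(r"Shell=Explorer\.exe,\s*\S", re.I),
     "a second program is started alongside Explorer as the shell"),
    ("userinit-hijack", re.compile(r"UserInit=.*userinit\.exe,\s*\S", re.I),
     "extra executable appended to UserInit runs at every logon"),
    ("lsa-auth-package", re.compile(r'"Authentication Packages"=\s*msv1_0\s+\S'),
     "extra DLL registered as an LSA authentication package; loaded into lsass.exe"),
]
HOSTS_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")


def triage(log_text):
    """Return a list of (rule, reason, line) hits for every matching log line."""
    findings = []
    for line in log_text.splitlines():
        for name, pattern, why in RULES:
            if pattern.search(line):
                findings.append((name, why, line))
        m = HOSTS_LINE.match(line)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue
            # A blocking hosts file points at loopback or 0.0.0.0; anything else
            # hands requests for those names to a real host.
            if not ip.is_loopback and not ip.is_unspecified:
                findings.append(("hosts-nonloopback",
                                 "hosts entry redirects to a non-loopback address", line))
    return findings


def counts(findings):
    """Hits per rule, for a quick overview before reading the lines."""
    return Counter(name for name, _, _ in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rule, n in counts(hits).most_common():
        print(f"{rule:24} {n}")
    for rule, why, line in hits:
        print(f"[{rule}] {why}\n    {line}")
```

Every hit is a lead, not a verdict: a missing file can be the remnant of an earlier removal, and a driver without version information can simply be a small vendor's build. Run it over a full DSS or HijackThis log and review the hits grouped by rule.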

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 May 2008 - 01:33 PM

Please download this tool and run it.
http://cp.sonybmg.com/xcp/downloads/XCP2_Uninstaller.exe

Once you've run it, make sure to reboot your computer.



Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Momemeo

Momemeo
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Female
  • Location:East Lansing, MI

Posted 29 May 2008 - 04:17 PM

ComboFix 08-05-28.4 - CaReBr 1828 2008-05-29 16:15:55.2 - NTFSx86
Running from: C:\Documents and Settings\CaReBr 1828.COWART\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\ms0307915141962006.exe
C:\WINDOWS\system32\drivers\core.cache(10).dsk
C:\WINDOWS\system32\drivers\core.cache(11).dsk
C:\WINDOWS\system32\drivers\core.cache(12).dsk
C:\WINDOWS\system32\drivers\core.cache(13).dsk
C:\WINDOWS\system32\drivers\core.cache(14).dsk
C:\WINDOWS\system32\drivers\core.cache(15).dsk
C:\WINDOWS\system32\drivers\core.cache(16).dsk
C:\WINDOWS\system32\drivers\core.cache(17).dsk
C:\WINDOWS\system32\drivers\core.cache(18).dsk
C:\WINDOWS\system32\drivers\core.cache(19).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(20).dsk
C:\WINDOWS\system32\drivers\core.cache(21).dsk
C:\WINDOWS\system32\drivers\core.cache(22).dsk
C:\WINDOWS\system32\drivers\core.cache(23).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(8).dsk
C:\WINDOWS\system32\drivers\core.cache(9).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
C:\Documents and Settings\CaReBr 1828.COWART\Application Data\FNTS~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\ymante~1
C:\Program Files\dobe~1
C:\Program Files\dobe~1\DOBE~1\ctxad-459.0000
C:\Program Files\dobe~1\DOBE~1\ctxad-459.0001
C:\Program Files\dobe~1\DOBE~1\ctxad-459.0002
C:\Program Files\dobe~1\DOBE~1\ctxad-459.0003
C:\Program Files\dobe~1\DOBE~1\ctxad-459.0004
C:\Program Files\dobe~1\DOBE~1\ctxad-459.0005
C:\Program Files\outlook
C:\Program Files\ppatch~1
C:\Program Files\stem~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\BM77ec7ee9.xml
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\j?vaw.exe
C:\WINDOWS\curity~1
C:\WINDOWS\dobe~1
C:\WINDOWS\fnts~1
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\pppatc~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\stem~1
C:\WINDOWS\system32\acbdmdys.ini
C:\WINDOWS\system32\afeiqruj.ini
C:\WINDOWS\system32\agocyshp.ini
C:\WINDOWS\system32\avhvyavt.ini
C:\WINDOWS\system32\avwcqwhs.ini
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\c4\np89104.exe
C:\WINDOWS\system32\cepbalre.ini
C:\WINDOWS\system32\clnlwyjy.ini
C:\WINDOWS\system32\cngeacrs.ini
C:\WINDOWS\system32\colnvvlu.ini
C:\WINDOWS\system32\cvluerxi.ini
C:\WINDOWS\system32\durmhqgk.ini
C:\WINDOWS\system32\fpabbjyx.ini
C:\WINDOWS\system32\fxxdwwbd.ini
C:\WINDOWS\system32\hblmvkiq.ini
C:\WINDOWS\system32\jhjgokyq.ini
C:\WINDOWS\system32\jjfdquby.ini
C:\WINDOWS\system32\jjuapuyg.ini
C:\WINDOWS\system32\jmlcfidq.ini
C:\WINDOWS\system32\jsnfiyga.ini
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\k8\ravecom3.exe
C:\WINDOWS\system32\kxckhtkx.ini
C:\WINDOWS\system32\lerbnfih.ini
C:\WINDOWS\system32\lngjmcvt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mtpbodvu.ini
C:\WINDOWS\system32\mxrtcqrc.ini
C:\WINDOWS\system32\mykmyddx.ini
C:\WINDOWS\system32\n5
C:\WINDOWS\system32\n5\cadend1101.exe
C:\WINDOWS\system32\nuyopjlh.ini
C:\WINDOWS\system32\pfgyvvgk.ini
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\pppatc~1\?ppPatch\
C:\WINDOWS\system32\pppatc~1\spoolsv.exe
C:\WINDOWS\system32\qvlobfin.ini
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\rexklsmm.ini
C:\WINDOWS\system32\rgvspvfd.ini
C:\WINDOWS\system32\rohmmpag.ini
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\s7\gbsu011.exe
C:\WINDOWS\system32\sbgrxien.ini
C:\WINDOWS\system32\sqyclnbd.ini
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\takubyqr.ini
C:\WINDOWS\system32\tbrfqcxo.ini
C:\WINDOWS\system32\tfrpefdi.ini
C:\WINDOWS\system32\tsbdgaij.ini
C:\WINDOWS\system32\urldcvps.ini
C:\WINDOWS\system32\vmsdbepr.ini
C:\WINDOWS\system32\vphggogn.ini
C:\WINDOWS\system32\wddjwfdt.ini
C:\WINDOWS\system32\x3
C:\WINDOWS\system32\x3\philcom3.exe
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\xclxgoyw.ini
C:\WINDOWS\system32\xokocjmj.ini
C:\WINDOWS\system32\xtwbbtol.ini
C:\WINDOWS\system32\yfgawqwx.ini
C:\WINDOWS\system32\yslxrqei.ini
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\ystem~1\?ystem\
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 04:48 . 2008-05-29 04:48 <DIR> d-------- C:\TEMP\tn3
2008-05-26 18:58 . 2008-05-26 18:58 <DIR> d-------- C:\Deckard
2008-05-25 10:06 . 2008-05-25 10:06 <DIR> d-------- C:\Documents and Settings\Guest.COWART\Application Data\Malwarebytes
2008-05-24 21:51 . 2008-05-24 21:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 20:55 . 2008-05-24 20:55 <DIR> d-------- C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Malwarebytes
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 20:54 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-24 20:54 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-24 20:53 . 2008-05-24 20:53 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-24 20:08 . 2008-05-26 19:02 <DIR> d-------- C:\Hijack This
2008-05-21 21:57 . 2008-05-21 22:12 <DIR> d-------- C:\Program Files\PhotoScape
2008-05-14 16:29 . 2008-05-14 16:29 <DIR> d-------- C:\Program Files\mozilla.org
2008-05-10 20:59 . 2008-05-28 15:40 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-10 20:59 . 2008-05-29 15:30 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-10 20:55 . 2008-05-10 20:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-10 20:55 . 2008-05-29 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 20:55 . 2008-05-29 04:48 4,060,704 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-10 20:55 . 2008-05-29 04:48 92,960 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-10 20:55 . 2008-05-29 16:21 55,412 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-10 20:55 . 2008-05-29 16:21 9,716 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-10 20:43 . 2008-05-10 20:53 <DIR> d-------- C:\kav
2008-05-10 20:18 . 2008-05-10 20:18 <DIR> d-------- C:\Program Files\WildTangent
2008-05-10 20:14 . 2008-05-10 20:14 <DIR> d-------- C:\WINDOWS\setup500
2008-05-10 19:10 . 2008-05-10 20:18 <DIR> d-------- C:\cd83c39c07be82ed79622407051a
2008-05-09 20:06 . 2008-05-09 20:06 <DIR> d-------- C:\Program Files\Webroot
2008-05-04 10:35 . 2008-05-10 20:14 <DIR> d-------- C:\Program Files\DVP
2008-04-29 22:58 . 2008-04-29 22:58 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 08:47 932 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-28 19:43 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c00F186B.dat
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c00BF7F7.dat
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c009B956.dat
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c008772A.dat
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c0045680.dat
2008-05-23 23:30 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\AdobeUM
2008-05-22 00:18 12,922 ----a-w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\wklnhst.dat
2008-05-14 20:31 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2008-05-14 20:30 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-05-11 22:56 --------- d-----w C:\Program Files\Firefox
2008-05-11 00:42 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Move Networks
2008-05-11 00:19 --------- d-----w C:\Program Files\DivX
2008-05-04 14:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 19:44 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Apple Computer
2008-04-26 00:39 401,137 ----a-w C:\WINDOWS\system32\g53.exe
2008-04-08 01:49 1,834 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\wklnhst.dat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 01:03 2,362 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-03-01 04:48 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-31 22:11 3,187 ----a-w C:\Program Files\DEISL1.ISU
2006-04-08 01:46 50 ----a-w C:\Program Files\undoupd.bat
2005-06-19 15:02 0 ----a-w C:\Program Files\error.dat
2004-09-17 15:01 65,536 ----a-w C:\Program Files\cmdial32.dll
2002-07-26 22:02 153,088 ----a-w C:\Documents and Settings\All Users\UNWISE.EXE
1998-07-31 20:01 19,904 ----a-w C:\Program Files\_ISREG16.DLL
2007-07-09 23:32 56 --sh--r C:\WINDOWS\system32\2E3AAD982B.sys
2007-07-09 23:32 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 253,952 2004-10-15 04:54:32 C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
----a-w 253,952 2004-10-15 04:54:32 C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

----a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\bak\KBD.EXE
----a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\kbd.exe

----a-w 49,152 2004-05-25 13:16:56 C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe

----a-w 851,968 2004-07-20 13:34:28 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

----a-w 180,269 2005-01-28 18:44:07 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,632 2007-11-10 19:16:18 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 430,080 2005-10-21 15:40:26 C:\Program Files\Dell Photo AIO Printer 924\bak\dlccmon.exe
----a-w 430,080 2005-10-21 15:40:26 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

----a-w 32,881 2005-01-28 18:26:58 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
----a-w 32,881 2005-01-28 18:26:58 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

----a-w 98,304 2005-01-28 18:53:39 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-11-15 04:43:10 C:\Program Files\QuickTime\QTTask.exe

----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\Recguard.exe

----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\hpsysdrv.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-10 15:16 185632]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\Program Files\Brother\Brmfl04a\rms2csv.exe"= C:\Program Files\Brother\Brmfl04a\rms2csv.exe:68.87.72.130/255.255.255.255,68.87.77.16/255.255.255.255,68.87.77.130/255.255.255.255,69.246.68.1/255.255.255.255,69.246.69.101/255.255.255.255,255.255.254.0/255.255.255.255:Enabled:Address Book Converter
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 flpydiskk;flpydiskk;C:\WINDOWS\system32\drivers\flpydiskk.sys [2008-03-06 20:39]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;C:\WINDOWS\system32\Drivers\BULKUSB.sys [2000-10-23 19:04]
S3 CA500AV;Digital Video Camera(Video);C:\WINDOWS\system32\DRIVERS\CA500AV.SYS [2001-10-15 13:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 04:49:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
.
**************************************************************************
.
Completion time: 2008-05-29 5:12:18 - machine was rebooted [CaReBr 1828]
ComboFix-quarantined-files.txt 2008-05-29 09:12:10

Pre-Run: 31,446,020,096 bytes free
Post-Run: 31,430,365,184 bytes free

308 --- E O F --- 2008-05-27 23:01:24
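The Reg Loading Points section of the ComboFix log above records the post-infection state of the host firewall and Security Center: Windows Firewall is off for the standard profile (EnableFirewall = 0), TCP 3389 (Remote Desktop) sits in GloballyOpenPorts and is therefore reachable from any source address, Security Center monitoring is disabled for two products, two file-sharing clients hold firewall exceptions, and one MountPoints2 AutoRun command launches Info.exe through rundll32 Shell32.DLL,ShellExec_RunDLL rather than naming a program directly. None of these is malware on its own, but they are what a practitioner would want to put right once the removal is done. The audit below is an added example, not the helper's or ComboFix's code: the sample dump is a constructed copy of the keys above (the Brother, Kaspersky and iTunes entries trimmed), the P2P watchlist is my own, and the expansion of ComboFix's HKLM\~\services shorthand to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services is an assumption.

```python
"""Audit of firewall / Security Center settings in a ComboFix registry dump (added example)."""
import re

# Constructed sample: the relevant keys copied from the "Reg Loading Points"
# section above, with the Brother, Kaspersky and iTunes exceptions trimmed.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""

# Watchlist of file-sharing clients; an assumption of this example, not from the thread.
P2P_CLIENTS = {"bearshare.exe", "ares.exe", "limewire.exe", "kazaa.exe", "emule.exe"}


def parse_sections(text):
    """Return {key: [value lines]} for a REGEDIT4-style dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(dump_text):
    """Return (kind, key, detail) findings for weak or suspicious settings."""
    findings = []
    for key, values in parse_sections(dump_text).items():
        k = key.lower()
        if k.endswith(r"firewallpolicy\standardprofile"):
            for v in values:
                m = re.match(r'"EnableFirewall"\s*=\s*(\d+)', v)
                if m and m.group(1) == "0":
                    findings.append(("firewall-disabled", key, v))
        elif k.endswith(r"globallyopenports\list"):
            for v in values:
                m = re.match(r'"(\d+):(tcp|udp)"', v, re.I)
                if m:  # anything listed here is open from every source address
                    findings.append(("port-open-to-all", key,
                                     f"{m.group(1)}/{m.group(2).upper()}"))
        elif k.endswith(r"authorizedapplications\list"):
            for v in values:
                m = re.match(r'"([^"]+)"', v)
                if m:
                    path = m.group(1).replace("\\\\", "\\")  # dump doubles backslashes
                    if path.rsplit("\\", 1)[-1].lower() in P2P_CLIENTS:
                        findings.append(("p2p-client-exception", key, path))
        elif "security center\\monitoring\\" in k:
            for v in values:
                if re.match(r'"DisableMonitoring"\s*=\s*dword:0*1$', v, re.I):
                    findings.append(("security-center-monitoring-off", key,
                                     key.rsplit("\\", 1)[-1]))
        elif "\\mountpoints2\\" in k:
            for v in values:
                m = re.search(r"autorun\\command\s*-\s*(.+)$", v, re.I)
                # A launch through rundll32/ShellExec_RunDLL hides the real target file.
                if m and re.search(r"rundll32|shellexec_rundll", m.group(1), re.I):
                    findings.append(("autorun-indirect-launch", key, m.group(1)))
    return findings


def expand_key(key):
    # Assumption: ComboFix writes HKLM\~\services for HKLM\SYSTEM\CurrentControlSet\Services.
    return re.sub(r"^HKLM\\~\\services",
                  r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services", key, flags=re.I)


def remediation_reg(findings):
    """Emit a REGEDIT4 fragment that reverses the settings-level findings only."""
    out = ["REGEDIT4", ""]
    for kind, key, detail in findings:
        if kind == "firewall-disabled":
            out += [f"[{expand_key(key)}]", '"EnableFirewall"=dword:00000001', ""]
        elif kind == "port-open-to-all":
            port, proto = detail.split("/")
            out += [f"[{expand_key(key)}]", f'"{port}:{proto}"=-', ""]  # "=-" deletes the value
        elif kind == "security-center-monitoring-off":
            out += [f"[{expand_key(key)}]", '"DisableMonitoring"=dword:00000000', ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = audit(SAMPLE_DUMP)
    for kind, key, detail in found:
        print(f"[{kind}] {detail}\n    {key}")
    print(remediation_reg(found))
```

The .reg fragment only reverses the settings-level findings; the AutoRun entry and the P2P exceptions are listed for the analyst to act on. Dropping the 3389:TCP exception closes the firewall to RDP but leaves the Terminal Services listener running; if remote access is not wanted, also set fDenyTSConnections to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.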

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 May 2008 - 02:09 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
flpydiskk

File::
C:\WINDOWS\system32\drivers\flpydiskk.sys
C:\WINDOWS\system32\g53.exe
C:\WINDOWS\system32\drivers\core.cache.dsk

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



======================



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

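The CFScript above removes flpydiskk.sys, a driver whose name is one character away from flpydisk.sys (the stock floppy driver) and which the DSS listing showed starting at boot (R1) with no vendor or version information. Look-alike names are cheap to catch mechanically: compare each file name from a process, driver or file listing against a table of genuine Windows binaries, then flag exact matches that live in the wrong directory and near-matches (small edit distance) that are not in the table at all. The script below is an added example, not part of this thread or of ComboFix: KNOWN is a hand-picked subset of XP binaries and their expected directories, the distance threshold and minimum length are my own choices, and the input list is constructed, mixing paths that appear in this thread's logs with invented ones. It says nothing about g53.exe, which the helper removes on other evidence (an unknown executable in system32 listed without vendor information), so name checks complement the other signals rather than replace them.

```python
"""Look-alike and misplaced system binary names (added example)."""

# Hand-picked subset of Windows XP system binaries with the directory each is
# expected to live in. An assumption of this example; extend it for real use.
KNOWN = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "flpydisk.sys": r"c:\windows\system32\drivers",
}

# Constructed input: paths seen in this thread's logs mixed with invented ones.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\drivers\flpydiskk.sys",
    r"C:\WINDOWS\system32\g53.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\WINDOWS\system32\pppatc~1\spoolsv.exe",
    r"C:\WINDOWS\system32\spoolvs.exe",
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
]

MAX_DISTANCE = 2  # plain Levenshtein counts a transposition as two edits
MIN_LENGTH = 8    # skip very short names, where a distance of 2 means little


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path):
    """Lower-cased (directory, file name) for a Windows path; no os.path so it runs anywhere."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def check_names(paths):
    """Return (kind, path, reference) for misplaced or look-alike names."""
    findings = []
    for path in paths:
        directory, name = split_path(path)
        if name in KNOWN:
            # Genuine name: the only question is whether it sits where it should.
            if directory != KNOWN[name]:
                findings.append(("misplaced", path, KNOWN[name]))
            continue
        if len(name) < MIN_LENGTH:
            continue
        nearest = min(KNOWN, key=lambda k: levenshtein(name, k))
        if levenshtein(name, nearest) <= MAX_DISTANCE:
            findings.append(("lookalike", path, nearest))
    return findings


if __name__ == "__main__":
    for kind, path, ref in check_names(SAMPLE_PATHS):
        print(f"[{kind}] {path}  (expected/imitates: {ref})")
```

With a larger KNOWN table the false-positive rate of distance 2 grows; lower MAX_DISTANCE to 1, or switch to Damerau-Levenshtein so a transposition such as spoolvs/spoolsv still counts as one edit.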


========================================================

#7 Momemeo

Momemeo
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Female
  • Location:East Lansing, MI

Posted 01 June 2008 - 08:46 PM

ComboFix 08-05-28.4 - CaReBr 1828 2008-06-01 9:05:49.3 - NTFSx86
Running from: C:\Documents and Settings\CaReBr 1828.COWART\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CaReBr 1828.COWART\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\flpydiskk.sys
C:\WINDOWS\system32\g53.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\flpydiskk.sys
C:\WINDOWS\system32\g53.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FLPYDISKK
-------\Service_flpydiskk


((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 09:23 . 2005-10-05 06:15 9,728 --a------ C:\WINDOWS\system32\spoolvs.exe
2008-06-01 09:23 . 2005-10-05 06:22 9,728 --a------ C:\WINDOWS\shell.exe
2008-06-01 09:19 . 2008-06-01 09:19 <DIR> d--hs---- C:\found.005
2008-05-26 18:58 . 2008-05-26 18:58 <DIR> d-------- C:\Deckard
2008-05-25 10:06 . 2008-05-25 10:06 <DIR> d-------- C:\Documents and Settings\Guest.COWART\Application Data\Malwarebytes
2008-05-24 21:51 . 2008-05-24 21:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 20:55 . 2008-05-24 20:55 <DIR> d-------- C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Malwarebytes
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 20:53 . 2008-05-24 20:53 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-24 20:08 . 2008-05-26 19:02 <DIR> d-------- C:\Hijack This
2008-05-21 21:57 . 2008-05-21 22:12 <DIR> d-------- C:\Program Files\PhotoScape
2008-05-14 16:29 . 2008-05-14 16:29 <DIR> d-------- C:\Program Files\mozilla.org
2008-05-10 20:59 . 2008-05-28 15:40 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-10 20:59 . 2008-05-29 15:30 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-10 20:55 . 2008-05-10 20:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-10 20:55 . 2008-06-01 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 20:55 . 2008-06-01 09:27 4,266,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-10 20:55 . 2008-06-01 09:21 101,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-10 20:55 . 2008-06-01 09:12 58,172 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-10 20:55 . 2008-06-01 09:12 10,556 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-10 20:43 . 2008-05-10 20:53 <DIR> d-------- C:\kav
2008-05-10 20:18 . 2008-05-10 20:18 <DIR> d-------- C:\Program Files\WildTangent
2008-05-10 20:14 . 2008-05-10 20:14 <DIR> d-------- C:\WINDOWS\setup500
2008-05-10 19:10 . 2008-05-10 20:18 <DIR> d-------- C:\cd83c39c07be82ed79622407051a
2008-05-09 20:06 . 2008-05-09 20:06 <DIR> d-------- C:\Program Files\Webroot
2008-05-05 16:51 . 2005-10-05 06:15 9,728 --a------ C:\WINDOWS\system32\printer.exe
2008-05-04 10:35 . 2008-05-10 20:14 <DIR> d-------- C:\Program Files\DVP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 19:43 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c00F186B.dat
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c00BF7F7.dat
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c009B956.dat
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c008772A.dat
2008-05-25 02:47 31,808 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\__c0045680.dat
2008-05-23 23:30 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\AdobeUM
2008-05-22 00:18 12,922 ----a-w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\wklnhst.dat
2008-05-14 20:31 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2008-05-14 20:30 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-05-11 22:56 --------- d-----w C:\Program Files\Firefox
2008-05-11 00:42 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Move Networks
2008-05-11 00:19 --------- d-----w C:\Program Files\DivX
2008-05-04 14:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 02:58 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-27 19:44 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Apple Computer
2008-04-08 01:49 1,834 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\wklnhst.dat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 01:03 2,362 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-03-01 04:48 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2007-12-31 22:11 3,187 ----a-w C:\Program Files\DEISL1.ISU
2006-04-08 01:46 50 ----a-w C:\Program Files\undoupd.bat
2005-06-19 15:02 0 ----a-w C:\Program Files\error.dat
2004-09-17 15:01 65,536 ----a-w C:\Program Files\cmdial32.dll
2002-07-26 22:02 153,088 ----a-w C:\Documents and Settings\All Users\UNWISE.EXE
1998-07-31 20:01 19,904 ----a-w C:\Program Files\_ISREG16.DLL
2007-07-09 23:32 56 --sh--r C:\WINDOWS\system32\2E3AAD982B.sys
2007-07-09 23:32 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_ 5.03.52.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 08:47:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 13:21:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 253,952 2004-10-15 04:54:32 C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
----a-w 253,952 2004-10-15 04:54:32 C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

----a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\bak\KBD.EXE
----a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\kbd.exe

----a-w 49,152 2004-05-25 13:16:56 C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe

----a-w 851,968 2004-07-20 13:34:28 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

----a-w 180,269 2005-01-28 18:44:07 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,632 2007-11-10 19:16:18 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 430,080 2005-10-21 15:40:26 C:\Program Files\Dell Photo AIO Printer 924\bak\dlccmon.exe
----a-w 430,080 2005-10-21 15:40:26 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

----a-w 32,881 2005-01-28 18:26:58 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
----a-w 32,881 2005-01-28 18:26:58 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

----a-w 98,304 2005-01-28 18:53:39 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-11-15 04:43:10 C:\Program Files\QuickTime\QTTask.exe

----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\Recguard.exe

----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\hpsysdrv.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" [2005-10-05 10:11 9728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-10 15:16 185632]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]
"Printer"="C:\WINDOWS\system32\printer.exe" [2005-10-05 10:11 9728]

C:\Documents and Settings\CaReBr 1828.COWART\Start Menu\Programs\Startup\
findfast.exe [2005-10-05 10:18:55 9728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
autorun.exe [2005-09-07 23:06:46 9728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\Program Files\Brother\Brmfl04a\rms2csv.exe"= C:\Program Files\Brother\Brmfl04a\rms2csv.exe:68.87.72.130/255.255.255.255,68.87.77.16/255.255.255.255,68.87.77.130/255.255.255.255,69.246.68.1/255.255.255.255,69.246.69.101/255.255.255.255,255.255.254.0/255.255.255.255:Enabled:Address Book Converter
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"=
"C:\\WINDOWS\\system32\\printer.exe"=
"C:\\WINDOWS\\system32\\spoolvs.exe"=
"C:\\WINDOWS\\shell.exe"=
"C:\\Documents and Settings\\CaReBr 1828.COWART\\Start Menu\\Programs\\Startup\\findfast.exe"=
"%windir%\\system32\\winav.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;C:\WINDOWS\system32\Drivers\BULKUSB.sys [2000-10-23 19:04]
S3 CA500AV;Digital Video Camera(Video);C:\WINDOWS\system32\DRIVERS\CA500AV.SYS [2001-10-15 13:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 09:23:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\spoolvs.exe 9728 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mcrupdate.exe
C:\Documents and Settings\CaReBr 1828.COWART\Application Data\mcrupdate.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Microsoft Works\WksDict.exe
.
**************************************************************************
.
Completion time: 2008-06-01 9:42:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 13:42:42
ComboFix2.txt 2008-05-29 09:12:20

Pre-Run: 31,353,344,000 bytes free
Post-Run: 31,375,331,328 bytes free

215 --- E O F --- 2008-05-27 23:01:24
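The Reg Loading Points block of the log above is where the infection shows its hand: the Winlogon Shell value padded with a second executable, a fifth DLL appended to SecurityProviders (a list lsass.exe loads at boot), a Run value whose file name is a letter-shuffle of spoolsv.exe, policies that lock out Task Manager and regedit, Security Center monitoring and the Windows Firewall switched off, and firewall exceptions for the very same binaries that were planted as autostarts. The following is an added example for this thread, not code from ComboFix, SDFix or any of the posts: it parses a ComboFix-style Reg Loading Points section and flags those indicators. The sample input is a trimmed copy of the log above; the assumed XP SP2 baseline for SecurityProviders and the path heuristics are the example's own assumptions.

```python
# Added example for this thread; not code from ComboFix, SDFix or any of the posts.
# The baseline provider list and the path heuristics are this example's own assumptions.
import re

# Constructed sample: a trimmed copy of the Reg Loading Points section posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" [2005-10-05 10:11 9728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\shell.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spoolvs.exe"=
"C:\\WINDOWS\\shell.exe"=
"C:\\Documents and Settings\\CaReBr 1828.COWART\\Start Menu\\Programs\\Startup\\findfast.exe"=
"""

# Assumed XP SP2 default; any DLL beyond these four is loaded by lsass.exe at boot.
BASELINE_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
ODD_PATH_MARKERS = ("\\start menu\\programs\\startup\\", "\\application data\\")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def _norm(path):
    # Lower-case a path and collapse the doubled backslashes of REGEDIT4 output.
    return path.replace("\\\\", "\\").strip().lower()


def _exe_path(data):
    # Strip the quotes and the trailing "[date size]" that ComboFix appends.
    m = re.match(r'^"([^"]+)"', data)
    return m.group(1) if m else data.strip()


def _as_int(data):
    # "1 (0x1)" or "dword:00000001" -> 1; anything else -> None.
    m = re.search(r"(?:0x|dword:)([0-9a-fA-F]+)", data)
    return int(m.group(1), 16) if m else None


def parse_loading_points(text):
    """Map each lower-cased registry key to its list of (name, data) pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key, value = KEY_RE.match(line), VALUE_RE.match(line)
        if key:
            current = key.group("key").lower()
            sections.setdefault(current, [])
        elif current and value:
            sections[current].append((value.group("name"), value.group("data").strip()))
        elif current and line.lower().startswith("securityproviders "):
            sections[current].append(("SecurityProviders", line.split(" ", 1)[1]))  # printed unquoted
    return sections


def triage(text):
    """Return (indicator, detail) pairs for the hijacks visible in the log."""
    sections = parse_loading_points(text)
    findings, autostarts = [], set()
    for key, values in sections.items():
        if key.endswith("\\currentversion\\run"):
            for name, data in values:
                path = _exe_path(data)
                autostarts.add(_norm(path))
                base = _norm(path).rsplit("\\", 1)[-1]
                # spoolvs.exe vs spoolsv.exe: same letters, different file
                for real in SYSTEM_BINARIES:
                    if base != real and sorted(base) == sorted(real):
                        findings.append(("run_key_lookalike", f"{name} -> {path} (mimics {real})"))
        elif key.endswith("\\winlogon"):
            findings += [("winlogon_shell_hijack", _exe_path(d)) for n, d in values
                         if n.lower() == "shell" and _norm(_exe_path(d)) != "explorer.exe"]
        elif key.endswith("\\control\\securityproviders"):
            dlls = {d.strip().lower() for _, data in values for d in data.split(",")}
            findings += [("securityproviders_extra_dll", d) for d in sorted(dlls - BASELINE_PROVIDERS)]
        elif "\\policies\\" in key:
            findings += [("admin_tool_lockout", n) for n, d in values if _as_int(d) == 1
                         and n.lower() in {"disableregistrytools", "disabletaskmgr", "nocontrolpanel"}]
        elif "\\security center\\monitoring\\" in key:
            findings += [("security_center_monitoring_disabled", key.rsplit("\\", 1)[-1])
                         for n, d in values if n.lower() == "disablemonitoring" and _as_int(d) == 1]
        elif key.endswith("\\firewallpolicy\\standardprofile"):
            findings += [("firewall_disabled", "standardprofile")
                         for n, d in values if n.lower() == "enablefirewall" and _as_int(d) == 0]
        elif key.endswith("\\authorizedapplications\\list"):
            for name, _ in values:
                p = _norm(name)
                # Heuristic: exceptions for Startup/Application Data binaries or loose files in C:\WINDOWS
                if any(mk in p for mk in ODD_PATH_MARKERS) or re.match(r"^c:\\windows\\[^\\]+\.exe$", p):
                    findings.append(("firewall_exception_odd_location", name))
    # Strongest single signal: a Run-key binary that also holds its own firewall exception.
    for key, values in sections.items():
        if key.endswith("\\authorizedapplications\\list"):
            findings += [("autostart_with_firewall_exception", n) for n, _ in values if _norm(n) in autostarts]
    return findings
```

Call `triage()` on the Reg Loading Points block of any ComboFix log; `ctfmon.exe` and the `sessmgr.exe` exception are left in the sample as negative controls, since both are legitimate Windows entries and must not be flagged. The 6 June log later in this thread no longer shows the Shell, SecurityProviders or policy values, which is what the SDFix "Restoring Windows Registry Values" step is for; the stale firewall exceptions for the deleted binaries, however, are still listed in SDFix's key export and have to be cleaned up separately.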

#8 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 02 June 2008 - 08:45 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the fix tool will run again and complete the removal process, then display "Finished"; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also be saved in the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum along with a new ComboFix log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Momemeo
  • Topic Starter
  • Members
  • 13 posts
  • Gender: Female
  • Location: East Lansing, MI

Posted 02 June 2008 - 06:04 PM

My computer is saying that I'm not the Administrator; should I still continue with this process?

#10 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 03 June 2008 - 11:38 AM

Make sure when you enter safe mode, choose the Administrator account to log into. Then run it.


========================================================

#11 Momemeo
  • Topic Starter
  • Members
  • 13 posts
  • Gender: Female
  • Location: East Lansing, MI

Posted 06 June 2008 - 04:05 PM

ComboFix 08-05-28.4 - CaReBr 1828 2008-06-06 16:32:56.4 - NTFSx86
Running from: C:\Documents and Settings\CaReBr 1828.COWART\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\ultra
C:\Documents and Settings\Administrator\Application Data\ultra\uninstall.bat
C:\Documents and Settings\Guest.COWART\Application Data\pcpriv.exe
C:\Documents and Settings\Guest.COWART\Application Data\ultra
C:\Program Files\syscmd
C:\Program Files\syscmd\mscmp.inf
C:\Program Files\syscmd\uninstall.bat

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-05 17:51 . 2008-06-05 17:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-05 17:48 . 2008-06-05 18:18 <DIR> d-------- C:\SDFix
2008-06-03 18:00 . 2008-06-03 18:00 <DIR> d-------- C:\Documents and Settings\CaReBr 1828.COWART\Application Data\InterVideo
2008-06-02 06:38 . 2005-10-01 17:08 98,701 --a------ C:\Documents and Settings\Administrator\Application Data\sysdefender.exe
2008-06-01 09:19 . 2008-06-01 09:19 <DIR> d--hs---- C:\found.005
2008-05-26 18:58 . 2008-05-26 18:58 <DIR> d-------- C:\Deckard
2008-05-25 10:06 . 2008-05-25 10:06 <DIR> d-------- C:\Documents and Settings\Guest.COWART\Application Data\Malwarebytes
2008-05-24 21:51 . 2008-05-24 21:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 20:55 . 2008-05-24 20:55 <DIR> d-------- C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Malwarebytes
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 20:53 . 2008-05-24 20:53 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-24 20:08 . 2008-05-26 19:02 <DIR> d-------- C:\Hijack This
2008-05-21 21:57 . 2008-05-21 22:12 <DIR> d-------- C:\Program Files\PhotoScape
2008-05-14 16:29 . 2008-05-14 16:29 <DIR> d-------- C:\Program Files\mozilla.org
2008-05-10 20:59 . 2008-05-28 15:40 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-10 20:59 . 2008-05-29 15:30 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-10 20:55 . 2008-05-10 20:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-10 20:55 . 2008-06-06 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 20:55 . 2008-06-06 16:41 4,578,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-10 20:55 . 2008-06-06 16:41 118,048 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-10 20:55 . 2008-06-05 18:26 61,676 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-10 20:55 . 2008-06-05 18:26 11,924 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-10 20:43 . 2008-05-10 20:53 <DIR> d-------- C:\kav
2008-05-10 20:18 . 2008-05-10 20:18 <DIR> d-------- C:\Program Files\WildTangent
2008-05-10 20:14 . 2008-05-10 20:14 <DIR> d-------- C:\WINDOWS\setup500
2008-05-10 19:10 . 2008-05-10 20:18 <DIR> d-------- C:\cd83c39c07be82ed79622407051a
2008-05-09 20:06 . 2008-05-09 20:06 <DIR> d-------- C:\Program Files\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 21:40 2,116 ----a-w C:\Documents and Settings\Guest.COWART\Application Data\wklnhst.dat
2008-06-02 23:31 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-01 15:00 13,080 ----a-w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\wklnhst.dat
2008-05-28 19:43 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-23 23:30 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\AdobeUM
2008-05-14 20:31 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2008-05-14 20:30 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-05-11 22:56 --------- d-----w C:\Program Files\Firefox
2008-05-11 00:42 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Move Networks
2008-05-11 00:19 --------- d-----w C:\Program Files\DivX
2008-05-11 00:14 --------- d-----w C:\Program Files\DVP
2008-05-04 14:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 02:58 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-27 19:44 --------- d-----w C:\Documents and Settings\CaReBr 1828.COWART\Application Data\Apple Computer
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 01:03 2,362 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-31 22:11 3,187 ----a-w C:\Program Files\DEISL1.ISU
2006-04-08 01:46 50 ----a-w C:\Program Files\undoupd.bat
2005-06-19 15:02 0 ----a-w C:\Program Files\error.dat
2004-09-17 15:01 65,536 ----a-w C:\Program Files\cmdial32.dll
2002-07-26 22:02 153,088 ----a-w C:\Documents and Settings\All Users\UNWISE.EXE
1998-07-31 20:01 19,904 ----a-w C:\Program Files\_ISREG16.DLL
2007-07-09 23:32 56 --sh--r C:\WINDOWS\system32\2E3AAD982B.sys
2007-07-09 23:32 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_ 5.03.52.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 08:47:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 20:15:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 14:42:39 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-05 21:51:50 8,323,072 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-06-05 21:51:50 86,016 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-05 14:42:39 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-05 21:51:47 8,323,072 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-06-05 21:51:47 86,016 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-05-29 20:07:59 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-03 19:55:06 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-29 20:07:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-03 19:55:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-29 20:07:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-03 19:55:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 253,952 2004-10-15 04:54:32 C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
----a-w 253,952 2004-10-15 04:54:32 C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

----a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\bak\KBD.EXE
----a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\kbd.exe

----a-w 49,152 2004-05-25 13:16:56 C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe

----a-w 851,968 2004-07-20 13:34:28 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

----a-w 180,269 2005-01-28 18:44:07 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,632 2007-11-10 19:16:18 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 430,080 2005-10-21 15:40:26 C:\Program Files\Dell Photo AIO Printer 924\bak\dlccmon.exe
----a-w 430,080 2005-10-21 15:40:26 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

----a-w 32,881 2005-01-28 18:26:58 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
----a-w 32,881 2005-01-28 18:26:58 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

----a-w 98,304 2005-01-28 18:53:39 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-11-15 04:43:10 C:\Program Files\QuickTime\QTTask.exe

----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\Recguard.exe

----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\hpsysdrv.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-10 15:16 185632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\Program Files\Brother\Brmfl04a\rms2csv.exe"= C:\Program Files\Brother\Brmfl04a\rms2csv.exe:68.87.72.130/255.255.255.255,68.87.77.16/255.255.255.255,68.87.77.130/255.255.255.255,69.246.68.1/255.255.255.255,69.246.69.101/255.255.255.255,255.255.254.0/255.255.255.255:Enabled:Address Book Converter
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;C:\WINDOWS\system32\Drivers\BULKUSB.sys [2000-10-23 19:04]
S3 CA500AV;Digital Video Camera(Video);C:\WINDOWS\system32\DRIVERS\CA500AV.SYS [2001-10-15 13:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 16:42:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-06 16:49:04
ComboFix-quarantined-files.txt 2008-06-06 20:48:59
ComboFix2.txt 2008-06-01 13:42:53
ComboFix3.txt 2008-05-29 09:12:20

Pre-Run: 31,296,430,080 bytes free
Post-Run: 31,345,766,400 bytes free

170 --- E O F --- 2008-05-27 23:01:24

SDFix: Version 1.188
Run by CaReBr 1828 on Thu 06/05/2008 at 05:55 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\FINDFAST.EXE - Deleted
C:\DOCUME~1\GUEST~1.COW\STARTM~1\PROGRAMS\STARTUP\FINDFAST.EXE - Deleted
C:\Documents and Settings\CaReBr 1828.COWART\Application Data\ultra\uninstall.bat - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\CaReBr 1828.COWART\Application Data\sysdefender.exe - Deleted
C:\WINDOWS\inf\ultra.inf - Deleted
C:\WINDOWS\shell.exe - Deleted
C:\WINDOWS\system32\mcrupdate.exe - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\spoolvs.exe - Deleted
C:\WINDOWS\system32\xlibgfl254.dll - Deleted



Folder C:\Documents and Settings\CaReBr 1828.COWART\Application Data\ultra - Removed
Folder C:\Program Files\SystemDefender - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 18:14:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\Winamp\\winamp.exe"="C:\\Program Files\\Winamp\\winamp.exe:*:Enabled:Winamp"
"C:\\Program Files\\Brother\\Brmfl04a\\rms2csv.exe"="C:\\Program Files\\Brother\\Brmfl04a\\rms2csv.exe:68.87.72.130/255.255.255.255,68.87.77.16/255.255.255.255,68.87.77.130/255.255.255.255,69.246.68.1/255.255.255.255,69.246.69.101/255.255.255.255,255.255.254.0/255.255.255.255:Enabled:Address Book Converter"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\kav\\kis\\setup.exe"="C:\\kav\\kis\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\CaReBr 1828.COWART\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\CaReBr 1828.COWART\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\CaReBr 1828.COWART\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\CaReBr 1828.COWART\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\CaReBr 1828.COWART\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\CaReBr 1828.COWART\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\CaReBr 1828.COWART\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\CaReBr 1828.COWART\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\CaReBr 1828.COWART\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\CaReBr 1828.COWART\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\CaReBr 1828.COWART\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\CaReBr 1828.COWART\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 12 Jun 2007 213 A.SHR --- "C:\BOOT.BAK"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 9 Jul 2007 56 ..SHR --- "C:\WINDOWS\system32\2E3AAD982B.sys"
Mon 9 Jul 2007 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 25 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 6 Nov 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Mon 1 Jan 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Mon 10 Oct 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Mon 5 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 9 Jul 2007 7,423,960 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\02ec37ec946ef377971d8300cdcd818f\BIT94.tmp"
Tue 10 Jul 2007 2,388,288 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0b8f54b7625d6446acebabe800ef0126\BITB0.tmp"
Tue 10 Jul 2007 791,888 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3e61eb2bda5dda528a8686f8905497f\BITC3.tmp"
Tue 26 Jun 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d3226ed0a8904ae940c1794b1cd8b325\BIT69.tmp"
Tue 6 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT6.tmp"
Mon 5 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT89.tmp"
Wed 28 Feb 2007 0 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\3hd24hbw.TMP"
Thu 25 Jan 2007 0 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\b1n4o4wk.TMP"
Fri 26 Jan 2007 0 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\n3km8j8q.TMP"
Mon 11 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!
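
A triage pass over a dump like the one above, written here as an added example that is not part of the thread or of SDFix: it parses the authorizedapplications\list lines, unescapes the paths and flags every enabled exception that runs from a user-writable profile location, that borrows the @xpsp2res.dll resource-string display name which in this dump only the built-in sessmgr.exe entry carries legitimately (an assumption, encoded as an allowlist), or whose file name is one edit away from a Windows binary, the way spoolvs.exe shadows spoolsv.exe. The sample dump is constructed from a few of the lines above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the SDFix "authorizedapplications\list"
# dump above: two entries Windows/iTunes registered themselves, plus three of
# the kind the cleanup removed.
SAMPLE_DUMP = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
'''

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')

# Locations an unprivileged user (or anything running as that user) can write to.
USER_WRITABLE = ("\\application data\\", "\\start menu\\programs\\startup\\",
                 "\\local settings\\", "\\temp\\")
# Assumption: in this XP SP2 list only sessmgr.exe is registered by Windows with a
# "@xpsp2res.dll,-NNNNN" resource-string display name; anything else borrowing
# such a name is treated as suspicious.
RESOURCE_NAME_ALLOWLIST = {"sessmgr.exe"}
# Built-in binaries whose names malware likes to imitate.
SYSTEM_BINARIES = ("spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_entries(dump: str) -> List[Dict[str, str]]:
    """Turn "path"="path:scope:state:name" lines into dicts; skip anything else."""
    entries = []
    for raw in dump.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        value = m.group("value").replace("\\\\", "\\")   # undo .reg-style escaping
        parts = value.rsplit(":", 3)                      # the path itself contains "C:"
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        entries.append({"path": path, "scope": scope, "state": state, "name": name})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every enabled exception that trips a heuristic."""
    findings = []
    for e in entries:
        path_l = e["path"].lower()
        exe = path_l.rsplit("\\", 1)[-1]
        reasons = []
        if any(marker in path_l for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable profile location")
        if e["name"].startswith("@") and exe not in RESOURCE_NAME_ALLOWLIST:
            reasons.append(f"borrows the resource-string display name {e['name']}")
        for legit in SYSTEM_BINARIES:
            if exe != legit and osa_distance(exe, legit) == 1:
                reasons.append(f"name is one edit away from system binary {legit}")
        if reasons and e["state"].lower() == "enabled":
            findings.append((e["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_entries(SAMPLE_DUMP)):
        print(path)
        for r in reasons:
            print("   -", r)
```

Feed it the relevant block of an SDFix report, or a `reg export` of the standardprofile and domainprofile list keys; the heuristics are deliberately loose, so each hit is a lead to verify on disk, not a verdict.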

#12 Buckeye_Sam

    Malware Expert

Posted 09 June 2008 - 06:26 AM

How is your computer behaving now?
Please post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Momemeo

    Topic Starter

Posted 11 June 2008 - 12:42 PM

it's much better than before





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:47 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.246.69.101:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm172MHUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200004564421
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5722 bytes
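
A practitioner reading the log above would look twice at the R1 line: the HKCU ProxyServer value sends Internet Explorer traffic through 69.246.69.101:80 rather than a loopback or private address. That can be perfectly legitimate on a managed network, so the check below, an added example that is not part of the thread or of HijackThis, only classifies the proxy target (loopback, private, public, hostname) and reports public or hostname targets for confirmation; it also flags O4 Run entries that start from a user-writable profile path. The sample log is constructed from lines in the post plus one hypothetical O4 entry for sysdefender.exe so that the second check has something to fire on.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log above plus one
# hypothetical O4 entry (sysdefender.exe, a name from the earlier SDFix output).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.246.69.101:80
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sysdefender] "C:\Documents and Settings\user\Application Data\sysdefender.exe"
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
# O4 lines: "O4 - <where>: [<name>] <path or "quoted path"> [args]"
RUN_RE = re.compile(r'^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]+)\] '
                    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')
USER_WRITABLE = ("\\application data\\", "\\start menu\\programs\\startup\\",
                 "\\local settings\\", "\\temp\\")


def classify_host(host: str) -> str:
    """loopback / private / public for IP literals, 'hostname' otherwise."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:          # 127/8 is also "private"; test it first
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def parse_proxy_value(value: str) -> List[Dict[str, str]]:
    """Handle both 'host:port' and 'http=host:port;https=host:port' forms."""
    proxies = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, _, hostport = item.rpartition("=")
        host, _, port = hostport.rpartition(":")
        host = host or hostport             # no ":" means no port was given
        proxies.append({"scheme": scheme or "all", "host": host,
                        "port": port, "kind": classify_host(host)})
    return proxies


def triage_log(log: str) -> List[str]:
    """Findings worth a second look; an empty list means nothing tripped."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for p in parse_proxy_value(m.group("value")):
                if p["kind"] in ("public", "hostname"):
                    findings.append(
                        f"ProxyServer sends {p['scheme']} traffic through {p['host']}:{p['port']} "
                        f"({p['kind']} address); confirm this proxy was set deliberately")
            continue
        m = RUN_RE.match(line)
        if m:
            path = m.group("quoted") or m.group("bare")
            if any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(f"{m.group('where')} entry [{m.group('name')}] starts {path} "
                                "from a user-writable location")
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print("-", finding)
```

A proxy that the user did not configure is worth clearing before declaring a machine clean, since everything IE fetches, Windows Update included, goes through it.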

#14 Buckeye_Sam

    Malware Expert

Posted 12 June 2008 - 02:34 PM

Your log is clean! :)


Let's get rid of Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"

=================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :thumbsup:

========================================================
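
The six Custom Level settings in the post above map to numbered actions under the Internet zone key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (0 = Enable, 1 = Prompt, 3 = Disable), which lets the hardening be audited and re-applied without clicking through the dialog. The script below is an added example, not part of the thread: it parses a `reg export` of that key (the sample is constructed, not taken from the user's machine), reports any of the six settings that is more permissive than the post recommends, and renders the corrected values as an importable .reg file. The action IDs are the ones Microsoft documents for these settings.

```python
import re
from typing import Dict, Tuple

# Internet zone (zone 3) action IDs that back the six Custom Level settings in
# the post, as Microsoft documents them; values 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1607": "Navigate sub-frames across different domains",
    "1800": "Installation of desktop items",
    "1804": "Launching programs and files in an IFRAME",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
# What the post asks for.
RECOMMENDED = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
               "1607": PROMPT, "1800": PROMPT, "1804": PROMPT}
# Higher rank = more permissive.
PERMISSIVENESS = {DISABLE: 0, PROMPT: 1, ENABLE: 2}

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed sample of what `reg export` of that key might look like on a
# machine that has not been hardened (not from the thread).
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{ZONE3_KEY}]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(?P<id>\d{4})"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone_reg(text: str) -> Dict[str, int]:
    """Collect action-id -> value from the Zones\\3 section of a .reg export."""
    values: Dict[str, int] = {}
    in_zone3 = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                       # a new key header
            in_zone3 = line.lower() == f"[{ZONE3_KEY.lower()}]"
            continue
        m = DWORD_RE.match(line)
        if in_zone3 and m:
            values[m.group("id")] = int(m.group("hex"), 16)
    return values


def audit_zone(values: Dict[str, int]) -> Dict[str, Tuple[str, str, str]]:
    """Settings more permissive than recommended: id -> (name, current, wanted)."""
    weak = {}
    for action, wanted in RECOMMENDED.items():
        current = values.get(action)
        # A value missing from HKCU falls back to IE's default for the zone, so
        # it is reported too rather than silently assumed safe.
        if current is None or PERMISSIVENESS.get(current, 2) > PERMISSIVENESS[wanted]:
            shown = "not set" if current is None else LABEL.get(current, str(current))
            weak[action] = (ACTIONS[action], shown, LABEL[wanted])
    return weak


def render_hardened_reg() -> str:
    """The corrected values as a .reg file that reg.exe import can apply."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for action in sorted(RECOMMENDED):
        lines.append(f'"{action}"=dword:{RECOMMENDED[action]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for action, (name, current, wanted) in audit_zone(parse_zone_reg(SAMPLE_REG)).items():
        print(f"{action} {name}: {current} (want {wanted})")
    print(render_hardened_reg())
```

`reg export` writes UTF-16 with a byte-order mark, so open a real export with `encoding="utf-16"` before handing it to `parse_zone_reg`. If the "Use only machine settings" security-zone policy is in force, the same key under HKEY_LOCAL_MACHINE is the one that counts, so audit that hive as well.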

#15 Buckeye_Sam

    Malware Expert

Posted 23 June 2008 - 04:04 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



