
Oh No! I'm Infected. Please Help.


11 replies to this topic

#1 sugarbunny

sugarbunny

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 27 May 2008 - 08:25 AM

My pc is running extremely slow. I think it's infected with either a trojan, malware or a virus, but I don't know what. The internet runs in the background without my knowledge. It directs to some weird Chinese site description which appears to be porn in nature. I can't close it :thumbsup: It is seriously crashing the memory. Please take a look and help me. Thank you very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:04 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: swsxachu.dll - {13FD5987-65D2-C58D-D87E-987451F12531} - C:\WINDOWS\system32\swsxachu.dll
O2 - BHO: jkhxaklo.dll - {14698742-2059-3025-9058-954023874141} - C:\WINDOWS\system32\jkhxaklo.dll
O2 - BHO: nhmxajkl.dll - {17AC9076-C898-B098-D098-A18319080971} - C:\WINDOWS\system32\nhmxajkl.dll
O2 - BHO: (no name) - {1AB1F65A-964F-4AE7-B254-05146A0E602E} - C:\Program Files\Internet Explorer\PLUGINS\WinSys16.Sys
O2 - BHO: apsgajba.dll - {1FD45A54-9875-698F-E56E-65102358FDF1} - C:\WINDOWS\system32\apsgajba.dll
O2 - BHO: skqnbbib.dll - {22023698-6984-8541-9654-698745012522} - C:\WINDOWS\system32\skqnbbib.dll
O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll
O2 - BHO: cdwsbkop.dll - {2A095412-A568-B258-C587-D148E148F0A2} - C:\WINDOWS\system32\cdwsbkop.dll
O2 - BHO: apzhbtde.dll - {2D698451-2015-6358-9871-2015987452D2} - C:\WINDOWS\system32\apzhbtde.dll
O2 - BHO: apfobdet.dll - {2E035987-F585-68D1-AC28-98FA58E459E2} - C:\WINDOWS\system32\apfobdet.dll
O2 - BHO: apsgbjba.dll - {2FD45A54-9875-698F-E56E-65102358FDF2} - C:\WINDOWS\system32\apsgbjba.dll
O2 - BHO: pjjxcdwd.dll - {34FAE856-AD58-20CB-A025-CD4895FA6E43} - C:\WINDOWS\system32\pjjxcdwd.dll
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll
O2 - BHO: mpwdcapi.dll - {35694105-5108-9405-3695-954187462153} - C:\WINDOWS\system32\mpwdcapi.dll
O2 - BHO: lofscjbo.dll - {370165F1-9F65-569F-F895-F14F58F41073} - C:\WINDOWS\system32\lofscjbo.dll
O2 - BHO: mndscsrv.dll - {37FD640A-158F-48AC-FD14-1597F14A9773} - C:\WINDOWS\system32\mndscsrv.dll
O2 - BHO: zycbcime.dll - {3A698102-5904-AFD0-20DF-CD1A65829CA3} - C:\WINDOWS\system32\zycbcime.dll
O2 - BHO: mndhcdwd.dll - {3C648541-1025-9650-9057-6541258720C3} - C:\WINDOWS\system32\mndhcdwd.dll
O2 - BHO: zptlbsys.dll - {40940F85-F015-14F1-A05F-F69858AC6D04} - C:\WINDOWS\system32\zptlbsys.dll
O2 - BHO: mpmydapi.dll - {4629FF4F-ACDB-5C90-A098-FACB3456A264} - C:\WINDOWS\system32\mpmydapi.dll
O2 - BHO: ozfydbyt.dll - {4A069845-2036-6084-9054-6087502480A4} - C:\WINDOWS\system32\ozfydbyt.dll
O2 - BHO: mnmhdsrv.dll - {4C8D1401-A58D-A81C-CD24-A5915C4517C4} - C:\WINDOWS\system32\mnmhdsrv.dll
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\system32\zptlcsys.dll
O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll
O2 - BHO: zywmeime.dll - {5319A1F1-9410-9654-3201-345FFA349135} - C:\WINDOWS\system32\zywmeime.dll
O2 - BHO: mndsesrv.dll - {57FD640A-158F-48AC-FD14-1597F14A9775} - C:\WINDOWS\system32\mndsesrv.dll
O2 - BHO: oohxdbyt.dll - {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} - C:\WINDOWS\system32\oohxdbyt.dll
O2 - BHO: zxmscwin.dll - {6A041F13-A111-12A3-B0CF-F99818AA68A6} - C:\WINDOWS\system32\zxmscwin.dll
O2 - BHO: mnmhfsrv.dll - {6C8D1401-A58D-A81C-CD24-A5915C4517C6} - C:\WINDOWS\system32\mnmhfsrv.dll
O2 - BHO: ypcqfhlp.dll - {70AF1289-F140-A140-D012-C1458759FC07} - C:\WINDOWS\system32\ypcqfhlp.dll
O2 - BHO: yzztgmsn.dll - {7490415F-65F8-B5C5-D8BA-9405FB120547} - C:\WINDOWS\system32\yzztgmsn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ypdjfbmp.dll - {81954FAC-1023-154F-895A-1458258AD818} - C:\WINDOWS\system32\ypdjfbmp.dll
O2 - BHO: yxfhcjpg.dll - {83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38} - C:\WINDOWS\system32\yxfhcjpg.dll
O2 - BHO: yzzthmsn.dll - {8490415F-65F8-B5C5-D8BA-9405FB120548} - C:\WINDOWS\system32\yzzthmsn.dll
O2 - BHO: zyzxhime.dll - {8A59145F-315D-BC23-AC1F-145DF81A34A8} - C:\WINDOWS\system32\zyzxhime.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: zxptejpg.dll - {91698482-6555-3666-1222-954784129019} - C:\WINDOWS\system32\zxptejpg.dll
O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1201899453.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinSysM] C:\WINDOWS\351677M.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: TruePass EPF 7,0,100,739 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O20 - AppInit_DLLs: ghjdtry.dll,dgxsrr.dll,fdght.dll,rgghjj.dll,sefawe.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,hktrre.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,fghshj.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,sperls.dll,,nhmxajkl.dll
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - Unknown owner - C:\Program Files\F-Secure Internet Security\fswsclds.exe (file missing)

--
End of file - 9494 bytes


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:37 AM

Posted 31 May 2008 - 01:39 AM

Hello sugarbunny,

Welcome to Bleeping Computer :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: swsxachu.dll - {13FD5987-65D2-C58D-D87E-987451F12531} - C:\WINDOWS\system32\swsxachu.dll
O2 - BHO: jkhxaklo.dll - {14698742-2059-3025-9058-954023874141} - C:\WINDOWS\system32\jkhxaklo.dll
O2 - BHO: nhmxajkl.dll - {17AC9076-C898-B098-D098-A18319080971} - C:\WINDOWS\system32\nhmxajkl.dll
O2 - BHO: (no name) - {1AB1F65A-964F-4AE7-B254-05146A0E602E} - C:\Program Files\Internet Explorer\PLUGINS\WinSys16.Sys
O2 - BHO: apsgajba.dll - {1FD45A54-9875-698F-E56E-65102358FDF1} - C:\WINDOWS\system32\apsgajba.dll
O2 - BHO: skqnbbib.dll - {22023698-6984-8541-9654-698745012522} - C:\WINDOWS\system32\skqnbbib.dll
O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll
O2 - BHO: cdwsbkop.dll - {2A095412-A568-B258-C587-D148E148F0A2} - C:\WINDOWS\system32\cdwsbkop.dll
O2 - BHO: apzhbtde.dll - {2D698451-2015-6358-9871-2015987452D2} - C:\WINDOWS\system32\apzhbtde.dll
O2 - BHO: apfobdet.dll - {2E035987-F585-68D1-AC28-98FA58E459E2} - C:\WINDOWS\system32\apfobdet.dll
O2 - BHO: apsgbjba.dll - {2FD45A54-9875-698F-E56E-65102358FDF2} - C:\WINDOWS\system32\apsgbjba.dll
O2 - BHO: pjjxcdwd.dll - {34FAE856-AD58-20CB-A025-CD4895FA6E43} - C:\WINDOWS\system32\pjjxcdwd.dll
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll
O2 - BHO: mpwdcapi.dll - {35694105-5108-9405-3695-954187462153} - C:\WINDOWS\system32\mpwdcapi.dll
O2 - BHO: lofscjbo.dll - {370165F1-9F65-569F-F895-F14F58F41073} - C:\WINDOWS\system32\lofscjbo.dll
O2 - BHO: mndscsrv.dll - {37FD640A-158F-48AC-FD14-1597F14A9773} - C:\WINDOWS\system32\mndscsrv.dll
O2 - BHO: zycbcime.dll - {3A698102-5904-AFD0-20DF-CD1A65829CA3} - C:\WINDOWS\system32\zycbcime.dll
O2 - BHO: mndhcdwd.dll - {3C648541-1025-9650-9057-6541258720C3} - C:\WINDOWS\system32\mndhcdwd.dll
O2 - BHO: zptlbsys.dll - {40940F85-F015-14F1-A05F-F69858AC6D04} - C:\WINDOWS\system32\zptlbsys.dll
O2 - BHO: mpmydapi.dll - {4629FF4F-ACDB-5C90-A098-FACB3456A264} - C:\WINDOWS\system32\mpmydapi.dll
O2 - BHO: ozfydbyt.dll - {4A069845-2036-6084-9054-6087502480A4} - C:\WINDOWS\system32\ozfydbyt.dll
O2 - BHO: mnmhdsrv.dll - {4C8D1401-A58D-A81C-CD24-A5915C4517C4} - C:\WINDOWS\system32\mnmhdsrv.dll
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\system32\zptlcsys.dll
O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll
O2 - BHO: zywmeime.dll - {5319A1F1-9410-9654-3201-345FFA349135} - C:\WINDOWS\system32\zywmeime.dll
O2 - BHO: mndsesrv.dll - {57FD640A-158F-48AC-FD14-1597F14A9775} - C:\WINDOWS\system32\mndsesrv.dll
O2 - BHO: oohxdbyt.dll - {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} - C:\WINDOWS\system32\oohxdbyt.dll
O2 - BHO: zxmscwin.dll - {6A041F13-A111-12A3-B0CF-F99818AA68A6} - C:\WINDOWS\system32\zxmscwin.dll
O2 - BHO: mnmhfsrv.dll - {6C8D1401-A58D-A81C-CD24-A5915C4517C6} - C:\WINDOWS\system32\mnmhfsrv.dll
O2 - BHO: ypcqfhlp.dll - {70AF1289-F140-A140-D012-C1458759FC07} - C:\WINDOWS\system32\ypcqfhlp.dll
O2 - BHO: yzztgmsn.dll - {7490415F-65F8-B5C5-D8BA-9405FB120547} - C:\WINDOWS\system32\yzztgmsn.dll
O2 - BHO: ypdjfbmp.dll - {81954FAC-1023-154F-895A-1458258AD818} - C:\WINDOWS\system32\ypdjfbmp.dll
O2 - BHO: yxfhcjpg.dll - {83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38} - C:\WINDOWS\system32\yxfhcjpg.dll
O2 - BHO: yzzthmsn.dll - {8490415F-65F8-B5C5-D8BA-9405FB120548} - C:\WINDOWS\system32\yzzthmsn.dll
O2 - BHO: zyzxhime.dll - {8A59145F-315D-BC23-AC1F-145DF81A34A8} - C:\WINDOWS\system32\zyzxhime.dll
O2 - BHO: zxptejpg.dll - {91698482-6555-3666-1222-954784129019} - C:\WINDOWS\system32\zxptejpg.dll
O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1201899453.dll (file missing)
O4 - HKLM\..\Run: [WinSysM] C:\WINDOWS\351677M.exe
O20 - AppInit_DLLs: ghjdtry.dll,dgxsrr.dll,fdght.dll,rgghjj.dll,sefawe.dll,frntrn.dll,qrhhb.dll,drgh
.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lari


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?
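The entries the helper asked the poster to check in the log above (dozens of O2 BHOs with eight-letter random names in system32, an unnamed BHO backed by a .Sys file, a Run entry pointing at an executable dropped straight into C:\WINDOWS, a populated AppInit_DLLs value) follow patterns that can be spotted mechanically. The following Python script is an added example written for this page, not a BleepingComputer or HijackThis tool; it parses HijackThis O2/O4/O20 lines and applies a few heuristics that are this example's own assumptions, running them over a constructed sample log built from lines of the kind posted in this thread.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample input: lines in the format of the HijackThis logs posted in this
# thread, mixing legitimate entries (Adobe, Sun Java, ThreatFire) with the kind of
# entries the helper told the poster to fix.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: swsxachu.dll - {13FD5987-65D2-C58D-D87E-987451F12531} - C:\WINDOWS\system32\swsxachu.dll
O2 - BHO: (no name) - {1AB1F65A-964F-4AE7-B254-05146A0E602E} - C:\Program Files\Internet Explorer\PLUGINS\WinSys16.Sys
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1201899453.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinSysM] C:\WINDOWS\351677M.exe
O20 - AppInit_DLLs: ghjdtry.dll,dgxsrr.dll,,nhmxajkl.dll
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""

# Line shapes HijackThis uses for the three sections triaged here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")

# Heuristics (assumptions of this example, not HijackThis rules): the injected BHOs in
# the thread all carry eight lowercase letters and live in system32.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
WINDIR_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
MISSING = " (file missing)"


def bho_findings(name: str, path: str) -> List[str]:
    """Reasons an O2 (Browser Helper Object) entry deserves a second look."""
    reasons = []
    if path.endswith(MISSING):
        path = path[: -len(MISSING)]
        reasons.append("registered BHO whose DLL is gone (orphaned entry)")
    base = path.rsplit("\\", 1)[-1]
    if RANDOM_DLL.match(base) and "\\system32\\" in path.lower():
        reasons.append("eight-letter pseudo-random DLL name in system32")
    if name == "(no name)" and not base.lower().endswith(".dll"):
        reasons.append("unnamed BHO backed by a non-.dll file (%s)" % base)
    return reasons


def run_findings(key: str, cmd: str) -> List[str]:
    """Reasons an O4 (Run key) entry deserves a second look."""
    exe = cmd.strip('"')
    if WINDIR_ROOT_EXE.match(exe):
        return ["autorun executable dropped directly into C:\\WINDOWS"]
    return []


def appinit_findings(dlls: str) -> List[str]:
    """AppInit_DLLs loads every listed DLL into every user32 process; any content is notable."""
    names = [d for d in dlls.split(",") if d.strip()]
    if not names:
        return []
    return ["AppInit_DLLs populated with %d DLL(s)" % len(names)]


# Dispatch: first pattern that matches a line decides which heuristic set runs.
HANDLERS: List[Tuple[re.Pattern, Callable[[re.Match], List[str]]]] = [
    (O2_RE, lambda m: bho_findings(m["name"], m["path"])),
    (O4_RE, lambda m: run_findings(m["key"], m["cmd"])),
    (O20_RE, lambda m: appinit_findings(m["dlls"])),
]


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every log line that trips a heuristic."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        for pattern, handler in HANDLERS:
            m = pattern.match(line)
            if m:
                reasons = handler(m)
                break
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample it flags five of the nine lines and leaves the Adobe, Java and ThreatFire entries alone. The heuristics are deliberately narrow (they describe this one infection pattern), so a clean result from such a script says nothing about entries that do not fit the pattern; it is a way to pre-sort a long log before a human reads it, not a replacement for doing so.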

#3 sugarbunny

sugarbunny
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 04 June 2008 - 10:39 PM

hi,

I got impatient and tried to fix the problem on my own. I used the restore point and deleted some files with hijackthis. Here's the new scan. I hope the scan is clean. Thank you very much!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:08 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Documents and Settings\Jared\Application Data\U3\0000162152748155\LaunchPad.exe
C:\Documents and Settings\Jared\Application Data\U3\0000162152748155\285E6953-BF3C-4445-9376-3FE5D7F645B2\Exec\bin\SignupShield.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Jared\Desktop\runescape.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.olg.ca/lotteries/games/howtoplay.do?game=lotto649
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: TruePass EPF 7,0,100,739 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - Unknown owner - C:\Program Files\F-Secure Internet Security\fswsclds.exe (file missing)

--
End of file - 4787 bytes

#4 sugarbunny

sugarbunny
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 05 June 2008 - 11:18 AM

Here's combofix log

ComboFix 08-06-04.3 - Jared 2008-06-04 22:45:39.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.18 [GMT -6:00]
Running from: C:\Documents and Settings\Jared\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Internet Explorer\IEXPLORE32.jmp
C:\Program Files\internet explorer\plugins\SysWin16.Jmp
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-05-29 03:52 . 2008-05-29 03:52 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Paretologic
2008-05-27 11:13 . 2008-05-27 12:00 9,956 --a------ C:\WINDOWS\SYSTEM32\muqb9.exe
2008-05-27 10:12 . 2008-05-27 11:13 9,955 --a------ C:\WINDOWS\SYSTEM32\xrzh8.exe
2008-05-27 10:11 . 2008-05-27 10:12 9,954 --a------ C:\WINDOWS\SYSTEM32\svdc7.exe
2008-05-27 10:02 . 2008-05-27 10:08 14,334 --a------ C:\WINDOWS\SYSTEM32\nyhq0.exe
2008-05-27 10:02 . 2008-05-27 10:02 903 --a------ C:\tmp.dat
2008-05-27 10:00 . 2007-06-13 03:23 1,033,216 --a------ C:\WINDOWS\atixxx.exe
2008-05-27 09:03 . 2008-05-27 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-27 02:50 . 2008-05-27 02:49 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-05-27 02:48 . 2008-05-27 02:48 <DIR> d-------- C:\Documents and Settings\Jared\.housecall6.6
2008-05-20 15:27 . 2008-05-20 15:27 <DIR> d--hs---- C:\FOUND.011
2008-05-08 21:46 . 2008-05-08 21:46 <DIR> d--hs---- C:\FOUND.010

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 05:49 --------- d-----w C:\Program Files\Movkit
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2008-03-27 05:54 499,402 ----a-w C:\WINDOWS\JAVA\Packages\X7VPZPZZ.ZIP
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2007-11-09 16:11 113 ----a-w C:\Program Files\Yahoo!
2007-05-10 07:19 0 ----a-w C:\Program Files\itiA.tmp
2005-05-17 04:00 1,621 ----a-w C:\Documents and Settings\Jared\Application Data\D - HITACHI - DVD-ROM GD-7500 - 0005.dat
2003-07-28 12:15 722 ----a-w C:\Program Files\INSTALL.LOG
2003-07-21 20:36 266 --sh--w C:\Program Files\desktop.ini
2003-07-21 20:36 11,079 ---h--w C:\Program Files\folder.htt
2005-03-27 00:04 56 --sh--r C:\WINDOWS\SYSTEM32\77C59E9850.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 20:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-11-28 15:29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-11-28 15:29 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealOne Player\\RealPlay.exe"=
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8124:TCP"= 8124:TCP:MasalaMate

R3 S3Inc;S3Inc;C:\WINDOWS\system32\DRIVERS\s3mini.sys [2000-02-15 10:19]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\system32\DRIVERS\SMC1211.SYS [2001-07-11 11:06]
S2 Fswsclds;F-Secure Windows Security Center Legacy Detection Service;C:\Program Files\F-Secure Internet Security\fswsclds.exe []
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e163b70-61a1-11dc-a3b3-0004e202e6e8}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 08:00:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-27 08:00:10 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 22:50:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 22:52:08
ComboFix-quarantined-files.txt 2008-06-05 04:52:04

Pre-Run: 2,529,820,672 bytes free
Post-Run: 2,715,877,376 bytes free

104 --- E O F --- 2008-06-01 18:30:21

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:37 AM

Posted 05 June 2008 - 12:17 PM

Hello,

Thank you... and a new HijackThis log please? How is it running?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#6 sugarbunny

sugarbunny
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 07 June 2008 - 07:48 PM

here's my latest hijackthis log. It's running smooth now. Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:37 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.olg.ca/lotteries/games/howtoplay.do?game=lotto649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: TruePass EPF 7,0,100,739 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - Unknown owner - C:\Program Files\F-Secure Internet Security\fswsclds.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5096 bytes

#7 teacup61
  • Malware Response Team
  • 17,075 posts
  • Location: Wills Point, Texas

Posted 08 June 2008 - 09:41 PM

Hello,

Great to know. :thumbsup: Still a bit to do though:

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Open Notepad (do not use any other text editor than Notepad, or the script will fail) and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\SYSTEM32\muqb9.exe
C:\WINDOWS\SYSTEM32\xrzh8.exe
C:\WINDOWS\SYSTEM32\svdc7.exe
C:\WINDOWS\SYSTEM32\nyhq0.exe


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#8 sugarbunny (Topic Starter)

Posted 16 June 2008 - 12:42 AM

Here's ComboFix.

ComboFix 08-06-15.4 - Jared 2008-06-15 23:21:42.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.19 [GMT -6:00]
Running from: C:\Documents and Settings\Jared\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jared\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\muqb9.exe
C:\WINDOWS\SYSTEM32\nyhq0.exe
C:\WINDOWS\SYSTEM32\svdc7.exe
C:\WINDOWS\SYSTEM32\xrzh8.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\muqb9.exe
C:\WINDOWS\SYSTEM32\nyhq0.exe
C:\WINDOWS\SYSTEM32\svdc7.exe
C:\WINDOWS\SYSTEM32\xrzh8.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 23:12 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-15 23:10 . 2008-06-15 23:10 <DIR> d-------- C:\Program Files\Java
2008-06-15 23:10 . 2008-06-15 23:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-15 23:03 . 2008-06-15 23:03 0 --a------ C:\WINDOWS\SYSTEM32\REN11.tmp
2008-06-15 23:03 . 2008-06-15 23:03 0 --a------ C:\WINDOWS\SYSTEM32\REN10.tmp
2008-06-11 19:28 . 2008-04-14 05:01 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-06 18:44 . 2008-06-06 18:44 <DIR> d-------- C:\Program Files\ThreatFire
2008-06-06 18:44 . 2008-06-06 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-06 18:44 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfFsMon.sys
2008-06-06 18:44 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfSysMon.sys
2008-06-06 18:44 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfNetMon.sys
2008-06-06 18:44 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfKbMon.sys
2008-05-29 03:52 . 2008-05-29 03:52 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Paretologic
2008-05-27 10:02 . 2008-05-27 10:02 903 --a------ C:\tmp.dat
2008-05-27 09:03 . 2008-05-27 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-27 02:50 . 2008-05-27 02:49 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-05-27 02:48 . 2008-05-27 02:48 <DIR> d-------- C:\Documents and Settings\Jared\.housecall6.6
2008-05-20 15:27 . 2008-05-20 15:27 <DIR> d--hs---- C:\FOUND.011

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-04-24 04:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-04-20 05:49 --------- d-----w C:\Program Files\Movkit
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2008-03-27 05:54 499,402 ----a-w C:\WINDOWS\JAVA\Packages\X7VPZPZZ.ZIP
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2007-11-09 16:11 113 ----a-w C:\Program Files\Yahoo!
2007-05-10 07:19 0 ----a-w C:\Program Files\itiA.tmp
2005-05-17 04:00 1,621 ----a-w C:\Documents and Settings\Jared\Application Data\D - HITACHI - DVD-ROM GD-7500 - 0005.dat
2003-07-28 12:15 722 ----a-w C:\Program Files\INSTALL.LOG
2003-07-21 20:36 266 --sh--w C:\Program Files\desktop.ini
2003-07-21 20:36 11,079 ---h--w C:\Program Files\folder.htt
2005-03-27 00:04 56 --sh--r C:\WINDOWS\SYSTEM32\77C59E9850.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-04_22.51.39.61 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-05 00:22:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 05:06:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:22 347,136 ------w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:22 214,528 ------w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:22 133,120 ------w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:22 63,488 ------w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:24 70,656 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:26 161,792 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:26 267,776 ------w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:52 13,824 ------w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 ------w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:26 27,648 ------w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-02 00:36:30 3,591,680 ------w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 ------w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:30 671,232 ------w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:30 44,544 ------w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:40 213,216 ------w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:30 105,984 ------w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 ------w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:32 826,368 ------w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
- 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
- 2008-03-01 13:06:22 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
- 2008-03-01 13:06:22 214,528 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
- 2008-03-01 13:06:22 133,120 ------w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ------w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
- 2008-03-01 13:06:22 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
+ 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
- 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
- 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
- 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
- 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
- 2008-03-01 13:06:26 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
- 2008-03-01 13:06:26 27,648 ------w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ------w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
- 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
- 2008-03-01 13:06:28 478,208 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 ------w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
- 2008-03-01 13:06:30 671,232 ------w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 ------w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
- 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
- 2008-03-01 13:06:30 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
- 2008-03-01 13:06:30 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
- 2008-03-01 13:06:30 1,159,680 ------w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
+ 2008-04-23 04:16:30 1,159,680 ------w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
- 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
+ 2008-04-23 04:16:30 233,472 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
- 2008-03-01 13:06:32 826,368 ------w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
+ 2008-04-23 04:16:30 826,368 ------w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
- 2004-08-04 06:10:38 274,304 ------w C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
- 2008-03-01 13:06:22 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2008-03-01 13:06:22 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2008-03-01 13:06:22 133,120 ------w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ------w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2008-03-01 13:06:22 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
- 2008-02-29 08:55:24 70,656 ------w C:\WINDOWS\SYSTEM32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ------w C:\WINDOWS\SYSTEM32\ie4uinit.exe
- 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\SYSTEM32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\SYSTEM32\ieakeng.dll
- 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\SYSTEM32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\SYSTEM32\ieaksie.dll
- 2008-02-15 05:44:26 161,792 ------w C:\WINDOWS\SYSTEM32\ieakui.dll
+ 2008-04-20 05:07:52 161,792 ------w C:\WINDOWS\SYSTEM32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\SYSTEM32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\SYSTEM32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\SYSTEM32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\SYSTEM32\iernonce.dll
- 2008-03-01 13:06:26 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
- 2008-02-22 10:00:52 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
- 2007-11-28 21:29:40 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-03-25 07:28:40 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2007-11-28 21:29:40 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 07:28:44 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2007-11-28 21:29:40 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-03-25 08:37:02 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
- 2008-03-01 13:06:26 27,648 ------w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ------w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\SYSTEM32\MACROMED\FLASH\FlashUtil9f.exe
- 2008-02-08 16:14:10 74,137 ----a-w C:\WINDOWS\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
+ 2008-06-07 21:55:36 74,137 ----a-w C:\WINDOWS\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-05-29 23:35:12 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
- 2008-03-02 00:36:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-04-24 04:16:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2008-03-01 13:06:30 671,232 ------w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ------w C:\WINDOWS\SYSTEM32\mstime.dll
- 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\SYSTEM32\occache.dll
+ 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\SYSTEM32\occache.dll
- 2008-03-01 13:06:30 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2007-10-08 20:46:18 14,640 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-11-30 11:18:52 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
- 2008-03-01 13:06:30 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-04-23 04:16:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
+ 2008-04-23 04:16:30 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
- 2008-03-01 13:06:32 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-04-23 04:16:30 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2006-12-02 04:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 04:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 04:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 04:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 20:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealOne Player\\RealPlay.exe"=
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8124:TCP"= 8124:TCP:MasalaMate

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 S3Inc;S3Inc;C:\WINDOWS\system32\DRIVERS\s3mini.sys [2000-02-15 10:19]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\system32\DRIVERS\SMC1211.SYS [2001-07-11 11:06]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S2 Fswsclds;F-Secure Windows Security Center Legacy Detection Service;C:\Program Files\F-Secure Internet Security\fswsclds.exe []
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 08:00:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-27 08:00:10 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 23:31:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-15 23:34:20
ComboFix-quarantined-files.txt 2008-06-16 05:34:12
ComboFix2.txt 2008-06-05 04:52:12

Pre-Run: 2,122,301,440 bytes free
Post-Run: 2,363,064,320 bytes free

290 --- E O F --- 2008-06-13 06:37:51


...and the HijackThis log. Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:32 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.olg.ca/lotteries/games/howtoplay.do?game=lotto649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: TruePass EPF 7,0,100,739 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - Unknown owner - C:\Program Files\F-Secure Internet Security\fswsclds.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5062 bytes

#9 teacup61 (Malware Response Team)

Posted 16 June 2008 - 11:16 AM

Hello,

You're welcome. :thumbsup:

I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. That's why I want you to install one!
Avira or Avast are good free antivirus products.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

I see you updated your Java, but did you uninstall the old versions? I still see reference to a VERY old version in your latest log.

tea

#10 sugarbunny (Topic Starter)

Posted 18 June 2008 - 09:48 PM

Yes, I have antivirus software. It's called ThreatFire, and yes, I did uninstall the old Java and then installed the new one. I have no idea why it's still there. I notice that sometimes the Java update reminder pops up saying there's a new update to install, but when I click it, it says my Java is already up to date. Thank you.

Edited by sugarbunny, 19 June 2008 - 12:55 AM.
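
The "Java Runtime Environment 1.4.1" O16 entry that survived the reinstall is the kind of leftover a helper spots by eye in a HijackThis log. As an added example, not code from this thread or from the HijackThis or ComboFix authors, the Python below parses a handful of HijackThis lines copied from the post-cleanup log above (a constructed sample, trimmed to the entry types it checks) and flags two things mechanically: O16 DPF (ActiveX "Downloaded Program Files") records whose Sun Java CLSID decodes to a version older than the JRE that the O2/O4 entries show loaded, and O23 services whose binary is reported "(file missing)". The CLSID decoding assumes Sun's plug-in registration convention, in which {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} stands for 1.4.1 and {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} for 1.6.0_06; the function and record names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the post-cleanup HijackThis log in this
# thread, trimmed to the entry types the checks below look at.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - Unknown owner - C:\Program Files\F-Secure Internet Security\fswsclds.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# Every HijackThis entry starts with a section code such as R0, O2, O16, O23.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Sun JRE plug-in CLSIDs encode the version (assumed convention, see lead-in):
# 0014 -> 1.4, 0016 -> 1.6, followed by the micro and update fields.
SUN_JAVA_CLSID_RE = re.compile(r"\{CAFEEFAC-(\d{4})-(\d{4})-(\d{4})-ABCDEFFEDCBA\}", re.I)
# A version as it appears in a path (jre1.6.0_06) or a DPF name (1.4.1).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {'kind', 'body', 'raw'} records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"kind": m.group("kind"), "body": m.group("body"), "raw": line.strip()})
    return entries


def java_version_from_text(s: str) -> Optional[Version]:
    """Pull a dotted Java version out of a path or product name."""
    m = VERSION_RE.search(s)
    if not m:
        return None
    major, minor, micro, update = (int(g or 0) for g in m.groups())
    return (major, minor, micro, update)


def java_version_from_clsid(clsid: str) -> Optional[Version]:
    """Decode a Sun JRE CLSID, e.g. {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} -> (1, 4, 1, 0)."""
    m = SUN_JAVA_CLSID_RE.fullmatch(clsid)
    if not m:
        return None
    family, micro, update = (int(g) for g in m.groups())
    major, minor = divmod(family, 10)  # 14 -> (1, 4); 16 -> (1, 6)
    return (major, minor, micro, update)


def newest_installed_java(entries: List[Dict[str, str]]) -> Optional[Version]:
    """Newest JRE referenced by loaded components (O2 BHOs, O4 Run keys, O9 IE buttons)."""
    found = []
    for e in entries:
        if e["kind"] in ("O2", "O4", "O9") and "\\Java\\jre" in e["body"]:
            v = java_version_from_text(e["body"])
            if v:
                found.append(v)
    return max(found) if found else None


def audit(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, raw_line) pairs for the two leftovers this thread turned up."""
    findings = []
    newest = newest_installed_java(entries)
    for e in entries:
        if e["kind"] == "O23" and e["body"].endswith("(file missing)"):
            # A registered service whose binary is gone: a half-removed product.
            findings.append(("orphan-service", e["raw"]))
        elif e["kind"] == "O16":
            clsid = CLSID_RE.search(e["body"])
            v = java_version_from_clsid(clsid.group(0)) if clsid else None
            if v is None and "Java Runtime Environment" in e["body"]:
                v = java_version_from_text(e["body"])
            if v and newest and v < newest:
                # An ActiveX download record for a JRE older than the one actually loaded.
                findings.append(("stale-java-dpf", e["raw"]))
    return findings


if __name__ == "__main__":
    for finding, line in audit(parse_hjt(SAMPLE_LOG)):
        print(f"{finding}: {line}")
```

Run against the sample it reports exactly the two lines teacup singled out: the F-Secure service with its executable missing, and the 1.4.1 DPF record, which is a download record rather than a loaded runtime. That is consistent with what sugarbunny saw: the installed 1.6.0_06 is what the updater checks and reports as current, while the O16 line is a leftover that a JRE uninstall does not necessarily clear.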


#11 teacup61 (Malware Response Team)

Posted 28 June 2008 - 10:44 AM

Hello,

I apologize for my absence the last several days. :thumbsup: I've been sick. I'm just now able to sit and concentrate on logs.

How is it running now please? If you would, please post a new HijackThis log. :)

Thanks,
tea

#12 teacup61 (Malware Response Team)

Posted 04 July 2008 - 10:09 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
