Spyware.cyberlog-x "critical System Warning!" Popup.


This topic is locked
2 replies to this topic

#1 mattler

mattler

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 02 June 2008 - 01:52 PM

Hey folks,

It looks like I've got the same medley of virii that pencraft was dealing with in his thread. Prior to finding this forum, I attempted to fix the problem using several anti-virus/spyware applications. While they found and apparently fixed some problems, the System Window entitled "Critical System Warning!" was not fixed, nor were the balloons that popped up from the system tray.

Here's what the System Window had to say:

Critical System Warning!
Your system is probably infected with the lastest version of Spyware.Cyberlog-X.
Type: Spyware
Infected Length: 266,129 bytes
Risk: High
Affected Systems: Windows 95, 98, 2000, NT, 2000 Server, Windows XP
Behavior: Cyberlog-X is a spyware program that monitors user activity, logs keystrokes, and track Web sites visited.
Symptims: Low Internet connection speed
Low System Performance
Secyrity center alerts
Strange pop up windows
Protection: Click OK to download antispyware software

After reading the replies to pencraft's post, I ran ComboFix and it appeared to fix the obvious problems. Would someone mind looking at my logs to see if there are any processes running in the background? Is there any script that I can drag and drop into ComboFix (or any other solution) that would remove these processes?


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:38:13, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F4C92D5-2964-4054-90CD-03D5071F38CE} - C:\WINDOWS\system32\pmnKabbY.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E23136A1-1AC4-4D1B-926F-5D537CFFF359} - C:\WINDOWS\system32\iifgEvwV.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\9244.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZoneTick] C:\Program Files\ZoneTick\zonetick.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212156670046
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifgEvwV - iifgEvwV.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6497 bytes



ComboFix Log:

ComboFix 08-06-01.6 - Owner 2008-06-02 13:10:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1582 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\spywarewarning.mht
C:\WINDOWS\system32\YbbaKnmp.ini
C:\WINDOWS\system32\YbbaKnmp.ini2
C:\WINDOWS\system32\ykyfvmca.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_MSSECURITY1.209.4
-------\Service_clbdriver
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-02 12:28 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-02 12:27 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-02 12:27 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-02 12:27 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-02 12:27 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-02 12:27 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-02 12:27 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-02 12:27 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-02 04:13 . 2008-06-02 04:13 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-02 02:51 . 2008-06-02 02:51 <DIR> d-------- C:\Program Files\Avira
2008-06-02 02:51 . 2008-06-02 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-02 02:45 . 2008-06-02 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-02 02:45 . 2008-06-02 02:06 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-06-02 02:06 . 2008-06-02 02:45 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-02 00:57 . 2008-06-02 00:57 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-01 16:20 . 2008-06-01 16:20 96,768 -rahs---- C:\WINDOWS\system32\acctresk.exe
2008-06-01 16:20 . 2008-06-02 13:07 78,378 --a------ C:\WINDOWS\system32\spywarewarning2.mht
2008-06-01 16:20 . 2004-08-10 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-01 15:16 . 2008-06-02 12:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 15:16 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-01 15:16 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-01 15:16 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-01 15:16 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-01 15:15 . 2008-06-02 12:58 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-01 15:15 . 2008-06-01 15:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-01 14:59 . 2008-06-01 14:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-01 13:00 . 2008-06-02 13:06 5,878 --a------ C:\WINDOWS\system32\Config.MPF
2008-06-01 12:54 . 2008-06-01 12:54 <DIR> d-------- C:\Program Files\McAfee.com
2008-06-01 03:30 . 2008-06-01 12:49 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-06-01 03:18 . 2008-06-01 03:18 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-06-01 02:35 . 2008-06-01 02:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-01 02:35 . 2008-06-01 02:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-01 02:35 . 2008-06-01 02:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-01 02:32 . 2008-06-02 00:11 2,145,386,496 --a------ C:\WINDOWS\MEMORY.DMP
2008-05-31 18:08 . 2004-08-10 08:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-05-31 18:07 . 2004-08-10 08:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-05-31 18:04 . 2004-08-10 08:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-05-31 18:04 . 2004-08-10 08:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-05-31 18:04 . 2004-08-10 08:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2008-05-31 18:04 . 2004-08-10 08:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-05-31 18:04 . 2004-08-10 08:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-05-31 18:04 . 2008-05-31 18:04 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-31 18:04 . 2008-05-31 18:04 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-31 18:04 . 2008-05-31 18:04 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-31 18:04 . 2008-05-31 18:04 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-05-31 18:04 . 2008-05-31 18:04 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-31 18:04 . 2008-05-31 18:04 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-31 17:55 . 2008-06-01 16:01 <DIR> d-------- C:\Program Files\MessengerOLD
2008-05-31 17:54 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-31 17:54 . 2004-08-03 23:00 87,424 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-05-31 17:54 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-31 17:54 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-31 17:43 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-05-31 14:37 . 2008-06-02 12:29 2,192 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 14:36 . 2008-05-31 14:28 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-31 02:21 . 2008-06-01 15:00 <DIR> d-------- C:\Program Files\McAfee
2008-05-31 02:21 . 2008-06-01 13:17 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-31 02:21 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-31 02:21 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-31 02:21 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-31 02:21 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-05-31 02:21 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-31 02:21 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-05-31 02:19 . 2008-06-01 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-30 21:35 . 2008-05-31 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-30 21:33 . 2008-05-31 15:04 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-30 19:55 . 2008-05-30 19:55 242 --a------ C:\WINDOWS\wininit.ini
2008-05-30 19:22 . 2008-05-30 19:22 15,360 --a------ C:\WINDOWS\rundll32.vbe
2008-05-30 18:34 . 2008-06-01 14:32 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-30 18:34 . 2008-06-01 16:03 <DIR> d-------- C:\Temp
2008-05-30 18:34 . 2008-05-30 18:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ESET
2008-05-30 18:33 . 2008-05-30 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-30 18:33 . 2008-05-30 18:33 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-30 18:23 . 2008-05-30 18:23 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Musepack Codec.bmp
2008-05-30 18:23 . 2008-05-30 18:23 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2008-05-30 18:23 . 2008-05-30 18:22 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-05-30 18:23 . 2008-05-30 18:23 3,576 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2008-05-30 18:23 . 2008-05-30 18:23 3,272 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Musepack Codec.dat
2008-05-30 18:23 . 2008-05-30 18:23 2,883 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-05-30 18:22 . 2008-05-30 18:22 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.bmp
2008-05-30 18:22 . 2008-05-30 18:22 3,096 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2008-05-30 18:20 . 2008-05-30 18:20 <DIR> d-------- C:\Program Files\dBpoweramp
2008-05-30 18:20 . 2008-05-30 18:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AccurateRip
2008-05-30 18:20 . 2008-05-30 18:21 593,272 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-05-30 18:20 . 2008-05-30 18:19 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-05-30 18:20 . 2008-05-30 18:20 12,885 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-05-30 18:19 . 2008-05-30 18:19 <DIR> d-------- C:\Program Files\foobar2000
2008-05-30 18:13 . 2008-05-30 18:13 <DIR> d-------- C:\Program Files\iPod
2008-05-30 18:13 . 2008-05-30 18:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-30 18:13 . 2008-06-02 13:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-30 18:13 . 2008-05-30 18:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-30 18:12 . 2008-05-30 18:12 <DIR> d-------- C:\Program Files\QuickTime
2008-05-30 18:12 . 2008-05-30 18:13 <DIR> d-------- C:\Program Files\iTunes
2008-05-30 18:12 . 2008-05-30 18:12 <DIR> d-------- C:\Program Files\Bonjour
2008-05-30 18:12 . 2008-05-30 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-30 18:11 . 2008-05-30 18:11 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-30 18:11 . 2008-05-30 18:11 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-30 18:11 . 2008-05-30 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-30 17:43 . 2008-05-30 17:43 <DIR> d-------- C:\Program Files\Synaptics
2008-05-30 17:43 . 2006-03-03 12:52 192,672 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-05-30 17:43 . 2006-03-03 12:55 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-05-30 17:43 . 2006-03-03 12:55 94,298 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-05-30 17:43 . 2006-03-03 12:55 82,013 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-05-30 17:43 . 2006-03-03 13:10 81,920 --a------ C:\WINDOWS\system32\SynTPCo2.dll
2008-05-30 17:43 . 2006-03-03 13:08 69,722 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-05-30 17:39 . 2008-05-30 17:39 <DIR> d-------- C:\Documents and Settings\Owner\Bluetooth Software
2008-05-30 17:34 . 2008-05-30 17:34 <DIR> d-------- C:\Program Files\WIDCOMM
2008-05-30 17:30 . 2008-05-30 17:30 <DIR> d-------- C:\WINDOWS\Options
2008-05-30 17:26 . 2006-03-20 23:23 23,040 --a------ C:\WINDOWS\kb913800.exe
2008-05-30 17:09 . 2008-05-30 17:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 17:09 . 2008-05-30 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 17:07 . 2008-05-30 17:51 <DIR> d-------- C:\Documents and Settings\Owner\Contacts
2008-05-30 16:59 . 2008-05-30 16:59 <DIR> d-------- C:\Program Files\uTorrent
2008-05-30 16:59 . 2008-06-01 16:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-30 16:47 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-30 16:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-30 16:47 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-30 16:02 . 2008-05-30 17:05 <DIR> d-------- C:\Program Files\Windows Live
2008-05-30 16:02 . 2008-05-30 17:04 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-30 16:02 . 2008-05-30 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-30 15:45 . 2008-05-30 15:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-30 15:45 . 2008-06-01 02:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 15:45 . 2008-05-30 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-30 15:11 . 2008-05-30 15:11 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-30 14:53 . 2008-05-30 14:53 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 20:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 19:58 --------- d-----w C:\Program Files\CyberLink
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F4C92D5-2964-4054-90CD-03D5071F38CE}]
C:\WINDOWS\system32\pmnKabbY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
C:\WINDOWS\system32\iifgEvwV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Installer"="C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\9244.exe" [ ]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"ZoneTick"="C:\Program Files\ZoneTick\zonetick.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"isCfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 20:00 158208]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 17:01 16010752 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32 618557]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"= C:\WINDOWS\system32\iifgEvwV.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgEvwV]
iifgEvwV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-02-12 10:06 262401 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-06-02 02:06]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 22:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-01 16:55:03 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-06-01 16:55:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-06-02 16:18:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 13:14:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\update\update.exe
.
**************************************************************************
.
Completion time: 2008-06-02 13:18:24 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-06-02 17:18:17

Pre-Run: 81,661,498,880 bytes free
Post-Run: 81,558,641,664 bytes free

309 --- E O F --- 2008-06-02 17:17:40


I've got quite a few anti-virus apps installed, however I've disabled them all as best as I could. I will be uninstalling all but a couple of them after this is done.

Thanks to anyone who takes a stab at this. It's greatly appreciated!

Cheers,
Matt
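The two logs above carry the indicators a responder looks for first with this rogue-antispyware family: an Internet Explorer start page redirected to a local .mht file (the "Critical System Warning!" page itself), unnamed BHOs and a Winlogon Notify hook whose DLLs are already gone, a Run entry launching from the user's Application Data folder, and a ComboFix registry dump showing Security Center notifications, monitoring and the Windows Firewall all switched off. The following Python script is an added example, not code from the original post, from HijackThis or from ComboFix; it parses the line shapes those two tools print (the R0/R1, O2, O4 and O20 lines of HijackThis and the REGEDIT4-style "Reg Loading Points" section of ComboFix) and tags those findings. The sample lines are constructed copies in the shape of Matt's logs, and the tag names and regular expressions are this example's own.

```python
"""Triage helpers for the HijackThis and ComboFix log formats posted above.

Added example; not code from the thread, Trend Micro's HijackThis or ComboFix.
Tag names and regexes are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # which part of the log the line came from
    reason: str   # short tag for the indicator
    line: str     # the offending log line, verbatim


# --- HijackThis line shapes (R0/R1, O2, O4, O20) ----------------------------
_R_LINE = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?),(?P<value_name>[^=]+?) = (?P<value>.*)$")
_O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")


def triage_hjt_line(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.rstrip()
    if m := _R_LINE.match(line):
        # A start page that is a local file instead of a URL is the fake warning page.
        if "Start Page" in m["value_name"] and _LOCAL_PATH.match(m["value"]):
            return Finding(m["sec"], "start-page-local-file", line)
    elif m := _O2_LINE.match(line):
        # The rogue BHOs in the log are unnamed and their DLL is already gone.
        if "(file missing)" in m["path"]:
            return Finding("O2", "bho-file-missing", line)
        if m["name"] == "(no name)":
            return Finding("O2", "bho-unnamed", line)
    elif m := _O4_LINE.match(line):
        # Autostarts launching from a user profile's Application Data folder.
        if "\\Application Data\\" in m["cmd"]:
            return Finding("O4", "run-from-appdata", line)
    elif m := _O20_LINE.match(line):
        # Winlogon Notify DLLs load into winlogon.exe; a bare or missing DLL
        # name here is a leftover hook that still has to be removed.
        if "(file missing)" in m["path"] or "\\" not in m["path"]:
            return Finding("O20", "winlogon-notify-file-missing", line)
    return None


def triage_hjt_log(text):
    return [f for f in map(triage_hjt_line, text.splitlines()) if f is not None]


# --- ComboFix "Reg Loading Points" section (REGEDIT4 shape) -----------------
_REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def audit_combofix_registry(text):
    """Flag disabled Security Center/firewall settings and Run entries whose
    target ComboFix could not find: in the log above it prints "[ ]" where the
    timestamp and size of an existing file would otherwise appear."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := _REG_KEY.match(line):
            key = m["key"].lower()
            continue
        m = _REG_VALUE.match(line)
        if not m:
            continue
        name, data = m["name"], m["data"]
        if key.endswith("\\run") and data.endswith("[ ]"):
            findings.append(Finding("Run", "run-target-missing", line))
        elif "security center" in key and name.endswith("DisableNotify") and data.endswith("00000001"):
            findings.append(Finding("SecurityCenter", "notification-disabled", line))
        elif "security center" in key and name == "DisableMonitoring" and data.endswith("00000001"):
            findings.append(Finding("SecurityCenter", "monitoring-disabled", line))
        elif name == "EnableFirewall" and data.startswith("0"):
            findings.append(Finding("Firewall", "firewall-disabled", line))
    return findings


# Constructed samples in the shape of the logs above (not the full logs).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0F4C92D5-2964-4054-90CD-03D5071F38CE} - C:\WINDOWS\system32\pmnKabbY.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\9244.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifgEvwV - iifgEvwV.dll (file missing)
"""

SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Installer"="C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\9244.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT) + audit_combofix_registry(SAMPLE_REG):
        print(f"{f.section:15} {f.reason:30} {f.line}")
```

Run stand-alone it prints one line per flagged entry; on the constructed samples that is four HijackThis findings and four registry findings, while the legitimate lines (the Microsoft default page URL, the Java BHO, ctfmon.exe, the SUPERAntiSpyware Winlogon hook) pass silently. The checks are deliberately narrow: they encode only what this thread's logs show, and a real triage would extend the tables rather than loosen them.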

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:32 AM

Posted 03 June 2008 - 01:57 PM

Hi,

I've got quite a few anti-virus apps installed, however I've disabled them all as best as I could. I will be uninstalling all but a couple of them after this is done.

You have 3 antivirus programs installed!!
Never install more than one antivirus and firewall! Rather than giving you extra protection, it will seriously decrease their reliability!
The reason for this is that multiple antivirus and firewall products are not compatible with each other; they can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

Then... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why the Recovery Console is recommended is that malware does a lot of damage and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever the malware damaged. Also, even if you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore for several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\acctresk.exe
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\system32\hljwugsf.bin
Folder::
C:\WINDOWS\system32\vntiho06
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F4C92D5-2964-4054-90CD-03D5071F38CE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Installer"=-
"ZoneTick"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgEvwV]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, go to the next site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\WINDOWS\kb913800.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
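The CFScript in the reply above is a small declarative format: File:: and Folder:: list paths for ComboFix to remove, and Registry:: follows REGEDIT4 conventions, where a [-Key] line deletes a key, a "Name"=- line deletes one value, and any other "Name"=data line rewrites that value (which is why the legitimate SUPERAntiSpyware hook is restated next to the rogue one being removed). The parser below is an added example, not part of miekiemoes's reply and not ComboFix's own code; it reads a script in that shape, handles only the three directives used in this thread and records any other directive name as unknown rather than guessing at it, then cross-checks every path, key and value name the script touches against a ComboFix log excerpt so a reviewer can see which entries were not taken from the log. The sample script and log excerpt are constructed from the shapes shown above, and the excerpt deliberately leaves out rundll32.vbe so the check has something to report.

```python
"""Parser and cross-check for a ComboFix CFScript in the shape used above.

Added example; not part of the reply above and not ComboFix's own code.
Handles the File::, Folder:: and Registry:: directives the thread uses and
reads Registry:: with REGEDIT4 conventions ("[-Key]" deletes a key,
'"Name"=-' deletes a value, anything else sets one).
"""
import re
from dataclasses import dataclass, field

_DIRECTIVE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
_KEY = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name)
    set_values: list = field(default_factory=list)      # (key, value name, data)
    unknown_directives: list = field(default_factory=list)


def parse_cfscript(text):
    script, section, current_key = CFScript(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _DIRECTIVE.match(line):
            section, current_key = m["name"], None
            if section not in ("File", "Folder", "Registry"):
                script.unknown_directives.append(section)   # not guessed at
            continue
        if section == "File":
            script.files.append(line)
        elif section == "Folder":
            script.folders.append(line)
        elif section == "Registry":
            if m := _KEY.match(line):
                current_key = m["key"]
                if m["minus"]:
                    script.delete_keys.append(current_key)
            elif (m := _VALUE.match(line)) and current_key:
                data = m["data"].strip()
                if data == "-":
                    script.delete_values.append((current_key, m["name"]))
                else:
                    script.set_values.append((current_key, m["name"], data))
    return script


def cross_check(script, combofix_log):
    """Return the script entries that never appear in the ComboFix log text.

    Every path, key and value name the script acts on should be traceable to a
    line of the log it was written from; anything unseen deserves a second look
    before the script is run.  Matching is case-insensitive because ComboFix
    prints some hives in lower case (see the shellexecutehooks key above).
    """
    log = combofix_log.lower()
    unseen = [p for p in script.files + script.folders if p.lower() not in log]
    unseen += [k for k in script.delete_keys if k.lower() not in log]
    unseen += [k for k, _, _ in script.set_values if k.lower() not in log]
    unseen += [f"{k}\\{n}" for k, n in script.delete_values if f'"{n.lower()}"=' not in log]
    return unseen


# Constructed sample script in the shape of the one posted above (a subset).
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\acctresk.exe
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\rundll32.vbe
Folder::
C:\WINDOWS\system32\vntiho06
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F4C92D5-2964-4054-90CD-03D5071F38CE}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Installer"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-
"""

# Constructed ComboFix log excerpt; rundll32.vbe is deliberately left out.
SAMPLE_LOG = r"""
2008-06-01 16:20 . 2008-06-01 16:20 96,768 -rahs---- C:\WINDOWS\system32\acctresk.exe
2008-06-01 16:20 . 2008-06-02 13:07 78,378 --a------ C:\WINDOWS\system32\spywarewarning2.mht
2008-05-30 18:34 . 2008-06-01 14:32 <DIR> d-------- C:\WINDOWS\system32\vntiho06
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F4C92D5-2964-4054-90CD-03D5071F38CE}]
C:\WINDOWS\system32\pmnKabbY.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Installer"="C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\9244.exe" [ ]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"= C:\WINDOWS\system32\iifgEvwV.dll [ ]
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    print(parsed)
    print("not found in log:", cross_check(parsed, SAMPLE_LOG))
```

Run stand-alone, the cross-check reports only C:\WINDOWS\rundll32.vbe, the one script entry the constructed excerpt does not mention. The same check against a full ComboFix log is a cheap sanity test before a script is dropped onto ComboFix.exe: a script that names files and keys the log never showed is either written against the wrong machine or carrying entries nobody verified.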

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:32 AM

Posted 17 June 2008 - 02:02 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



