Trojan.unclassified-packed/suspicious


This topic is locked. 23 replies to this topic.

#1 Pete L

Posted 28 June 2008 - 09:11 AM

I'm really embarrassed about this since I'm a programmer in real life. About 2 weeks ago, my home machine started acting funny. The Start button won't start and I'm losing the task bar. It seems that any 'system' activity takes FOREVER. It does work, but only for 2 seconds every 4 minutes or so. I have to do everything from taskmanager and through a DOS command window. I had a terrible time trying to download SuperAntiSpyware because of some Windows installer errors. Finally got it loaded and it found many (20 or so) viruses and 2 vundo trojans. It cleaned it up, reran and was clean. AVG and Spybot found nothing as well.

I'm still having the problem, it's better, but still takes forever to launch or find anything. I ran it through Kaspersky and downloaded DSS and I'm including the logs here. After that, I ran SuperAntiSpyware again and it found just one bot and this:
Trojan.Unclassified-Packed/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP387\A0049321.DLL

I appreciate any help you can give. I'm at a loss as to what to do next. I can only navigate through 'alt-tab' and most cutting/pasting or trying to get explorer (NOT iexplore, though, weirdly enough) to do anything is a joke. The weird thing is that most internet sites come up and render just fine. Didn't have an issue at all with Kaspersky and no popups or redirects with Internet Explorer.

First the Kaspersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 27, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 27, 2008 22:48:25
Records in database: 892038
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 98950
Threat name: 35
Infected objects: 77
Suspicious objects: 0
Duration of the scan: 02:34:06


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00E274D8.exe Infected: Trojan-Dropper.Win32.Mudrop.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\020C4ECA.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10CD3401.exe Infected: Trojan-Downloader.Win32.Adload.fs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\19130BF5.exe Infected: Trojan-Downloader.Win32.Small.dqp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\192F3D4E.exe Infected: Trojan-Downloader.Win32.Adload.xq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\19F929EB.exe Infected: Trojan-Downloader.Win32.Adload.fk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A097BD9.dll Infected: not-a-virus:AdWare.Win32.Mostofate.r 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A0C25D6.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A104FD2.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1C175995.exe Infected: not-a-virus:AdWare.Win32.AutoSearch.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CDB3ABF.tmp Infected: not-a-virus:AdWare.Win32.Maxifiles.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CDB3ABF.tmp Infected: Trojan-Dropper.Win32.VB.nb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EBA7DD5.chm Infected: not-a-virus:AdWare.Win32.MediaMotor.p 3
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EC725C6.dll Infected: not-a-virus:AdWare.Win32.Winsta.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F3C0D45.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F460B3A.tmp Infected: not-a-virus:AdWare.Win32.Altnet.m 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F493537.exe Infected: not-a-virus:AdWare.Win32.Altnet.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F565D28.exe Infected: Trojan-Downloader.Win32.TSUpdate.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F5A0725.fr3 Infected: not-a-virus:AdWare.Win32.AdZul.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F5D3121.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\214B43DA.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\238D5561.tmp Infected: not-a-virus:AdWare.Win32.Maxifiles.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\238D5561.tmp Infected: Trojan-Dropper.Win32.VB.nb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26FC739A.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26FC739A.exe Infected: Trojan-Dropper.Win32.VB.nb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2AFA56BF.wma Infected: Trojan-Downloader.WMA.Wimad.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\38E900F7.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BF1101E.exe Infected: Trojan-Clicker.Win32.VB.ly 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3EF43855.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.u 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3F252E1F.exe Infected: Trojan-Downloader.Win32.PurityScan.fx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53A91D49.exe Infected: Trojan-Dropper.Win32.Agent.aie 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53E318C1.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54173887.exe Infected: Trojan-Downloader.Win32.VB.apu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\541E147D.wma Infected: Trojan-Downloader.WMA.Wimad.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\548A6E51.exe Infected: Trojan-Clicker.Win32.VB.ly 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\548D184E.exe Infected: Trojan-Downloader.Win32.Adload.fk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\672668FE.zip Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\672668FE.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\673310F0.zip Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\673310F0.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\681461F8.tmp Infected: not-a-virus:AdWare.Win32.Maxifiles.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\681461F8.tmp Infected: Trojan-Dropper.Win32.VB.nb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\69F314B9.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F856656.exe Infected: not-a-virus:AdWare.Win32.Mostofate.r 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\705154E6.exe Infected: Trojan-Clicker.Win32.VB.pg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71347EC9.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75A61887.exe Infected: Trojan.Win32.VB.tg 3
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\766020AB.ocx Infected: Trojan-Downloader.Win32.VB.bo 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7663539A.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7820344F.chm Infected: not-a-virus:AdWare.Win32.MediaMotor.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7820344F.chm Infected: not-a-virus:Downloader.Win32.WinFixer.l 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79F3284D.wma Infected: Trojan-Downloader.WMA.Wimad.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79F65249.wma Infected: Trojan-Downloader.WMA.Wimad.d 1
C:\Documents and Settings\Pete\My Documents\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Pete\My Documents\SmitfraudFix\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Pete\My Documents\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Pete\My Documents\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2
C:\Documents and Settings\Pete\My Documents\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\fix\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\ultravnc\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\ultravnc\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Program Files\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0044889.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0044891.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0044892.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\temp\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\temp\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
D:\Programs\ultravnc\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
D:\Programs\ultravnc\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
D:\Programs\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

The selected area was scanned.

Now the DSS log:

Deckard's System Scanner v20071014.68
Run by Pete on 2008-06-27 22:48:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Pete.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-27 22:55:12
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\WINDOWS\SYSTEM32\ntvdm.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\SYSTEM32\cmd.exe
D:\dss.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://home.microsoft.com/search/lobby/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {AA1AD58C-6FA0-4105-90E8-D59849A81E61} - C:\WINDOWS\system32\ssqNHyWn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: (no name) - {d4b3636f-88ba-45e0-b92e-21ee6b8d3009} - C:\WINDOWS\system32\DISEGA.dll (file missing)
O2 - BHO: (no name) - {E6433B42-2235-E16C-F44B-294E19223097} - C:\WINDOWS\system32\boahcovo\vwoctgtn.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\SYSTEM32\cmd.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - \Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - \Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O10 - Unknown file in Winsock LSP: C:\WINDOWS\SYSTEM32\nwprovau.dll
O15 - Trusted Zone: https://www.gay-torrents.net (HKCU)
O15 - Trusted IP Range: https://62.212.84.217 (HKCU)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/d/4...0367/wmavax.CAB
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} () - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/i263_32.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789756515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789743765
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} () - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E...04/clearadj.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\system32\
O20 - Winlogon Notify: DISEGA - C:\WINDOWS\system32\DISEGA.dll (file missing)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\aol\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\aol\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Unknown owner - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: sfbskmiwdapbexy - Unknown owner - C:\WINDOWS\system32\wdapbexy\sfbskmi.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WQXBCAYNJ - Unknown owner - C:\DOCUME~1\Pete\LOCALS~1\Temp\WQXBCAYNJ.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe -k netsvcs


--
End of file - 15136 bytes

-- HijackThis Fixed Entries (C:\FIX\HIJACK\backups\) ---------------------------

backup-20080627-004926-303 O11 - Options group: [INTERNATIONAL] International*
backup-20080627-004926-422 O2 - BHO: (no name) - AutorunsDisabled - (no file)
backup-20080627-004926-791 O2 - BHO: (no name) - {50D59529-B348-4918-BDAE-2D651EF182A2} - C:\WINDOWS\system32\cdrt.dll (file missing)
backup-20080627-004927-108 O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
backup-20080627-004927-279 O15 - Trusted Zone: *.adgate.info (HKLM)
backup-20080627-004927-504 O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
backup-20080627-004927-780 O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://dl.boston.runaware.com/wficat.cab
backup-20080627-004927-835 O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20080627-004927-841 O15 - Trusted Zone: *.adsextend.net (HKLM)
backup-20080627-004928-436 O20 - Winlogon Notify: opnomjif - opnomjif.dll (file missing)
backup-20080627-004928-692 O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 0911A - c:\windows\system32\0911a.sys (file missing)
3 105E - c:\windows\system32\105e.sys (file missing)
3 1b39 - c:\windows\system32\1b39.sys (file missing)
3 2d416 - c:\windows\system32\2d416.sys (file missing)
3 574A - c:\windows\system32\574a.sys (file missing)
3 57614 - c:\windows\system32\57614.sys (file missing)
3 6b219 - c:\windows\system32\6b219.sys (file missing)
3 726D - c:\windows\system32\726d.sys (file missing)
3 7488 - c:\windows\system32\7488.sys (file missing)
3 c0b6 - c:\windows\system32\c0b6.sys (file missing)
3 cb711 - c:\windows\system32\cb711.sys (file missing)
3 cb9C - c:\windows\system32\cb9c.sys (file missing)
3 d175 - c:\windows\system32\d175.sys (file missing)
3 d7c15 - c:\windows\system32\d7c15.sys (file missing)
3 e0810 - c:\windows\system32\e0810.sys (file missing)
3 eac18 - c:\windows\system32\eac18.sys (file missing)
3 EraserUtilRebootDrv - c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys (file missing)
3 fa812 - c:\windows\system32\fa812.sys (file missing)
3 fea4 - c:\windows\system32\fea4.sys (file missing)
3 iAimTV2 - system32\drivers\watv03nt.sys (file missing)
3 MMRTKRNL - c:\windows\system32\drivers\mmrtkrnl.sys <Not Verified; ALCATech GmbH; ALCATech Realtime Audio Kernel>
1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
3 VIAudio (Vinyl AC'97 Audio Controller (WDM)) - system32\drivers\vinyl97.sys (file missing)
2 windev-3042-3ef4 - c:\windows\system32\windev-3042-3ef4.sys (file missing)
3 yyflbac - c:\windows\system32\dywi\yyflbac.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 CAISafe - c:\program files\yahoo!\antivirus\isafe.exe (file missing)
3 NSCService (Norton Protection Center Service) - c:\program files\common files\symantec shared\security console\nscsrvce.exe
4 RioMSC (Rio MSC Manager) - c:\windows\system32\riomsc.exe (file missing)
4 sfbskmiwdapbexy - c:\windows\system32\wdapbexy\sfbskmi.exe (file missing)
4 sprtsvc_ddoctorv2 (SupportSoft Sprocket Service (ddoctorv2)) - c:\program files\comcast\desktop doctor\bin\sprtsvc.exe
4 VETMSGNT (VET Message Service) - c:\program files\yahoo!\antivirus\vetmsg.exe (file missing)
3 WQXBCAYNJ - c:\docume~1\pete\locals~1\temp\wqxbcaynj.exe (file missing)
2 wscsvc (Security Center) - c:\windows\c:\windows\system32\svchost.exe -k netsvcs (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-27 22:46:19 410 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-06-15 01:21:18 338 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-06-01 01:00:45 330 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2308-12-22 07:43:41 3120 --a----c- C:\WINDOWS\system32\msvssrt.dll
2008-06-27 17:40:08 0 dr-h----- C:\Documents and Settings\Pete\Recent
2008-06-26 17:51:14 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 07:48:41 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-26 07:48:41 0 d-------- C:\Documents and Settings\Pete\Application Data\SUPERAntiSpyware.com
2008-06-24 21:54:26 528 --a------ C:\CFCleanUp.bat
2008-06-24 20:34:27 0 d-------- C:\fsaua.data
2008-06-23 22:11:35 0 d-------- C:\Program Files\CCleaner
2008-06-18 18:01:39 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 18:01:38 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 18:01:38 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 18:01:37 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 18:01:37 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 18:01:37 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 18:01:36 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-11 07:16:59 0 d-------- C:\Program Files\ultravnc
2008-06-04 13:00:28 28 --a------ C:\WINDOWS\system32\'
2008-06-04 12:59:58 5760 --a------ C:\WINDOWS\system32\vnchelp.dll <Not Verified; RDV Soft; UltraVnc Kernel>


-- Find3M Report ---------------------------------------------------------------

2008-06-27 22:42:02 0 d-------- C:\Program Files\McAfee
2008-06-27 22:42:01 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-26 22:20:34 0 d-------- C:\Documents and Settings\Pete\Application Data\AVG7
2008-06-24 13:15:01 0 d-------- C:\Program Files\FLV Player
2008-06-24 13:14:58 0 d-------- C:\Program Files\AOL 9.0
2008-06-23 21:58:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 18:19:30 1616 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 17:57:46 0 d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-13 05:19:24 0 d-------- C:\Program Files\NoAdware5.0
2008-05-19 00:30:46 0 d-------- C:\Program Files\DivX
2008-05-19 00:20:46 0 d-------- C:\Program Files\QuickTime
2008-05-19 00:15:58 0 d-------- C:\Program Files\Apple Software Update
2008-05-12 21:53:16 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll
2008-05-12 21:50:16 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-12 21:50:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-12 21:50:08 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-12 21:50:08 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-05-12 21:50:08 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-05-12 21:50:08 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-05-12 21:50:06 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-12 21:49:02 12288 --a----c- C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-09 23:58:38 0 d-------- C:\Documents and Settings\Pete\Application Data\AOL
2008-05-09 23:57:26 0 d-------- C:\Program Files\Common Files\aolshare
2008-05-09 23:56:52 0 d-------- C:\Program Files\AOL
2008-05-09 23:56:45 0 d-------- C:\Program Files\Common Files\aol
2008-05-03 19:23:32 0 d---s---- C:\Documents and Settings\Pete\Application Data\Microsoft
2008-05-03 17:37:37 430766 --ahs---- C:\WINDOWS\system32\nWyHNqss.ini2
2008-05-03 10:13:39 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-03 10:13:34 0 d-------- C:\Program Files\Symantec
2008-05-03 10:12:55 0 d-a------ C:\Program Files\Common Files
2008-05-01 10:54:20 0 d-------- C:\Documents and Settings\Pete\Application Data\Symantec


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1AD58C-6FA0-4105-90E8-D59849A81E61}]
C:\WINDOWS\system32\ssqNHyWn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4b3636f-88ba-45e0-b92e-21ee6b8d3009}]
C:\WINDOWS\system32\DISEGA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6433B42-2235-E16C-F44B-294E19223097}]
C:\WINDOWS\system32\boahcovo\vwoctgtn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/16/2005 11:11 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/21/2007 07:22 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/01/2005 05:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar2"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\Pete\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 7:28:24 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/4/2004 7:50:52 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\system32\rpcc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DISEGA]
DISEGA.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqNHyWn

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pete^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Pete\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d47b9155]
rundll32.exe "C:\WINDOWS\system32\ahdvrlaf.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fkfibuby]
C:\WINDOWS\system32\cvkzqpwv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1150858940\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"sfbskmiwdapbexy"=3 (0x3)
"SENS"=2 (0x2)
"VETMSGNT"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"RioMSC"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"BITS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"wscsvc"=2 (0x2)
"comHost"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-06-27 23:08:10 ------------


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:30 PM

Posted 28 June 2008 - 12:10 PM

Hello Pete L,

Welcome to Bleeping Computer :thumbsup:

Your system has been compromised. If you don't reformat and reinstall, which is your safest and surest course, then it is extremely important to change your passwords and such after it's clean. Your passwords are all known. Don't do it now, or they'll just get stolen again. Keep an eye on any sensitive accounts you might have for nefarious activity.

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :) After ComboFix has completed you can re-enable them all, then come back online to post the reports. Thanks!

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Pete L

Pete L
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 28 June 2008 - 03:47 PM

First the hijack log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:44 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\FIX\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {AA1AD58C-6FA0-4105-90E8-D59849A81E61} - C:\WINDOWS\system32\ssqNHyWn.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {d4b3636f-88ba-45e0-b92e-21ee6b8d3009} - C:\WINDOWS\system32\DISEGA.dll (file missing)
O2 - BHO: (no name) - {E6433B42-2235-E16C-F44B-294E19223097} - C:\WINDOWS\system32\boahcovo\vwoctgtn.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [PowerBar2] (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16 (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789756515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789743765
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: DISEGA - DISEGA.dll (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WQXBCAYNJ - Unknown owner - C:\DOCUME~1\Pete\LOCALS~1\Temp\WQXBCAYNJ.exe (file missing)

--
End of file - 10774 bytes

#4 Pete L

Pete L
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 28 June 2008 - 03:50 PM

and the combo fix:
ComboFix 08-06-20.4 - Pete 2008-06-28 14:54:39.1 - NTFSx86
Running from: C:\FIX\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Dxc.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aadnjtfu.ini
C:\WINDOWS\system32\antcvtua.ini
C:\WINDOWS\SYSTEM32\dtcsvhgr.ini
C:\WINDOWS\system32\falrvdha.ini
C:\WINDOWS\system32\fujqykay.ini
C:\WINDOWS\system32\idvhtlxl.ini
C:\WINDOWS\system32\itjtytyl.ini
C:\WINDOWS\system32\iuchxwbc.ini
C:\WINDOWS\system32\jmbnbfsi.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\nWyHNqss.ini
C:\WINDOWS\SYSTEM32\nWyHNqss.ini2
C:\WINDOWS\system32\pjdhshuk.ini
C:\WINDOWS\system32\qwgcevxr.ini
C:\WINDOWS\system32\qxsmwklo.ini
C:\WINDOWS\system32\rmoaccpw.ini
C:\WINDOWS\SYSTEM32\udansocf.ini
C:\WINDOWS\system32\usdgjjba.ini
C:\WINDOWS\SYSTEM32\vennvknh.ini
C:\WINDOWS\system32\wwhsdxaj.ini
C:\WINDOWS\system32\xubfxuxs.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDEV-3042-3EF4
-------\Service_windev-3042-3ef4


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2308-12-22 07:43 . 2308-12-22 07:43 3,120 --a--c--- C:\WINDOWS\SYSTEM32\msvssrt.dll
2008-06-28 11:01 . 2008-06-28 11:02 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-06-27 22:48 . 2008-06-27 22:48 <DIR> d-------- C:\Deckard
2008-06-26 23:57 . 2008-06-26 23:57 128,352 --a------ C:\WINDOWS\SYSTEM32\6b433.dll
2008-06-26 17:51 . 2008-06-26 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\SUPERAntiSpyware.com
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\SUPERAntiSpyware.com
2008-06-24 21:54 . 2007-06-02 02:59 528 --a------ C:\CFCleanUp.bat
2008-06-24 20:34 . 2008-06-24 20:34 <DIR> d-------- C:\fsaua.data
2008-06-23 22:11 . 2008-06-23 22:11 <DIR> d-------- C:\Program Files\CCleaner
2008-06-23 22:01 . 2008-06-23 14:11 6,467,096 --a------ C:\temp\SUPERAntiSpyware.exe
2008-06-23 20:11 . 2008-06-23 20:11 173,456 --a------ C:\temp\FixVundo.exe
2008-06-18 18:01 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-06-18 18:01 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-06-18 18:01 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-06-18 18:01 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-06-18 18:01 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-06-18 18:01 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-06-18 18:01 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-06-11 07:16 . 2008-06-11 07:17 <DIR> d-------- C:\Program Files\ultravnc
2008-06-04 13:00 . 2004-06-26 13:22 6,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vnccom.SYS
2008-06-04 13:00 . 2008-06-10 07:36 28 --a------ C:\WINDOWS\SYSTEM32\'
2008-06-04 12:59 . 2005-06-10 22:02 12,800 --a------ C:\WINDOWS\SYSTEM32\vncdrv.dll
2008-06-04 12:59 . 2004-06-26 13:21 5,760 --a------ C:\WINDOWS\SYSTEM32\vnchelp.dll
2008-06-04 12:59 . 2004-06-26 13:22 4,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vncdrv.sys
2008-05-29 20:13 . 2008-06-28 11:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 20:13 . 2008-05-29 20:13 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 02:42 --------- d-----w C:\Program Files\McAfee
2008-06-28 02:42 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-28 02:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-27 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-27 02:20 --------- d-----w C:\DOCUME~1\Pete\Application Data\AVG7
2008-06-27 02:20 --------- d-----w C:\DOCUME~1\Pete\Application Data\AVG7
2008-06-24 17:15 --------- d-----w C:\Program Files\FLV Player
2008-06-24 17:14 --------- d-----w C:\Program Files\AOL 9.0
2008-06-24 01:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 21:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-13 09:19 --------- d-----w C:\Program Files\NoAdware5.0
2008-05-19 04:30 --------- d-----w C:\Program Files\DivX
2008-05-19 04:20 --------- d-----w C:\Program Files\QuickTime
2008-05-19 04:15 --------- d-----w C:\Program Files\Apple Software Update
2008-05-19 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 03:58 --------- d-----w C:\DOCUME~1\Pete\Application Data\AOL
2008-05-10 03:58 --------- d-----w C:\DOCUME~1\Pete\Application Data\AOL
2008-05-10 03:57 --------- d-----w C:\Program Files\Common Files\aolshare
2008-05-10 03:56 --------- d-----w C:\Program Files\Common Files\aol
2008-05-10 03:56 --------- d-----w C:\Program Files\AOL
2008-05-10 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-10 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-03 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-03 23:26 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-03 23:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-03 14:13 --------- d-----w C:\Program Files\Symantec
2008-05-03 14:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 14:12 --------- d---a-w C:\Program Files\Common Files
2008-05-01 14:54 --------- d-----w C:\DOCUME~1\Pete\Application Data\Symantec
2008-05-01 14:54 --------- d-----w C:\DOCUME~1\Pete\Application Data\Symantec
2006-08-07 22:06 299 -c--a-w C:\DOCUME~1\Pete\Application Data\internaldb1942.dat
2006-08-07 22:06 299 -c--a-w C:\DOCUME~1\Pete\Application Data\internaldb1942.dat
2005-12-21 01:55 3,596 -c--a-w C:\DOCUME~1\Pete\Application Data\ViewerApp.dat
2005-12-21 01:55 3,596 -c--a-w C:\DOCUME~1\Pete\Application Data\ViewerApp.dat
2005-04-06 01:43 61,912 -c--a-w C:\DOCUME~1\Pete\Application Data\GDIPFONTCACHEV1.DAT
2005-04-06 01:43 61,912 -c--a-w C:\DOCUME~1\Pete\Application Data\GDIPFONTCACHEV1.DAT
2004-12-19 00:59 2,636,408 ------w C:\Documents and Settings\Pete\aawsepersonal.exe
2004-10-01 19:00 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
2003-07-12 01:04 46,592 ----a-w C:\Documents and Settings\Pete\KeyGen.exe
2003-05-30 15:06 1,155,072 ----a-w C:\Documents and Settings\Pete\Setup.exe
2002-09-13 03:15 32,768 ----a-w C:\Documents and Settings\Pete\ACID KEY CRACK 4.0.exe
2002-08-28 18:53 27,863,562 ----a-w C:\Documents and Settings\Pete\Acid Pro 4.0.exe..exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1AD58C-6FA0-4105-90E8-D59849A81E61}]
C:\WINDOWS\system32\ssqNHyWn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4b3636f-88ba-45e0-b92e-21ee6b8d3009}]
C:\WINDOWS\system32\DISEGA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6433B42-2235-E16C-F44B-294E19223097}]
C:\WINDOWS\system32\boahcovo\vwoctgtn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar2"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-06-02 16:13 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 19:22 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 17:16 5562368]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 18:38 54472]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-03 19:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\system32\rpcc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DISEGA]
DISEGA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pete^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Pete\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 08:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-05-03 19:26 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--------- 2005-10-16 02:46 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d47b9155]
C:\WINDOWS\system32\ahdvrlaf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 14:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fkfibuby]
C:\WINDOWS\system32\cvkzqpwv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2007-04-12 17:23 42032 C:\Program Files\Common Files\AOL\1150858940\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-07-12 05:58 1397760 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 17:16 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2007-03-07 11:58 1773568 C:\Program Files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-06-21 19:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2005-10-24 15:53 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"sfbskmiwdapbexy"=3 (0x3)
"SENS"=2 (0x2)
"VETMSGNT"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"RioMSC"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"BITS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"wscsvc"=2 (0x2)
"comHost"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)


.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 05:21:18 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-01 05:00:45 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-28 19:14:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 15:09:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\SYSTEM32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-06-28 15:16:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-28 19:16:19
ComboFix2.txt 2008-06-25 02:21:28

Pre-Run: 14,015,184,896 bytes free
Post-Run: 14,191,976,448 bytes free

287 --- E O F --- 2008-04-20 03:45:33

#5 teacup61

  • Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 June 2008 - 04:29 PM

Hello,

Lots to do this time, and I see how you got infected. :thumbsup:

First you should know that you're actually doing more harm than good by running 2, actually 3, Anti Virus programs. (AVG, Norton, and McAfee) When you do this both programs compete for resources, and the end result is neither does its best and can cause system instability. I recommend that you choose the one you want to keep, update it, disable or uninstall the other ones, and use it as an on demand only scan occasionally.

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O20 - Winlogon Notify: DISEGA - DISEGA.dll (file missing)
O23 - Service: WQXBCAYNJ - Unknown owner - C:\DOCUME~1\Pete\LOCALS~1\Temp\WQXBCAYNJ.exe (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\ssqNHyWn.dll
C:\WINDOWS\system32\DISEGA.dll
C:\WINDOWS\system32\boahcovo\vwoctgtn.dll
C:\WINDOWS\system32\ahdvrlaf.dll
C:\WINDOWS\system32\cvkzqpwv.exe

Folder::
C:\Program Files\antiviirus.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1AD58C-6FA0-4105-90E8-D59849A81E61}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4b3636f-88ba-45e0-b92e-21ee6b8d3009}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6433B42-2235-E16C-F44B-294E19223097}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DISEGA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d47b9155]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fkfibuby]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
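As an added example (not from this thread, and not code from HijackThis or ComboFix), here is a small Python triage script that applies the checks teacup61 is doing by eye to HijackThis-style log lines: orphaned entries ("(file missing)" / "(no file)"), binaries launched from a Temp folder, and random-looking file names like the Vundo DLLs in the logs above. The sample lines are constructed from entries quoted in this thread; the name heuristic only marks an entry for review, it is not a verdict.

```python
from __future__ import annotations

import re

# Constructed sample input in HijackThis log format. The entries are modelled on
# the ones quoted in this thread (random-named Vundo DLLs, an orphaned service
# in a Temp folder) plus a few legitimate entries for comparison.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {AA1AD58C-6FA0-4105-90E8-D59849A81E61} - C:\WINDOWS\system32\ssqNHyWn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [fkfibuby] C:\WINDOWS\system32\cvkzqpwv.exe
O20 - Winlogon Notify: DISEGA - DISEGA.dll (file missing)
O23 - Service: WQXBCAYNJ - Unknown owner - C:\DOCUME~1\Pete\LOCALS~1\Temp\WQXBCAYNJ.exe (file missing)
"""

# First drive-letter path ending in .exe or .dll on the line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)', re.IGNORECASE)
# Any path component named Temp (covers LOCALS~1\Temp and Local Settings\Temp).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

VOWELS = set("aeiouy")  # 'y' counted as a vowel to reduce false positives


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names such as ssqNHyWn or cvkzqpwv.

    A name is flagged when it has at least 8 letters, a vowel share of 25% or
    less, and a run of five or more consecutive consonants. Legitimate names
    like SDHelper or HPWuSchd2 fail at least one of these tests.
    """
    letters = [c.lower() for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_count = sum(c in VOWELS for c in letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_count / len(letters) <= 0.25 and longest >= 5


def triage_line(line: str) -> list[str]:
    """Return the review reasons for one HijackThis log line (empty if none)."""
    reasons: list[str] = []
    stripped = line.strip()
    if stripped.endswith("(file missing)") or stripped.endswith("(no file)"):
        reasons.append("orphaned entry: target no longer exists, safe to remove")
    match = PATH_RE.search(stripped)
    if match:
        path = match.group(0)
        if TEMP_RE.search(path):
            reasons.append("binary launched from a Temp directory")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append(f"random-looking file name: {stem}")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run triage_line over every line and keep only lines with findings."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```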

#6 Pete L

  • Topic Starter
  • Members
  • 18 posts

Posted 01 July 2008 - 10:04 PM

Still having the same problem. Losing the task bar and "systemy" type stuff takes forever! HijackThis won't run normally because it gets to the 'notepad' part and hangs. Then says that a process needs to complete and "Switch to"/"Retry". This is getting annoying. It does look like the combofix script did run because I'm not seeing the entries in the registry nor the directories listed. There must be something else going on, still.
ComboFix:
ComboFix 08-06-20.4 - Pete 2008-06-29 14:45:51.3 - NTFSx86
Running from: C:\FIX\ComboFix.exe
Command switches used :: cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2308-12-22 07:43 . 2308-12-22 07:43 3,120 --a--c--- C:\WINDOWS\SYSTEM32\msvssrt.dll
2008-06-29 00:38 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-28 19:25 . 2008-06-28 19:25 262,144 --a------ C:\Documents and Settings\trendy
2008-06-28 11:01 . 2008-06-28 11:02 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-06-27 22:48 . 2008-06-27 22:48 <DIR> d-------- C:\Deckard
2008-06-26 23:57 . 2008-06-26 23:57 128,352 --a------ C:\WINDOWS\SYSTEM32\6b433.dll
2008-06-26 17:51 . 2008-06-26 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\PROGRA~1\SUPERAntiSpyware
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\SUPERAntiSpyware.com
2008-06-24 21:54 . 2007-06-02 02:59 528 --a------ C:\CFCleanUp.bat
2008-06-24 20:34 . 2008-06-24 20:34 <DIR> d-------- C:\fsaua.data
2008-06-23 22:11 . 2008-06-23 22:11 <DIR> d-------- C:\PROGRA~1\CCleaner
2008-06-23 22:01 . 2008-06-23 14:11 6,467,096 --a------ C:\temp\SUPERAntiSpyware.exe
2008-06-23 20:11 . 2008-06-23 20:11 173,456 --a------ C:\temp\FixVundo.exe
2008-06-18 18:01 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-06-18 18:01 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-06-18 18:01 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-06-18 18:01 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-06-18 18:01 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-06-18 18:01 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-06-18 18:01 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-06-11 07:16 . 2008-06-11 07:17 <DIR> d-------- C:\PROGRA~1\ultravnc
2008-06-04 13:00 . 2004-06-26 13:22 6,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vnccom.SYS
2008-06-04 13:00 . 2008-06-10 07:36 28 --a------ C:\WINDOWS\SYSTEM32\'
2008-06-04 12:59 . 2005-06-10 22:02 12,800 --a------ C:\WINDOWS\SYSTEM32\vncdrv.dll
2008-06-04 12:59 . 2004-06-26 13:21 5,760 --a------ C:\WINDOWS\SYSTEM32\vnchelp.dll
2008-06-04 12:59 . 2004-06-26 13:22 4,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vncdrv.sys
2008-05-29 20:13 . 2008-06-28 11:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 20:13 . 2008-05-29 20:13 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 04:38 --------- d-----w C:\PROGRA~1\Java
2008-06-29 04:12 --------- d---a-w C:\PROGRA~1\Common Files
2008-06-29 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-27 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 17:15 --------- d-----w C:\PROGRA~1\FLV Player
2008-06-24 17:14 --------- d-----w C:\PROGRA~1\AOL 9.0
2008-06-24 01:58 --------- d-----w C:\PROGRA~1\COMMON~1\Wise Installation Wizard
2008-06-18 22:19 1,616 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-18 21:57 --------- d-----w C:\PROGRA~1\Spybot - Search & Destroy
2008-06-13 09:19 --------- d-----w C:\PROGRA~1\NoAdware5.0
2008-05-19 04:30 --------- d-----w C:\PROGRA~1\DivX
2008-05-19 04:20 --------- d-----w C:\PROGRA~1\QuickTime
2008-05-19 04:15 --------- d-----w C:\PROGRA~1\Apple Software Update
2008-05-19 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-13 01:53 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-05-13 01:53 3,596,288 -c--a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-05-13 01:51 200,704 -c--a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-05-13 01:51 1,044,480 -c--a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 -c--a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-05-10 03:58 --------- d-----w C:\DOCUME~1\Pete\Application Data\AOL
2008-05-10 03:57 --------- d-----w C:\PROGRA~1\COMMON~1\aolshare
2008-05-10 03:56 --------- d-----w C:\PROGRA~1\COMMON~1\aol
2008-05-10 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-10 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-03 14:13 --------- d-----w C:\PROGRA~1\Symantec
2008-05-03 14:13 --------- d-----w C:\PROGRA~1\COMMON~1\Symantec Shared
2008-05-01 14:54 --------- d-----w C:\DOCUME~1\Pete\Application Data\Symantec
2006-08-07 22:06 299 -c--a-w C:\DOCUME~1\Pete\Application Data\internaldb1942.dat
2005-12-21 01:55 3,596 -c--a-w C:\DOCUME~1\Pete\Application Data\ViewerApp.dat
2005-04-06 01:43 61,912 -c--a-w C:\DOCUME~1\Pete\Application Data\GDIPFONTCACHEV1.DAT
2004-12-19 00:59 2,636,408 ------w C:\Documents and Settings\Pete\aawsepersonal.exe
2004-10-01 19:00 40,960 -c--a-w C:\PROGRA~1\Uninstall_CDS.exe
2003-07-12 01:04 46,592 ----a-w C:\Documents and Settings\Pete\KeyGen.exe
2003-05-30 15:06 1,155,072 ----a-w C:\Documents and Settings\Pete\Setup.exe
2002-09-13 03:15 32,768 ----a-w C:\Documents and Settings\Pete\ACID KEY CRACK 4.0.exe
2002-08-28 18:53 27,863,562 ----a-w C:\Documents and Settings\Pete\Acid Pro 4.0.exe..exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_15.15.59.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 19:08:27 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-29 18:29:34 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-29 18:31:03 5,138 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{5B34EC76-9766-40FE-BB19-F24D5F9F679C}.bin
- 2008-06-28 11:50:51 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-06-29 02:29:08 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-06-28 11:50:51 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-06-29 02:29:08 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-06-28 11:50:51 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-29 02:29:08 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-10 16:27:06 49,248 -c--a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2005-11-10 16:27:16 49,250 -c--a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2005-11-10 18:03:54 127,078 -c--a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
- 2008-06-28 18:18:19 53,552 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-06-29 18:33:52 53,552 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-06-28 18:18:19 382,000 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-06-29 18:33:52 382,000 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-06-29 18:48:54 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar2"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-06-02 16:13 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 19:22 185896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 17:16 5562368]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 18:38 54472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\system32\rpcc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pete^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Pete\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 08:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--------- 2005-10-16 02:46 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 14:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2007-04-12 17:23 42032 C:\Program Files\Common Files\AOL\1150858940\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-07-12 05:58 1397760 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 17:16 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2007-03-07 11:58 1773568 C:\Program Files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-06-21 19:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2005-10-24 15:53 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"sfbskmiwdapbexy"=3 (0x3)
"SENS"=2 (0x2)
"VETMSGNT"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"RioMSC"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"BITS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"wscsvc"=2 (0x2)
"comHost"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)


.
Contents of the 'Scheduled Tasks' folder
"2008-06-29 18:36:27 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 14:48:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-06-29 14:53:09
ComboFix-quarantined-files.txt 2008-06-29 18:52:41
ComboFix2.txt 2008-06-29 18:13:19
ComboFix3.txt 2008-06-28 19:16:24
ComboFix4.txt 2008-06-25 02:21:28

Pre-Run: 14,296,203,264 bytes free
Post-Run: 14,276,968,448 bytes free

242 --- E O F --- 2008-04-20 03:45:33

AND NOW HIJACK:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:58 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\cmd.exe
C:\FIX\HiJackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\TASKMAN.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [PowerBar2] (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16 (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789756515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789743765
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9421 bytes

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 July 2008 - 11:44 AM

Hello,

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#8 Pete L

  • Topic Starter
  • Members
  • 18 posts

Posted 05 July 2008 - 11:39 AM

Mbam log had 6 or so removals:
Malwarebytes' Anti-Malware 1.19
Database version: 922
Windows 5.1.2600 Service Pack 2

11:57:17 AM 7/5/2008
mbam-log-7-5-2008 (11-57-17).txt

Scan type: Quick Scan
Objects scanned: 45113
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


HijackThis now says:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:43 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\cmd.exe
C:\FIX\HiJackThis.exe
C:\WINDOWS\system32\TASKMAN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [PowerBar2] (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16 (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789756515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789743765
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9229 bytes

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 July 2008 - 12:31 PM

Hello,

You keeping the cracks and keygens? :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\SYSTEM32\'


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running please?

Thanks,
tea
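A small triage script, added here as an example (it is not code from this thread, from the helper, or from the HijackThis project), that reads lines in the HijackThis log format posted above and pulls out what a reviewer looks at first: the two entries the helper asked to fix in post #9, entries HijackThis itself marks as "(file missing)" or "(no file)" (registry pointers left behind by an uninstall or a cleaned infection), the O10 unknown Winsock LSP file, and any entry whose URL points at a host outside a short allowlist. The sample log lines are constructed from the entries in this thread, and the KNOWN_HOSTS allowlist is an assumption for the demo; a real review would build it from the software actually installed on the machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: a few lines in HijackThis v2 log format, taken in
# shape from the log posted in this thread. This is an added example, not
# HijackThis code; the allowlist below is an assumption for the demo.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
"""

# The two entries the helper asked to have fixed in post #9, verbatim.
FIX_LIST = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    "O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL",
]

# Hosts treated as expected for this machine (constructed allowlist; in a real
# review this would be built from the vendor software actually installed).
KNOWN_HOSTS = {"www.yahoo.com", "go.microsoft.com", "www.update.microsoft.com"}

ORPHAN_MARKERS = ("(file missing)", "(no file)")
HJT_LINE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")


def parse_hjt(text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append({"section": m["section"], "body": m["body"], "line": line})
    return entries


def triage(entries, fix_list):
    """Return (reason, line) pairs for entries that deserve a second look."""
    wanted = {item.strip() for item in fix_list}
    findings = []
    for e in entries:
        line, body = e["line"], e["body"]
        if line in wanted:
            findings.append(("helper-listed fix", line))
        elif any(mark in body for mark in ORPHAN_MARKERS):
            # The registry still points at a file that no longer exists: a
            # leftover from an uninstall or a removed infection, worth cleaning.
            findings.append(("orphaned entry", line))
        elif e["section"] == "O10":
            # HijackThis could not attribute this Winsock LSP to a known vendor.
            findings.append(("unknown Winsock LSP file", line))
        else:
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname
                if host and host not in KNOWN_HOSTS:
                    findings.append((f"unrecognised host {host}", line))
                    break
    return findings


def summarize(findings):
    """Count findings per reason, collapsing the per-host reasons into one bucket."""
    counts = {}
    for reason, _ in findings:
        key = "unrecognised host" if reason.startswith("unrecognised host") else reason
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, line in triage(parse_hjt(SAMPLE_LOG), FIX_LIST):
        print(f"[{reason}] {line}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the "unrecognised host" bucket is a prompt to look an entry up, not a verdict, which is why the O16 Zenturi control is only listed for review while the two helper-listed lines are reported as fixes.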

#10 Pete L

  • Topic Starter
  • Members
  • 18 posts

Posted 06 July 2008 - 07:42 PM

First combofix:
ComboFix 08-07-05.1 - Pete 2008-07-06 20:33:51.4 - NTFSx86
Running from: C:\FIX\ComboFix.exe
Command switches used :: cfs.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2308-12-22 07:43 . 2308-12-22 07:43 3,120 --a--c--- C:\WINDOWS\SYSTEM32\msvssrt.dll
2008-07-05 10:42 . 2008-07-05 10:42 <DIR> d-------- C:\PROGRA~1\fix
2008-07-05 10:42 . 2008-07-05 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 10:42 . 2008-07-05 10:42 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\Malwarebytes
2008-07-05 10:42 . 2008-07-05 10:42 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\Malwarebytes
2008-07-05 10:42 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-05 10:42 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-29 00:38 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-28 19:25 . 2008-06-28 19:25 262,144 --a------ C:\Documents and Settings\trendy
2008-06-28 11:01 . 2008-06-28 11:02 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-06-27 22:48 . 2008-06-27 22:48 <DIR> d-------- C:\Deckard
2008-06-26 23:57 . 2008-06-26 23:57 128,352 --a------ C:\WINDOWS\SYSTEM32\6b433.dll
2008-06-26 17:51 . 2008-06-26 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\PROGRA~1\SUPERAntiSpyware
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\SUPERAntiSpyware.com
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\SUPERAntiSpyware.com
2008-06-24 21:54 . 2007-06-02 02:59 528 --a------ C:\CFCleanUp.bat
2008-06-24 20:34 . 2008-06-24 20:34 <DIR> d-------- C:\fsaua.data
2008-06-23 22:11 . 2008-06-23 22:11 <DIR> d-------- C:\PROGRA~1\CCleaner
2008-06-23 22:01 . 2008-06-23 14:11 6,467,096 --a------ C:\temp\SUPERAntiSpyware.exe
2008-06-23 20:11 . 2008-06-23 20:11 173,456 --a------ C:\temp\FixVundo.exe
2008-06-18 18:01 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-06-18 18:01 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-06-18 18:01 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-06-18 18:01 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-06-18 18:01 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-06-18 18:01 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-06-18 18:01 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-06-11 07:16 . 2008-06-11 07:17 <DIR> d-------- C:\PROGRA~1\ultravnc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 04:38 --------- d-----w C:\PROGRA~1\Java
2008-06-29 04:12 --------- d---a-w C:\PROGRA~1\Common Files
2008-06-29 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-27 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 17:15 --------- d-----w C:\PROGRA~1\FLV Player
2008-06-24 17:14 --------- d-----w C:\PROGRA~1\AOL 9.0
2008-06-24 01:58 --------- d-----w C:\PROGRA~1\COMMON~1\Wise Installation Wizard
2008-06-18 22:19 1,616 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-18 21:57 --------- d-----w C:\PROGRA~1\Spybot - Search & Destroy
2008-06-13 09:19 --------- d-----w C:\PROGRA~1\NoAdware5.0
2008-05-19 04:30 --------- d-----w C:\PROGRA~1\DivX
2008-05-19 04:20 --------- d-----w C:\PROGRA~1\QuickTime
2008-05-19 04:15 --------- d-----w C:\PROGRA~1\Apple Software Update
2008-05-19 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-13 01:53 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-05-13 01:53 3,596,288 -c--a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-05-13 01:51 200,704 -c--a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-05-13 01:51 1,044,480 -c--a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 -c--a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-05-10 03:58 --------- d-----w C:\DOCUME~1\Pete\Application Data\AOL
2008-05-10 03:58 --------- d-----w C:\DOCUME~1\Pete\Application Data\AOL
2008-05-10 03:57 --------- d-----w C:\PROGRA~1\COMMON~1\aolshare
2008-05-10 03:56 --------- d-----w C:\PROGRA~1\COMMON~1\aol
2008-05-10 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-10 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2006-08-07 22:06 299 -c--a-w C:\DOCUME~1\Pete\Application Data\internaldb1942.dat
2006-08-07 22:06 299 -c--a-w C:\DOCUME~1\Pete\Application Data\internaldb1942.dat
2005-12-21 01:55 3,596 -c--a-w C:\DOCUME~1\Pete\Application Data\ViewerApp.dat
2005-12-21 01:55 3,596 -c--a-w C:\DOCUME~1\Pete\Application Data\ViewerApp.dat
2005-04-06 01:43 61,912 -c--a-w C:\DOCUME~1\Pete\Application Data\GDIPFONTCACHEV1.DAT
2005-04-06 01:43 61,912 -c--a-w C:\DOCUME~1\Pete\Application Data\GDIPFONTCACHEV1.DAT
2004-12-19 00:59 2,636,408 ------w C:\Documents and Settings\Pete\aawsepersonal.exe
2004-10-01 19:00 40,960 -c--a-w C:\PROGRA~1\Uninstall_CDS.exe
2003-07-12 01:04 46,592 ----a-w C:\Documents and Settings\Pete\KeyGen.exe
2003-05-30 15:06 1,155,072 ----a-w C:\Documents and Settings\Pete\Setup.exe
2002-09-13 03:15 32,768 ----a-w C:\Documents and Settings\Pete\ACID KEY CRACK 4.0.exe
2002-08-28 18:53 27,863,562 ----a-w C:\Documents and Settings\Pete\Acid Pro 4.0.exe..exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_15.15.59.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 19:08:27 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-05 16:16:47 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-06-28 11:50:51 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-06-29 02:29:08 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-06-28 11:50:51 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-06-29 02:29:08 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-06-28 11:50:51 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-29 02:29:08 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-10 16:27:06 49,248 -c--a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2005-11-10 16:27:16 49,250 -c--a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2005-11-10 18:03:54 127,078 -c--a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
- 2008-06-28 18:18:19 53,552 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-07-05 16:21:06 53,552 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-06-28 18:18:19 382,000 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-07-05 16:21:06 382,000 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-07-07 00:37:14 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-06-02 16:13 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 19:22 185896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 17:16 5562368]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 18:38 54472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pete^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Pete\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 08:50 71216 C:\Program Files\Common Files\aol\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--------- 2005-10-16 02:46 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 14:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2007-04-12 17:23 42032 C:\Program Files\Common Files\aol\1150858940\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-07-12 05:58 1397760 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2007-03-07 11:58 1773568 C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-06-21 19:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2005-10-24 15:53 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 17:16 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"sfbskmiwdapbexy"=3 (0x3)
"SENS"=2 (0x2)
"VETMSGNT"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"RioMSC"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"BITS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"wscsvc"=2 (0x2)
"comHost"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-07 00:22:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKCU-Run-PowerBar2 - (no file)
Notify-AutorunsDisabled - C:\WINDOWS\system32\rpcc.dll
MSConfigStartUp-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-AVG7_EMC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
MSConfigStartUp-CAVRID - C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
MSConfigStartUp-YSearchProtection - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 20:37:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-07-06 20:39:42
ComboFix-quarantined-files.txt 2008-07-07 00:39:30
ComboFix2.txt 2008-06-29 18:53:10
ComboFix3.txt 2008-06-29 18:13:19
ComboFix4.txt 2008-06-28 19:16:24
ComboFix5.txt 2008-06-25 02:21:28

Pre-Run: 13,813,940,224 bytes free
Post-Run: 13,937,594,368 bytes free

242 --- E O F --- 2008-04-20 03:45:33

#11 Pete L

Pete L
  • Topic Starter

  • Members
  • 18 posts

Posted 06 July 2008 - 07:53 PM

I have problems running HijackThis. Title bar says, "Trend Micro HijackThis - v2.0.2". It gets to "O4 - Registry & Start Menu autoruns" and then hangs with "The action cannot be completed because the other application is busy. Choose 'Switch To' to activate the busy application and correct the problem". There are only 2 options, Switch To and Retry. If I keep on clicking these two, Notepad eventually comes up with the log.

Still can't access system stuff like usual and taskbar STILL disappears. AFAIK, I'm not saving any keygens or cracks. I'm not even sure what those are.
Hijack this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:16 PM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TASKMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\cmd.exe
C:\FIX\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-3072657604-1627166653-4260979949-1009\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=3566b284-e1b4-4225-901b-a466e060be16 (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789756515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192789743765
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8804 bytes

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 July 2008 - 08:24 PM

Hi,

These:

2003-07-12 01:04 46,592 ----a-w C:\Documents and Settings\Pete\KeyGen.exe
2003-05-30 15:06 1,155,072 ----a-w C:\Documents and Settings\Pete\Setup.exe
2002-09-13 03:15 32,768 ----a-w C:\Documents and Settings\Pete\ACID KEY CRACK 4.0.exe
2002-08-28 18:53 27,863,562 ----a-w C:\Documents and Settings\Pete\Acid Pro 4.0.exe..exe


Are you saying you didn't install these, or are you asking specifically what they are?

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
C:\fsaua.data

File::
C:\WINDOWS\SYSTEM32\d3d9caps.dat
C:\WINDOWS\SYSTEM32\6b433.dll


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
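Before a CFScript like the one above is dropped onto ComboFix.exe, a responder can confirm that every path it will remove actually appeared in the ComboFix report, with the size and timestamp that prompted the decision. The following script is an added example, not ComboFix's own code or part of the posts; it parses the CFScript exactly as posted and a constructed excerpt of the "Files Created" lines from the report posted later in the thread, and reports any entry that is missing or of the wrong kind (a File:: entry the log shows as a directory, or vice versa).

```python
"""Cross-check a ComboFix CFScript against the ComboFix report it was written from."""
import re
from typing import Dict, List, Tuple

# CFScript text exactly as posted in the thread (Folder:: and File:: sections).
CFSCRIPT = """\
Folder::
C:\\fsaua.data

File::
C:\\WINDOWS\\SYSTEM32\\d3d9caps.dat
C:\\WINDOWS\\SYSTEM32\\6b433.dll
"""

# Constructed excerpt in the ComboFix 'Files Created' line format, copied from
# lines that appear in the report posted later in the thread.
COMBOFIX_REPORT = """\
2008-07-05 10:42 . 2008-07-05 10:42 <DIR> d-------- C:\\PROGRA~1\\fix
2008-06-28 11:01 . 2008-06-28 11:02 664 --a------ C:\\WINDOWS\\SYSTEM32\\d3d9caps.dat
2008-06-26 23:57 . 2008-06-26 23:57 128,352 --a------ C:\\WINDOWS\\SYSTEM32\\6b433.dll
2008-06-24 20:34 . 2008-06-24 20:34 <DIR> d-------- C:\\fsaua.data
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
# created-date . modified-date  size-or-<DIR>  attribute-flags  path
REPORT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(<DIR>|[\d,]+)\s+(\S{9})\s+(.+?)\s*$"
)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {section: [paths]} for a CFScript; a new 'Name::' header starts a section."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_report(text: str) -> Dict[str, dict]:
    """Index ComboFix 'Files Created' lines by lower-cased path (NTFS paths are case-insensitive)."""
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = REPORT_RE.match(raw.strip())
        if not m:
            continue  # separators, headers and other sections are skipped
        created, modified, size, flags, path = m.groups()
        entries[path.lower()] = {
            "created": created,
            "modified": modified,
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "flags": flags,
        }
    return entries


def cross_check(script: Dict[str, List[str]], report: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (section, path, verdict) for every script entry.

    Verdicts: 'ok' (present in the report and of the expected kind),
    'wrong-kind' (File:: entry that is a directory, or Folder:: entry that is a file),
    'not-in-report' (the script names something the report never listed).
    """
    results: List[Tuple[str, str, str]] = []
    for section, paths in script.items():
        for path in paths:
            entry = report.get(path.lower())
            if entry is None:
                verdict = "not-in-report"
            elif section == "Folder" and not entry["is_dir"]:
                verdict = "wrong-kind"
            elif section == "File" and entry["is_dir"]:
                verdict = "wrong-kind"
            else:
                verdict = "ok"
            results.append((section, path, verdict))
    return results


if __name__ == "__main__":
    report = parse_report(COMBOFIX_REPORT)
    for section, path, verdict in cross_check(parse_cfscript(CFSCRIPT), report):
        detail = report.get(path.lower(), {})
        print(f"{verdict:14} {section}:: {path}  {detail.get('modified', '')} {detail.get('size', '')}")
```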

#13 Pete L

Pete L
  • Topic Starter

  • Members
  • 18 posts

Posted 07 July 2008 - 09:54 AM

I noticed in 'running processes' "CSRSS" isn't listed. It always shows up in taskman? Could this be one of/the culprit?
Acid was apparently loaded by one of my roommates' "friends". I didn't know it was even on the machine. Do you just uninstall, or are there registry settings, too?

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 July 2008 - 10:17 AM

Yes, uninstall it and delete the folder in Program Files, and look in Application Data for one as well. That **should** delete the keygen too, but post a new ComboFix log and we'll see for sure. Do you have your XP disk, or a recovery disk? If so, then you can run System File Checker to be sure all the system files are intact. Let me know in your reply, when you post the fresh ComboFix report. :thumbsup:

Thanks,
tea

#15 Pete L

Pete L
  • Topic Starter

  • Members
  • 18 posts

Posted 08 July 2008 - 06:29 AM

ComboFix log:
ComboFix 08-07-05.1 - Pete 2008-07-07 20:03:08.5 - NTFSx86
Running from: C:\FIX\ComboFix.exe
Command switches used :: cfs2.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2308-12-22 07:43 . 2308-12-22 07:43 3,120 --a--c--- C:\WINDOWS\SYSTEM32\msvssrt.dll
2008-07-05 10:42 . 2008-07-05 10:42 <DIR> d-------- C:\PROGRA~1\fix
2008-07-05 10:42 . 2008-07-05 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 10:42 . 2008-07-05 10:42 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\Malwarebytes
2008-07-05 10:42 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-05 10:42 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-29 00:38 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-28 19:25 . 2008-06-28 19:25 262,144 --a------ C:\Documents and Settings\trendy
2008-06-28 11:01 . 2008-06-28 11:02 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-06-27 22:48 . 2008-06-27 22:48 <DIR> d-------- C:\Deckard
2008-06-26 23:57 . 2008-06-26 23:57 128,352 --a------ C:\WINDOWS\SYSTEM32\6b433.dll
2008-06-26 17:51 . 2008-06-26 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\PROGRA~1\SUPERAntiSpyware
2008-06-26 07:48 . 2008-06-26 07:48 <DIR> d-------- C:\DOCUME~1\Pete\Application Data\SUPERAntiSpyware.com
2008-06-24 21:54 . 2007-06-02 02:59 528 --a------ C:\CFCleanUp.bat
2008-06-24 20:34 . 2008-06-24 20:34 <DIR> d-------- C:\fsaua.data
2008-06-23 22:11 . 2008-06-23 22:11 <DIR> d-------- C:\PROGRA~1\CCleaner
2008-06-23 22:01 . 2008-06-23 14:11 6,467,096 --a------ C:\temp\SUPERAntiSpyware.exe
2008-06-23 20:11 . 2008-06-23 20:11 173,456 --a------ C:\temp\FixVundo.exe
2008-06-18 18:01 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-06-18 18:01 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-06-18 18:01 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-06-18 18:01 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-06-18 18:01 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-06-18 18:01 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-06-18 18:01 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-06-11 07:16 . 2008-06-11 07:17 <DIR> d-------- C:\PROGRA~1\ultravnc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 04:38 --------- d-----w C:\PROGRA~1\Java
2008-06-29 04:12 --------- d---a-w C:\PROGRA~1\Common Files
2008-06-29 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-27 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 17:15 --------- d-----w C:\PROGRA~1\FLV Player
2008-06-24 17:14 --------- d-----w C:\PROGRA~1\AOL 9.0
2008-06-24 01:58 --------- d-----w C:\PROGRA~1\COMMON~1\Wise Installation Wizard
2008-06-18 22:19 1,616 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-18 21:57 --------- d-----w C:\PROGRA~1\Spybot - Search & Destroy
2008-06-13 09:19 --------- d-----w C:\PROGRA~1\NoAdware5.0
2008-05-19 04:30 --------- d-----w C:\PROGRA~1\DivX
2008-05-19 04:20 --------- d-----w C:\PROGRA~1\QuickTime
2008-05-19 04:15 --------- d-----w C:\PROGRA~1\Apple Software Update
2008-05-19 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-13 01:53 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-05-13 01:53 3,596,288 -c--a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-05-13 01:51 200,704 -c--a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-05-13 01:51 1,044,480 -c--a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 -c--a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-05-10 03:58 --------- d-----w C:\DOCUME~1\Pete\Application Data\AOL
2008-05-10 03:57 --------- d-----w C:\PROGRA~1\COMMON~1\aolshare
2008-05-10 03:56 --------- d-----w C:\PROGRA~1\COMMON~1\aol
2008-05-10 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-10 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2006-08-07 22:06 299 -c--a-w C:\DOCUME~1\Pete\Application Data\internaldb1942.dat
2005-12-21 01:55 3,596 -c--a-w C:\DOCUME~1\Pete\Application Data\ViewerApp.dat
2005-04-06 01:43 61,912 -c--a-w C:\DOCUME~1\Pete\Application Data\GDIPFONTCACHEV1.DAT
2004-12-19 00:59 2,636,408 ------w C:\Documents and Settings\Pete\aawsepersonal.exe
2004-10-01 19:00 40,960 -c--a-w C:\PROGRA~1\Uninstall_CDS.exe
2003-07-12 01:04 46,592 ----a-w C:\Documents and Settings\Pete\KeyGen.exe
2003-05-30 15:06 1,155,072 ----a-w C:\Documents and Settings\Pete\Setup.exe
2002-09-13 03:15 32,768 ----a-w C:\Documents and Settings\Pete\ACID KEY CRACK 4.0.exe
2002-08-28 18:53 27,863,562 ----a-w C:\Documents and Settings\Pete\Acid Pro 4.0.exe..exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_15.15.59.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 19:08:27 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-07 01:10:56 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-06-28 11:50:51 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-06-29 02:29:08 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-06-28 11:50:51 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-06-29 02:29:08 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-06-28 11:50:51 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-29 02:29:08 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-10 16:27:06 49,248 -c--a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2005-11-10 16:27:16 49,250 -c--a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2005-11-10 18:03:54 127,078 -c--a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
- 2008-06-28 18:18:19 53,552 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-07-07 01:15:14 53,552 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-06-28 18:18:19 382,000 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-07-07 01:15:14 382,000 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-07-08 00:06:37 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-06-02 16:13 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 19:22 185896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 17:16 5562368]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 18:38 54472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pete^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Pete\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 08:50 71216 C:\Program Files\Common Files\aol\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--------- 2005-10-16 02:46 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 14:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2007-04-12 17:23 42032 C:\Program Files\Common Files\aol\1150858940\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-07-12 05:58 1397760 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2007-03-07 11:58 1773568 C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-06-21 19:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2005-10-24 15:53 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 17:16 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"sfbskmiwdapbexy"=3 (0x3)
"SENS"=2 (0x2)
"VETMSGNT"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"RioMSC"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"BITS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"wscsvc"=2 (0x2)
"comHost"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)


.
Contents of the 'Scheduled Tasks' folder
"2008-07-07 22:59:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 20:06:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-07-07 20:11:14
ComboFix-quarantined-files.txt 2008-07-08 00:10:35
ComboFix2.txt 2008-07-07 00:39:42
ComboFix3.txt 2008-06-29 18:53:10
ComboFix4.txt 2008-06-29 18:13:19
ComboFix5.txt 2008-06-28 19:16:24

Pre-Run: 13,869,285,376 bytes free
Post-Run: 13,900,361,728 bytes free

227 --- E O F --- 2008-04-20 03:45:33



