Antispywaremaster Virus?


  • This topic is locked
1 reply to this topic

#1 c3333y

c3333y

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 06 July 2008 - 01:14 AM

Thank you, bleepingcomputer.com! Your guide "How to use ComboFix" saved my ass.

Yesterday, my laptop was hit by a virus that caused the following problems:
It would pop up links every few minutes saying to download anti-spyware software, it modified the time setting on my taskbar to say “VIRUS ALERT!,” my laptop could not see the C: drive, and the start menu no longer showed the Control Panel, Help and Support, Run …, etc.

I googled these symptoms and found a link to “Yahoo! Answers” where others had these problems. One responder thought this was the “AntiSpywareMaster” virus and suggested going to bleepingcomputer.com to download and run ComboFix.

I just ran ComboFix, which seems to have fixed the problems. However, per your website, I am posting my ComboFix log (copied below) in case my laptop has any infections left over.

Thanks in advance for your help.

+++++++++++++++++++++++++++++++++++++

ComboFix 08-07-05.1 - c3333y 2008-07-05 21:36:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.471 [GMT -7:00]
Running from: C:\Documents and Settings\C3333y\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\C3333y\Application Data\inst.exe
C:\Documents and Settings\C3333y\Favorites\Error Cleaner.url
C:\Documents and Settings\C3333y\Favorites\Privacy Protector.url
C:\Documents and Settings\C3333y\Favorites\Spyware&Malware Protection.url
C:\Program Files\Common Files\{3C66EBBF-0726-1033-0929-060315060001}
C:\Program Files\Common Files\{BC66EBBF-0726-1033-0929-060315060001}
C:\Program Files\Common Files\{BC66EBBF-0727-1033-0929-060315060001}
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.tmp
C:\WINDOWS\system32\bjkubhrx.ini
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\yivchvfi.ini
C:\WINDOWS\system32\yivchvfi.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-05 09:25 . 2008-07-05 09:25 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-04 12:06 . 2008-07-04 12:06 <DIR> d-------- C:\Program Files\ThreatFire
2008-07-04 12:06 . 2008-07-04 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-04 12:06 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-07-04 12:06 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-07-04 12:06 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-07-04 12:06 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-07-04 11:02 . 2008-07-04 12:26 <DIR> d-------- C:\Program Files\tclock
2008-07-04 10:03 . 2008-07-03 16:52 180,224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-04 10:03 . 2008-07-03 16:52 155,648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-04 10:03 . 2008-07-03 16:52 86,016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-06-27 22:03 . 2008-06-28 08:55 <DIR> d-------- C:\Documents and Settings\C3333y\Application Data\HouseCall 6.6
2008-06-26 12:00 . 1998-11-03 12:38 204,800 --------- C:\WINDOWS\system32\adfactry.dll
2008-06-26 12:00 . 1998-11-03 12:38 123,392 --------- C:\WINDOWS\system32\dzip32.dll
2008-06-26 12:00 . 1998-11-03 12:38 96,768 --------- C:\WINDOWS\system32\dunzip32.dll
2008-06-26 12:00 . 1998-11-03 12:38 60,928 --------- C:\WINDOWS\system32\sfxbe322.dll
2008-06-26 12:00 . 1998-11-03 12:38 60,416 --------- C:\WINDOWS\system32\sfxbe321.dll
2008-06-26 12:00 . 1998-11-03 12:38 54,272 --------- C:\WINDOWS\system32\sfxfe32.exe
2008-06-26 12:00 . 1998-11-03 12:38 14,848 --------- C:\WINDOWS\system32\adreg32.exe
2008-06-26 11:59 . 1999-11-02 01:44 417,792 --------- C:\WINDOWS\system32\fxdb.dll
2008-06-26 11:59 . 1999-11-02 01:55 122,880 --------- C:\WINDOWS\system32\FXAB32.DLL
2008-06-26 11:57 . 2008-06-26 11:57 <DIR> d-------- C:\Program Files\Corel
2008-06-26 11:57 . 1998-08-11 15:04 1,213,440 --------- C:\WINDOWS\system32\opengl.dll
2008-06-26 11:57 . 1998-08-11 15:04 315,904 --------- C:\WINDOWS\system32\glu.dll
2008-06-26 11:57 . 1998-08-11 15:04 154,624 --------- C:\WINDOWS\system32\glut.dll
2008-06-26 11:57 . 1999-11-02 03:52 131,072 --------- C:\WINDOWS\system32\shellwp.dll
2008-06-26 11:57 . 1998-08-10 13:45 46,592 --------- C:\WINDOWS\system32\csh.dll
2008-06-26 11:57 . 1999-07-06 13:09 28,252 --------- C:\WINDOWS\corelpf.lrs
2008-06-26 11:57 . 1998-08-10 13:46 7,680 --------- C:\WINDOWS\system32\shlwp9en.dll
2008-06-26 11:54 . 2008-06-26 12:07 <DIR> d-------- C:\WINDOWS\Corel
2008-06-25 20:23 . 2008-06-25 20:28 <DIR> d-------- C:\Program Files\Nancy Drew - The Haunted Carousel
2008-06-25 19:14 . 2008-06-25 19:14 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-25 14:52 . 2008-06-28 14:29 <DIR> d-------- C:\Documents and Settings\C3333y\.housecall6.6
2008-06-25 13:39 . 2008-06-25 13:39 103 --a------ C:\WINDOWS\pro.INI
2008-06-23 16:48 . 2008-06-23 16:51 <DIR> dr-h-c--- C:\$VAULT$.AVG
2008-06-23 11:43 . 2008-07-04 17:21 <DIR> d-------- C:\Documents and Settings\C3333y\Application Data\uTorrent
2008-06-23 11:38 . 2008-06-23 11:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-23 11:38 . 2008-06-23 11:38 <DIR> d-------- C:\Program Files\Microsoft Student
2008-06-23 11:38 . 2008-06-23 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-23 11:37 . 2008-06-23 11:37 <DIR> d-------- C:\Program Files\JAM Software
2008-06-23 11:36 . 2008-06-23 11:36 <DIR> d-------- C:\Program Files\TurboTax
2008-06-23 11:36 . 2008-06-25 13:39 <DIR> d-------- C:\Program Files\Teleport Pro
2008-06-23 11:36 . 2008-06-23 11:36 <DIR> d-------- C:\Program Files\PestPatrol
2008-06-23 11:36 . 2008-06-23 11:38 <DIR> d-------- C:\Program Files\JelloDashboard
2008-06-23 11:36 . 2008-06-25 21:38 <DIR> d-------- C:\Program Files\gnubg
2008-06-23 11:36 . 2008-06-23 11:36 <DIR> d-------- C:\Program Files\FrostWire
2008-06-23 11:36 . 2008-07-04 14:40 <DIR> d-------- C:\Program Files\BatchRename Pro
2008-06-23 11:33 . 2008-06-23 11:33 <DIR> d-------- C:\Program Files\uTorrent
2008-06-23 11:33 . 2008-07-02 17:02 <DIR> d-------- C:\Program Files\Unlocker
2008-06-23 11:33 . 2008-06-23 11:33 <DIR> d-------- C:\Program Files\Thinkmo
2008-06-23 11:33 . 2008-06-23 11:33 <DIR> d-------- C:\Program Files\Minilyrics
2008-06-23 11:33 . 2008-06-28 11:35 <DIR> d-------- C:\Program Files\Juice
2008-06-23 11:33 . 2008-07-04 15:21 <DIR> d-------- C:\Program Files\iPod
2008-06-23 11:33 . 2008-06-23 11:33 <DIR> d-------- C:\Program Files\Avira
2008-06-23 11:25 . 2008-06-23 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-22 21:41 . 2008-06-22 21:41 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-06-22 21:41 . 2008-06-23 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-06-22 10:40 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-22 10:40 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-18 17:28 . 2008-06-18 17:28 <DIR> d-------- C:\Documents and Settings\C3333Y\LOCALS~1
2008-06-18 17:28 . 2008-06-18 17:28 <DIR> d-------- C:\Documents and Settings\C3333Y
2008-06-18 13:03 . 2008-07-05 12:21 <DIR> d---s---- C:\Documents and Settings\C3333y
2008-06-16 07:45 . 2008-06-16 07:45 0 --a------ C:\WINDOWS\Game.INI
2008-06-15 17:41 . 2008-06-15 17:41 <DIR> d-------- C:\Program Files\iTunes
2008-06-15 17:39 . 2008-06-15 17:39 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-15 17:38 . 2008-06-15 17:38 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-15 17:38 . 2008-06-15 17:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-15 17:38 . 2008-06-15 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 04:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 01:35 --------- d-----w C:\Documents and Settings\C3333y\Application Data\MiniLyrics
2008-06-28 15:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-26 19:07 --------- d-----w C:\Program Files\Common Files\BDE
2008-06-26 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-06-25 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-06-25 20:19 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-06-19 01:45 --------- d-----w C:\Program Files\Yahoo!
2008-06-19 00:25 --------- d-----w C:\Documents and Settings\C3333y\Application Data\Vso
2008-06-16 00:41 --------- d-----w C:\Documents and Settings\C3333y\Application Data\Apple Computer
2008-06-16 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-16 00:40 --------- d-----w C:\Program Files\QuickTime Alternative
2008-06-15 23:15 --------- d-----w C:\Documents and Settings\C3333y\Application Data\DivX
2008-06-13 19:27 --------- d-----w C:\Documents and Settings\C3333y\Application Data\Roxio
2008-06-11 14:18 --------- d-----w C:\Program Files\DivX
2008-06-03 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Barbie Fashion Show
2008-06-01 09:25 --------- d-----w C:\Documents and Settings\C3333y\Application Data\BatchRename
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-30 06:19 --------- d-----w C:\Documents and Settings\C3333y\Application Data\WordWeb
2008-05-30 05:02 --------- d-----w C:\Program Files\WordWeb
2008-05-30 01:17 --------- d-----w C:\Documents and Settings\C3333y\Application Data\JAM Software
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-18 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-05-18 05:02 --------- d-----w C:\Documents and Settings\C3333y\Application Data\FrostWire
2008-05-17 06:08 --------- d-----w C:\Documents and Settings\C3333y\Application Data\Research In Motion
2008-05-17 05:47 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-17 05:43 --------- d-----w C:\Program Files\Roxio
2008-05-17 05:38 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-05-17 05:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-05-17 05:21 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-05-17 04:07 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-05-17 03:32 --------- d-----w C:\Documents and Settings\C3333y\Application Data\InstallShield
2008-05-17 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-15 01:01 --------- d-----w C:\Documents and Settings\C3333y\Application Data\Ashampoo
2008-05-15 01:00 --------- d-----w C:\Program Files\Ashampoo
2008-05-15 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:07 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-05-07 02:53 --------- d-----w C:\Program Files\WMR11
2008-05-06 05:45 --------- d-----w C:\Documents and Settings\C3333y\Application Data\iPodder
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-30 03:01 47,360 -c--a-w C:\Documents and Settings\C3333y\Application Data\pcouffin.sys
2007-08-24 21:53 1,663 ----a-w C:\WINDOWS\inf\COMFD.tmp
2007-02-03 16:31 1,155 -c--a-w C:\Documents and Settings\C3333y\Application Data\SAS7_000.DAT
2006-12-10 18:05 81,920 ----a-w C:\Documents and Settings\C3333y\Application Data\ezpinst.exe
2006-11-17 02:42 0 -c--a-w C:\Documents and Settings\C3333y\Application Data\wklnhst.dat
2004-09-18 22:28 20,480 ----a-w C:\WINDOWS\inf\WtUninst.exe
1999-01-15 16:51 266 ----a-w C:\Program Files\internet explorer\plugins\Efile.dll
2006-01-25 15:38 108 -csha-r C:\WINDOWS\neoqaz2.dll
2007-08-24 22:06 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-08-24 22:06 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-08-24 22:06 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B0DBF6AE-D8A1-47E3-9E8A-EE9D41D9BE1C}"= "C:\WINDOWS\nqgpedlr.dll" [2008-07-03 16:52 155648]

[HKEY_CLASSES_ROOT\clsid\{b0dbf6ae-d8a1-47e3-9e8a-ee9d41d9be1c}]
[HKEY_CLASSES_ROOT\nqgpedlr.1]
[HKEY_CLASSES_ROOT\TypeLib\{7E6B5CA2-34AC-456B-A0F8-CD9FFE96FE31}]
[HKEY_CLASSES_ROOT\nqgpedlr]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"PureText"="C:\Program Files\PureText\PureText.exe" [2003-08-21 02:00 28672]
"DellSupport"="C:\PROGRA~1\DELLSU~1\DSAgnt.exe" [2006-07-16 19:29 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 09:48 761947]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 03:03 7557120]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:40 218032]
"HotKeyz.exe Startup"="C:\Program Files\Skynergy\HotKeyz\HotKeyz.exe" [2006-11-21 11:05 837632]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]
"vptray"="C:\PROGRA~1\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2003-05-21 02:21 90112]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]

C:\Documents and Settings\C3333y\Start Menu\Programs\Startup\
Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]
tclock.lnk - C:\Program Files\tclock\tclock.exe [2008-07-04 11:03:44 44544]
WordWeb Pro.lnk - C:\Program Files\WordWeb\wweb32.exe [2008-05-29 22:02:51 44384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"axrfgvek"= {5624B73B-85BA-4A9C-AC26-B8A5AAC12552} - C:\WINDOWS\axrfgvek.dll [2008-07-03 16:52 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"mixer"= APTRRNTm.dll
"wave"= APTRRNTm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-12 06:18 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-07-16 19:29 389120 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-05-31 06:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-01-26 23:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
--a------ 2006-10-27 16:48 507904 C:\WINDOWS\system32\spool\drivers\w32x86\3\fpdisp5a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeyz.exe]
--a------ 2006-11-21 11:05 837632 C:\Program Files\Skynergy\HotKeyz\HotKeyz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-07-07 16:15 600896 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-09-11 04:40 218032 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 04:40 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--a------ 2003-09-10 00:24 20480 C:\Program Files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-21 03:03 7557120 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2006-03-21 03:03 73728 C:\WINDOWS\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-03-21 03:03 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 14:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"UxTuneUp"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RichVideo"=2 (0x2)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"EvtEng"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\Quickset.exe
"SigmatelSysTrayApp"=stsystra.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16747:TCP"= 16747:TCP:BitComet 16747 TCP
"16747:UDP"= 16747:UDP:BitComet 16747 UDP
"18934:TCP"= 18934:TCP:BitComet 18934 TCP
"18934:UDP"= 18934:UDP:BitComet 18934 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-10 08:44]
S4 agony;agony;C:\DOCUME~1\C3333Y\LOCALS~1\Temp\_ir_sf7_temp_1\agony.sys []
S4 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-01-17 21:54]
S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-12 06:30]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d46dba37-bb42-11dc-b791-0015c5509cae}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d46dba39-bb42-11dc-b791-0015c5509cae}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 06:49:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-06-16 00:39:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{F96A5715-5022-4982-83E4-D051EC7DDC71} - C:\WINDOWS\kgqfweltafd.dll
HKLM-Run-RegistryMechanic - (no file)
Notify-AutorunsDisabled - WRLogonNTF.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 21:45:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-07-05 21:51:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-06 04:51:38

Pre-Run: 31,469,867,008 bytes free
Post-Run: 31,467,851,776 bytes free

378 --- E O F --- 2008-06-25 19:59:11
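As an added example, not part of this thread and not code from ComboFix or BleepingComputer, here is a small Python triage helper for the kind of log pasted above. It parses entries laid out the way the "Reg Loading Points" section prints them (key header in square brackets, then `"name"= value [date time size]` lines) and flags, for manual review, autostart entries whose binary sits loose in the Windows directory rather than in a subfolder, or whose file timestamp falls within a few days of the scan. The sample lines are copied from the log in this thread; the regular expressions, the two heuristics and the seven-day window are assumptions of mine, not anything ComboFix documents, and a flag means "look at this entry", not "this file is malicious".

```python
import re
from datetime import date, datetime

# Constructed sample input: four entries in the layout ComboFix uses for its
# "Reg Loading Points" section (lines copied from the log in this thread).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B0DBF6AE-D8A1-47E3-9E8A-EE9D41D9BE1C}"= "C:\WINDOWS\nqgpedlr.dll" [2008-07-03 16:52 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 09:48 761947]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"axrfgvek"= {5624B73B-85BA-4A9C-AC26-B8A5AAC12552} - C:\WINDOWS\axrfgvek.dll [2008-07-03 16:52 180224]
'''

# Date of the scan, taken from the log header ("ComboFix 08-07-05.1 ... 2008-07-05").
SCAN_DATE = date(2008, 7, 5)

# Assumed line formats (my reading of the log layout, not a documented grammar).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*'
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+)\]$"
)
# First drive-letter path ending in a PE/driver extension inside the value.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys)', re.IGNORECASE)
# A file directly under X:\WINDOWS\ with no further subdirectory.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def parse_loading_points(log_text):
    """Return one dict per autostart entry: key, name, path, mtime, size."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if not m or current_key is None:
            continue  # not an entry line, or an entry before any key header
        p = PATH_RE.search(m.group("value"))
        entries.append({
            "key": current_key,
            "name": m.group("name"),
            "path": p.group(0) if p else None,
            "mtime": datetime.strptime(
                m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size")),
        })
    return entries


def triage_loading_points(log_text, scan_date, recent_days=7):
    """Return the entries that trip at least one heuristic, with the reasons.

    Heuristics (assumptions, tune to taste):
      * binary lives directly in the Windows directory, not a subfolder;
      * file timestamp is within `recent_days` of the scan date.
    """
    flagged = []
    for e in parse_loading_points(log_text):
        reasons = []
        if e["path"] and WINDIR_ROOT_RE.match(e["path"]):
            reasons.append("binary sits directly in the Windows directory")
        if (scan_date - e["mtime"].date()).days <= recent_days:
            reasons.append(f"file timestamp within {recent_days} days of the scan")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_loading_points(SAMPLE_LOG, SCAN_DATE):
        print(f"{hit['key']}")
        print(f"  {hit['name']} -> {hit['path']} ({hit['mtime']:%Y-%m-%d}, {hit['size']} bytes)")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run on the sample, the two entries pointing at freshly written DLLs in the root of C:\WINDOWS are reported with both reasons, while the Synaptics and ThreatFire entries under Program Files are not. Sorting by the number of reasons is a reasonable way to decide which entries in a long log to look at first; the decision itself still belongs to a person, which is also the point the reply below makes.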



#2 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:05:20 PM

Posted 06 July 2008 - 01:34 AM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA




