Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Coolwebsearch, And Trojandownloader.xs


  • This topic is locked This topic is locked
14 replies to this topic

#1 LoneShark

LoneShark

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 10 July 2008 - 01:52 PM

I have been trying to remove these two infections for some time now. I cannot access my task manager and receive lots of pop-ups. I have tried running cwshredder and smitfraudfix to eliminate them, but they continue to be a pest. Have Avast antivirus installed, but only after the infection. My hijack this log seems short to me compared to others, but it is all it shows. It is a Gateway Laptop which the dvd drive in it has not been working for a while so i'm unable to reformat the harddrive and hoping there is another way to clean it up. Any help would be appriciated, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:26 PM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\uoyzsydz.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\qcntktdm.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\GetPack\GetPack19.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: {9fce35c3-79f0-c84a-9fe4-99e03e2057d0} - {0d7502e3-0e99-4ef9-a48c-0f973c53ecf9} - C:\WINDOWS\system32\uvxdtj.dll
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {8E5482BA-1F9C-462A-A516-2D03317D811B} - C:\WINDOWS\system32\yayvuRKC.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: gooochi browser optimizer - {c3bae379-c90d-8e78-d7bf-d6cfdc8ba595} - C:\WINDOWS\system32\ifovdrwrxfacis.dll
O2 - BHO: (no name) - {C738F3D2-1891-449D-AE67-D1969094F1DF} - C:\WINDOWS\system32\ddcDvtQK.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [{43f80fb7-2bba-e8b4-6c7b-213be9a3dd3a}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\ifovdrwrxfacis.dll" DllStart
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qcntktdm.exe DWram02
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00e8f934] rundll32.exe "C:\WINDOWS\system32\ocuitpqe.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BM03dbcaa8] Rundll32.exe "C:\WINDOWS\system32\xreskkad.dll",s
O4 - HKCU\..\Run: [zrkw] C:\PROGRA~1\COMMON~1\zrkw\zrkwm.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\cqbrjg.exe
O4 - HKCU\..\Run: [SearchAndDestroyT] C:\Program Files\Search And Destroy\SearchAndDestroy.exe
O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntktdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rswnw64n.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: ddcDvtQK - C:\WINDOWS\SYSTEM32\ddcDvtQK.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8654 bytes

BC AdBot (Login to Remove)

 


m

#2 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 10 July 2008 - 03:32 PM

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please reply to this thread, do not start another.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

As I am still in training, everything that I post to you must be checked by one of the teachers. Thus, there may be a bit of a delay between posts, but it shouldn't be too long.

If you follow these instructions, everything should go smoothly.

we are currently looking at your log now and will be back as soon as possible with your instructions.
while you are waiting one other thing that can be of good use is an uninstall list so please do the following

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#3 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 11 July 2008 - 07:07 AM

Hello,

Step 1:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt in your next reply.
Step 2:
Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
    • Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as it is and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Checked (ticked) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
Step 3:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
Please post the following in your next reply:
  • The SDFix report
  • The Malwarebytes' Anti-Malware log
  • The contents of main.txt
  • The contents of extra.txt.

Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#4 LoneShark

LoneShark
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 11 July 2008 - 09:40 AM

Hello Carolyn, thanks for the very quick reply. For your first post, I tried to get the uninstall manager list for you, but when I click on the save list it just closes the program. I am unable to find the file anywhere if it did save it. After running sdfix the performance was increased and the background became solid blue instead of showing it was infected. When mbam finnished it asked to reboot to delete some files. After the reboot and files were deleted I recieved this error:

Rundll32.exe-Bad Image
The application or DLL C:\WINDOWS\system32\xreskkad.dll is not a valid windows image.

I did another reboot after that and didn't receive this error message again. I also noticed the background is now back to its correct setting and the task manager works again. When I ran DSS it would keep crashing just as it gets to examining event logs, so I was unable to get the logs needed for it.


SDFix: Version 1.204
Run by Administrator on Fri 07/11/2008 at 09:15

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
clbdriver

Path :
\??\globalroot\systemroot\system32\drivers\clbdriver.sys

clbdriver - Deleted

Killing PID 820 'uoyzsydz.exe'
Killing PID 820 'uoyzsydz.exe'
Killing PID 820 'uoyzsydz.exe'


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\ddcDvtQK.dll - Deleted
C:\WINDOWS\SYSTEM32\MSVOLUME.DLL - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\GetPack19.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\iCheck.exe - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\b156.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\uoyzsydz.exe - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted



Folder C:\Documents and Settings\Owner\Application Data\SpeedRunner - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\mjc - Removed
Folder C:\Program Files\Sakora - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 09:24:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1196969440\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1196969440\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 18 Feb 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!



Malwarebytes' Anti-Malware 1.20
Database version: 938
Windows 5.1.2600 Service Pack 2

9:54:13 AM 7/11/2008
mbam-log-7-11-2008 (09-54-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 94953
Time elapsed: 19 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 25
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ocuitpqe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yayvuRKC.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4bce3b00-2977-446c-b106-e9c6ad9b4db1} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4bce3b00-2977-446c-b106-e9c6ad9b4db1} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MySidesearch (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00e8f934 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getpack19 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm03dbcaa8 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExploreUpdSched (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayvurkc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayvurkc -> Delete on reboot.

Folders Infected:
C:\WINDOWS\Search And Destroy (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\yayvuRKC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\CKRuvyay.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\CKRuvyay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fyvyacvs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcayvyf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ocuitpqe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\eqptiuco.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nsh1B.tmp\System.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Search And Destroy\uninstall.exe (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy\Search And Destroy Setup Log.txt (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxywULby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xreskkad.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\qcntktdm.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbinit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnlkKeb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqRLdEw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM03dbcaa8.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM03dbcaa8.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\rasesnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by LoneShark, 11 July 2008 - 09:43 AM.


#5 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 12 July 2008 - 07:02 AM

Hello,

I would like you to try running Deckard's System Scanner in Safe Mode.


Please print these instructions or save them on your computer by copying the text and pasting them into notepad. You will want to have them available while the computer is in Safe Mode.


Boot to Safe Mode
Please print the instructions below or copy and paste to Notepad since you will not have internet access while in Safe Mode.

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, continually press F8.
* Instead of Windows loading as normal, a menu should appear
* Select the first option, to run Windows in Safe Mode.

Run Deckard's System Scanner
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Save the two text files to your Desktop so you can find them easily after you boot the computer back to Normal Mode.
Next, boot back to Normal Mode then scan with HijackThis and post the fresh log.


To recap, please post the following:
  • main.txt
  • extra.txt
  • HijackThis log

Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#6 LoneShark

LoneShark
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 12 July 2008 - 04:12 PM

Hello again, dss did run all the way through and here are the logs.

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-12 17:00:29
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:01:16, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cwshredder.net/cwshredder/cwsredir.php?target=tmas
O2 - BHO: {9fce35c3-79f0-c84a-9fe4-99e03e2057d0} - {0d7502e3-0e99-4ef9-a48c-0f973c53ecf9} - C:\WINDOWS\system32\uvxdtj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {c3bae379-c90d-8e78-d7bf-d6cfdc8ba595} - C:\WINDOWS\system32\ifovdrwrxfacis.dll
O4 - HKLM\..\Run: [{43f80fb7-2bba-e8b4-6c7b-213be9a3dd3a}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\ifovdrwrxfacis.dll" DllStart
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4341 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 httpp - c:\windows\system32\drivers\httpp.sys (file missing)
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA Rhine II Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_0216107B&REV_78\3&61AAA01&1&90
Manufacturer: VIA Technologies, Inc.
Name: VIA Rhine II Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_0216107B&REV_78\3&61AAA01&1&90
Service: FETND5BV


-- Scheduled Tasks -------------------------------------------------------------

2008-07-12 16:55:09 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-11 09:32:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-11 09:32:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-11 09:32:24 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 09:05:11 0 d-------- C:\WINDOWS\ERUNT
2008-07-11 08:51:09 0 d-------- C:\Program Files\Trend Micro
2008-07-10 12:32:10 0 d-------- C:\fsaua.data
2008-07-10 12:13:22 3348 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-10 12:12:27 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-10 12:12:27 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-10 12:12:27 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-10 12:12:27 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-10 12:12:27 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-10 12:12:27 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-10 12:12:27 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-10 12:12:27 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-10 09:33:36 0 d-------- C:\Program Files\Windows Defender
2008-07-10 07:27:59 105232 --a------ C:\WINDOWS\system32\uvxdtj.dll
2008-07-10 07:27:57 105232 --a------ C:\WINDOWS\system32\akbnivqa.dll
2008-07-10 07:26:24 81120 -----n--- C:\WINDOWS\system32\ocuitpqe.dll
2008-07-09 14:40:16 90816 -----n--- C:\WINDOWS\system32\xreskkad.dll
2008-07-09 14:32:43 192582 -----n--- C:\WINDOWS\system32\qcntktdm.exe
2008-07-09 10:25:32 0 d-------- C:\Program Files\Lavasoft
2008-07-09 10:25:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-09 10:24:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-09 09:58:42 0 d-------- C:\WINDOWS\pss
2008-07-09 09:22:48 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-09 09:22:48 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-09 09:22:48 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-09 09:22:48 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-09 09:22:48 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-09 09:22:48 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-09 09:22:48 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-09 09:22:48 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-09 09:22:48 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-09 09:22:48 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-09 09:22:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-09 09:22:48 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-09 09:22:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-09 09:22:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-09 09:22:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-09 09:22:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-09 09:22:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-07-09 09:22:47 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-09 08:38:07 1955 --ahs---- C:\WINDOWS\system32\CKRuvyay.ini2
2008-07-09 08:38:00 314672 -----n--- C:\WINDOWS\system32\yayvuRKC.dll
2008-07-09 08:33:41 0 d-------- C:\WINDOWS\system32\6835
2008-07-08 15:39:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-08 15:39:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-08 15:38:48 0 d-------- C:\Program Files\Common Files\s?curity
2008-07-08 15:38:42 64332 --a------ C:\WINDOWS\system32\xaorpdeoelb.exe
2008-07-08 15:38:39 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-08 15:38:30 152079 --a------ C:\WINDOWS\system32\g54.exe
2008-07-08 15:38:13 0 d--hs---- C:\WINDOWS\IA
2008-07-08 15:37:59 0 d-------- C:\WINDOWS\system32\wNT
2008-07-08 15:37:59 0 d-------- C:\WINDOWS\system32\tfig
2008-07-08 15:37:59 0 d-------- C:\WINDOWS\system32\net
2008-07-08 15:37:59 0 d-------- C:\WINDOWS\system32\cREG
2008-07-08 15:37:59 0 d-------- C:\WINDOWS\system32\1030
2008-07-08 15:37:53 0 d-------- C:\WINDOWS\system32\olixds01
2008-07-02 09:41:32 158208 --a------ C:\WINDOWS\system32\ifovdrwrxfacis.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-10 10:29:21 0 d-------- C:\Program Files\Java
2008-07-09 10:24:49 0 d-------- C:\Program Files\Common Files
2008-07-09 10:16:16 0 d-------- C:\Program Files\BigFix
2008-07-09 09:56:29 0 d-------- C:\Program Files\Common Files\s?curity


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0d7502e3-0e99-4ef9-a48c-0f973c53ecf9}]
07/10/2008 07:27 105232 --a------ C:\WINDOWS\system32\uvxdtj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c3bae379-c90d-8e78-d7bf-d6cfdc8ba595}]
07/02/2008 09:41 158208 --a------ C:\WINDOWS\system32\ifovdrwrxfacis.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{43f80fb7-2bba-e8b4-6c7b-213be9a3dd3a}"="C:\WINDOWS\system32\ifovdrwrxfacis.dll" [07/02/2008 09:41]
"VTTrayp"="VTtrayp.exe" [11/01/2005 09:15 C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [03/08/2005 08:33 C:\WINDOWS\system32\VTTimer.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [10/07/2005 17:52]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 07:01]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/06/2007 15:31]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50]
"AGRSMMSG"="AGRSMMSG.exe" [10/14/2005 19:29 C:\WINDOWS\AGRSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 19:19]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 15:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=2 (0x2)
"cmdService"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-07-12 17:01:53 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.50GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 446.04 MiB / 287.68 MiB
Pagefile Memory (total/avail): 1054.78 MiB / 962.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.72 MiB

C: is Fixed (NTFS) - 51.42 GiB total, 45.32 GiB free.
D: is Fixed (FAT32) - 4.45 GiB total, 2.22 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2060AT PL - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 51.42 GiB - C:
\PARTITION1 - Unknown - 4.46 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: v (McAfee) Disabled
AV: avast! antivirus 4.8.1201 [VPS 080711-0] v4.8.1201 (ALWIL Software)
AV: v (McAfee) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1196969440\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1196969440\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PHANTOMFIRE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\PHANTOMFIRE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=MINIMAL
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=PHANTOMFIRE
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems AC'97 Modem --> agrsmdel
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Enhancement Browser Tools Gooochi --> C:\WINDOWS\system32\xaorpdeoelb.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Security Update for Step By Step Interactive Training (KB898458) -->
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}


-- Application Event Log -------------------------------------------------------

Event Record #/Type360 / Error
Event Submitted/Written: 07/12/2008 05:01:27 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type359 / Error
Event Submitted/Written: 07/12/2008 05:01:27 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type358 / Error
Event Submitted/Written: 07/12/2008 05:01:27 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type357 / Error
Event Submitted/Written: 07/12/2008 05:01:27 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type356 / Error
Event Submitted/Written: 07/12/2008 05:01:27 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6049 / Error
Event Submitted/Written: 07/12/2008 04:59:48 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type6048 / Error
Event Submitted/Written: 07/12/2008 04:59:46 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type6047 / Error
Event Submitted/Written: 07/12/2008 04:59:37 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type6046 / Error
Event Submitted/Written: 07/12/2008 04:53:17 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswSP
aswTdi
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Event Record #/Type6045 / Error
Event Submitted/Written: 07/12/2008 04:53:17 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-12 17:01:53 ------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:07 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: {9fce35c3-79f0-c84a-9fe4-99e03e2057d0} - {0d7502e3-0e99-4ef9-a48c-0f973c53ecf9} - C:\WINDOWS\system32\uvxdtj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {c3bae379-c90d-8e78-d7bf-d6cfdc8ba595} - C:\WINDOWS\system32\ifovdrwrxfacis.dll
O4 - HKLM\..\Run: [{43f80fb7-2bba-e8b4-6c7b-213be9a3dd3a}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\ifovdrwrxfacis.dll" DllStart
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [zrkw] C:\PROGRA~1\COMMON~1\zrkw\zrkwm.exe
O4 - HKCU\..\Run: [SearchAndDestroyT] C:\Program Files\Search And Destroy\SearchAndDestroy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 5168 bytes

#7 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 13 July 2008 - 09:47 AM

Hello,

Step 1:Remove Malware Programs
Please Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

Enhancement Browser Tools Gooochi
Search and Destroy


If either program listed is not present, please do not panic


Step 2: We will begin with ComboFix.exe

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#8 LoneShark

LoneShark
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 13 July 2008 - 12:23 PM

Okay, here is the combofix and new hijack this log.

ComboFix 08-07-12.6 - Owner 2008-07-13 13:10:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.172 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\My Documents\SSEMBL~1
C:\Program Files\Common Files\scurit~1
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\IA
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\akbnivqa.dll
C:\WINDOWS\system32\CKRuvyay.ini
C:\WINDOWS\system32\CKRuvyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ocuitpqe.dll
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\qcntktdm.exe
C:\WINDOWS\system32\xreskkad.dll
C:\WINDOWS\system32\yayvuRKC.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-06-13 to 2008-07-13 )))))))))))))))))))))))))))))))
.

2008-07-11 10:08 . 2008-07-11 10:08 <DIR> d-------- C:\Deckard
2008-07-11 09:32 . 2008-07-11 09:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 09:32 . 2008-07-11 09:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-11 09:32 . 2008-07-11 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-11 09:32 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-11 09:32 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-11 09:05 . 2008-07-11 09:05 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-11 08:59 . 2008-07-11 09:30 <DIR> d-------- C:\SDFix
2008-07-11 08:51 . 2008-07-11 08:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 12:32 . 2008-07-10 12:32 <DIR> d-------- C:\fsaua.data
2008-07-10 12:13 . 2008-07-10 12:13 3,348 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-10 12:12 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-10 12:12 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-10 12:12 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-10 12:12 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-10 12:12 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-10 12:12 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-10 12:12 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-10 12:12 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-10 12:12 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-10 10:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-10 09:33 . 2008-07-10 09:33 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-09 10:25 . 2008-07-09 10:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-09 10:25 . 2008-07-09 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-09 10:24 . 2008-07-09 10:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-09 09:22 . 2007-12-06 14:01 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-09 09:22 . 2007-12-06 15:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-09 09:22 . 2007-12-06 15:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-09 09:22 . 2007-12-08 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-07-09 09:22 . 2008-07-09 09:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-09 08:44 . 2008-07-09 08:44 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-07-09 08:33 . 2008-07-09 14:31 <DIR> d-------- C:\WINDOWS\system32\6835
2008-07-08 15:38 . 2008-07-08 15:38 152,079 --a------ C:\WINDOWS\system32\g54.exe
2008-07-08 15:38 . 2004-08-04 15:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-08 15:37 . 2008-07-10 08:41 <DIR> d-------- C:\WINDOWS\system32\wNT
2008-07-08 15:37 . 2008-07-09 11:07 <DIR> d-------- C:\WINDOWS\system32\tfig
2008-07-08 15:37 . 2008-07-10 08:39 <DIR> d-------- C:\WINDOWS\system32\olixds01
2008-07-08 15:37 . 2008-07-09 11:07 <DIR> d-------- C:\WINDOWS\system32\net
2008-07-08 15:37 . 2008-07-10 08:32 <DIR> d-------- C:\WINDOWS\system32\cREG
2008-07-08 15:37 . 2008-07-10 08:31 <DIR> d-------- C:\WINDOWS\system32\1030
2008-07-08 15:37 . 2008-07-08 15:38 <DIR> d-------- C:\TEMP\stmpv4
2008-06-27 22:57 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-27 22:57 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 14:29 --------- d-----w C:\Program Files\Java
2008-07-09 14:16 --------- d-----w C:\Program Files\BigFix
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-12-08 18:33 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-10-22 14:34 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 17:52 737370]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 07:01 32768]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 21:24 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 02:42 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-06 15:31 98304]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"VTTrayp"="VTtrayp.exe" [2005-11-01 09:15 163840 C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [2005-03-08 08:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 19:29 88203 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=2 (0x2)
"cmdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
S1 httpp;httpp;C:\WINDOWS\system32\drivers\httpp.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-07-13 17:18:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-zrkw - C:\PROGRA~1\COMMON~1\zrkw\zrkwm.exe
HKCU-Run-SearchAndDestroyT - C:\Program Files\Search And Destroy\SearchAndDestroy.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 13:15:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-13 13:18:44 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-07-13 17:18:40

Pre-Run: 47,806,558,208 bytes free
Post-Run: 48,380,690,432 bytes free

158 --- E O F --- 2008-07-13 04:13:30


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:00 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4674 bytes

#9 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 14 July 2008 - 06:18 AM

Hello,

Step 1:
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\system32\g54.exe
C:\WINDOWS\system32\beep.sys

Folder::
C:\WINDOWS\system32\6835
C:\WINDOWS\system32\wNT
C:\WINDOWS\system32\tfig
C:\WINDOWS\system32\olixds01
C:\WINDOWS\system32\net
C:\WINDOWS\system32\cREG
C:\WINDOWS\system32\1030
C:\TEMP\stmpv4

Driver::
httpp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=-
"cmdService"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Step 2:
Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Please post the following:
  • The ComboFix log
  • The Kaspersky log
  • A fresh HijackThis log
  • A description of how your computer is behaving.

Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#10 LoneShark

LoneShark
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 14 July 2008 - 08:39 AM

Hello, So far the computer has been running a lot smoother, with a much quicker boot time than when we started out. Before it did have one pop-up even while not using the internet. So far that I know of, since this last run, I have yet to see a pop-up. Here are the logs:

ComboFix 08-07-12.6 - Owner 2008-07-14 7:43:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.148 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\g54.exe
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\TEMP\stmpv4
C:\TEMP\stmpv4\bnwe7.log
C:\WINDOWS\system32\1030
C:\WINDOWS\system32\6835
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\cREG
C:\WINDOWS\system32\g54.exe
C:\WINDOWS\system32\net
C:\WINDOWS\system32\olixds01
C:\WINDOWS\system32\tfig
C:\WINDOWS\system32\wNT
C:\WINDOWS\system32\ZoneAlarmIconUS.ico

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HTTPP
-------\Service_httpp


((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-11 10:08 . 2008-07-11 10:08 <DIR> d-------- C:\Deckard
2008-07-11 09:32 . 2008-07-11 09:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 09:32 . 2008-07-11 09:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-11 09:32 . 2008-07-11 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-11 09:32 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-11 09:32 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-11 09:05 . 2008-07-11 09:05 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-11 08:59 . 2008-07-11 09:30 <DIR> d-------- C:\SDFix
2008-07-11 08:51 . 2008-07-11 08:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 12:32 . 2008-07-10 12:32 <DIR> d-------- C:\fsaua.data
2008-07-10 12:13 . 2008-07-10 12:13 3,348 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-10 12:12 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-10 12:12 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-10 12:12 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-10 12:12 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-10 12:12 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-10 12:12 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-10 12:12 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-10 12:12 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-10 12:12 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-10 10:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-10 09:33 . 2008-07-10 09:33 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-09 10:25 . 2008-07-09 10:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-09 10:25 . 2008-07-09 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-09 10:24 . 2008-07-09 10:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-09 09:22 . 2007-12-06 14:01 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-09 09:22 . 2007-12-06 15:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-09 09:22 . 2007-12-06 15:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-09 09:22 . 2007-12-08 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-07-09 09:22 . 2008-07-09 09:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-27 22:57 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-27 22:57 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 14:29 --------- d-----w C:\Program Files\Java
2008-07-09 14:16 --------- d-----w C:\Program Files\BigFix
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-12-08 18:33 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-10-22 14:34 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot@2008-07-13_13.18.27.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-13 17:14:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-14 11:46:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-14 11:47:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_74c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 17:52 737370]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 07:01 32768]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 21:24 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 02:42 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-06 15:31 98304]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"VTTrayp"="VTtrayp.exe" [2005-11-01 09:15 163840 C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [2005-03-08 08:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 19:29 88203 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 11:50:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 07:47:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-14 7:50:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 11:50:42
ComboFix2.txt 2008-07-13 17:18:45

Pre-Run: 48,368,951,296 bytes free
Post-Run: 48,359,628,800 bytes free

149 --- E O F --- 2008-07-13 04:13:30


KASPERSKY ONLINE SCANNER 7 REPORTKASPERSKY ONLINE SCANNER 7 REPORT
Monday, July 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build
2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 14, 2008 12:17:38
Records in database: 951514


Scan settings
Scan using the following databaseextended
Scan archivesyes
Scan mail databasesyes

Scan areaMy Computer
C:\
D:\
E:\

Scan statistics
Files scanned50587
Threat name3
Infected objects4
Suspicious objects0
Duration of the scan01:18:39

File nameThreat nameThreats count
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exeInfected:
not-a-virus:RiskTool.Win32.Reboot.f1

C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exeInfected:
not-a-virus:RiskTool.Win32.Reboot.f1

C:\QooBox\Quarantine\catchme2008-07-13_131516.65.zipInfected:
Hoax.Win32.Renos.vaff1

D:\i386\Apps\App00577\comps\toolbar\toolbr.exeInfected:
not-a-virus:AdWare.Win32.SearchIt.t1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:34 AM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4723 bytes

#11 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 14 July 2008 - 02:45 PM

Hello,

There is a file I would like you to upload so that it can be scanned for malware:

Upload file for scanning

D:\i386\Apps\App00577\comps\toolbar\toolbr.exe

  • Copy/Paste the file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
The file you just uploaded, if not infected, may be a process associated with AOL. Is AOL your internet provider?


Next, your logs show signs of McAfee software products on your computer. I'm guessing that you had uninstalled the McAfee software and what I am seeing are "left-overs". Those need to be dealt with because
they can cause system instability.


Dowload and save McAfee Removal Tool to your desktop.

Run it to remove McAfee. After this, please restart your computer.



Next, your uninstall list includes an older version of Java. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older version Java component.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs.
  • Check J2SE Runtime Environment 5.0 Update 2.
  • Click the Remove or Change/Remove button.
  • Reboot your computer once the Java component is removed.
I can see from your logs that you are using Windows Firewall.

FIREWALL
Without a 3rd party firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.
It's preferable to install one of the suggested firewalls.

FREE FIREWALLS
Tutorial about Firewalls can be found here


Please post the following in your next reply:
  • The Virustotal/Jotti results
  • Information regarding your Internet Service Provider (ISP)
  • A fresh HijackThis log.
  • A description of how your computer is behaving.

Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#12 LoneShark

LoneShark
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 15 July 2008 - 08:14 AM

Hello, tried to upload the file to scan online. When browsing to the file, it is located inside of a system restore folder that I can not acess. The D: is called recover, I have been wondering about that whole drive. Never seen anything like it on a computer, though I use a PC instead of labtops.

We use Charter Communications has our service provider and have the modem connecting to a linksys wireless router. Most computers are using the wireless connection.

From the way the computer is behaving, I would say that it does not seem to be infected by a single trojan. Very smooth and quick.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:44 AM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4956 bytes

#13 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 15 July 2008 - 01:56 PM

Hello LoneShark,

The D: drive is called a Recovery Partition. Since your DVD drive is borked, the Recovery Partition is an especially nice feature for you to have installed on this computer.

The Recovery Partition contains all of the Operating System drivers and files that are needed to restore the original installation.

Wikipedia's info on Recovery Partitions
Gateway's FAQ's


Remove bad HijackThis entry
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside the items listed below (if present):

    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

Your log now appears to be clean. Congratulations!

Please delete the following from your computer:
  • SDFix.exe
  • DSS.exe
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
Posted Image
Please advise if this step is missed for any reason as it performs some important actions.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under Hidden files and folders if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check Display content of system folders
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

  • Continue to use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE
Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:

    Stop and Disable the DNS Client Service
    Go to Start, Run and type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-Click on the DNS Client Service. Choose Properties
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK


  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#14 LoneShark

LoneShark
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 16 July 2008 - 07:28 AM

Hello, thanks for all the help. Normally with the problems I had this time I would have just reformated, but that wasn't an option this time around. I would say that the computer is runing the best I have seen in about a year now. Only thing that was strange is the avast resident protection icons were removed from the systray. I Didn't know if it was running or not so I just unistalled and and reinstalled to get it back to normal. I also removed the viewpoint manager, don't even know how it got installed. It's never even used.

Thanks again for all your help. Now I know where to go if I have anymore serious problems, hopefully not. Looks like your nearly done with your trainning, you were really helpfull. Take Care.

#15 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 16 July 2008 - 08:12 AM

You're welcome! :thumbsup:


This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users