Recurrent Infection Of Tcpsr.sys


  • This topic is locked
12 replies to this topic

#1 midge63

  • Members
  • 9 posts
  • Gender:Female
  • Location:Ballarat, in the state of Victoria

Posted 02 August 2008 - 08:35 PM

Hello all, this is my first time, so forgive my clumsiness or mistakes!

I have been having this problem for a week or so, and I just can't get rid of it!

Spybot tells me this is "Win32.Winlagons.co"

Trend Micro quarantines it as tcpsr.sys, and says it is found in C:\WINDOWS\system32\drivers

If anyone can help me destroy this thing forever, I will sing from the rooftops how brilliant you are!

Attaching DSS scan logs.

Thanks heaps!



Deckard's System Scanner v20071014.68
Run by Sheryl Davis on 2008-08-03 10:57:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 496 MiB (512 MiB recommended).


-- HijackThis (run as Sheryl Davis.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:45 AM, on 3/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\notepad.exe
c:\program files\common files\mozilla shared\firefox.exe
C:\Documents and Settings\Sheryl Davis\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SHERYL~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E253389-2BC5-4C9B-932D-E190376AC4F3} - c:\windows\system32\ijmtmrh.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: .bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217587281971
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: vnuhofhs - C:\WINDOWS\SYSTEM32\ijmtmrh.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6667 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-02 20:30:05 71 --a------ C:\WINDOWS\8943439
2008-08-02 20:16:32 69 --a------ C:\WINDOWS\894315c
2008-08-02 20:15:39 71 --a------ C:\WINDOWS\8943183
2008-08-02 20:05:13 0 d-------- C:\Documents and Settings\Sheryl Davis\WINDOWS
2008-08-02 11:54:48 0 d-------- C:\WINDOWS\Profiles
2008-08-02 11:54:40 0 d-------- C:\WINDOWS\system32\Adobe
2008-08-02 11:54:40 0 d-------- C:\Documents and Settings\Sheryl Davis\Application Data\InterTrust
2008-08-02 11:53:12 0 d-------- C:\Program Files\Nodtronics
2008-08-01 17:19:45 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-08-01 17:19:44 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-08-01 17:16:22 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-08-01 16:42:33 0 d-------- C:\WINDOWS\Prefetch
2008-08-01 09:05:41 0 d-------- C:\Documents and Settings\Sheryl Davis\Application Data\Mozilla
2008-07-26 10:20:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 12:37:07 0 --a------ C:\WINDOWS\system32\Ultra.dll
2008-07-25 11:11:16 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-07-24 20:03:37 0 d-------- C:\Program Files\Emerald Hunt
2008-07-23 08:59:53 0 d-------- C:\Documents and Settings\Sheryl Davis\Application Data\HouseCall 6.6
2008-07-20 09:51:34 0 d-------- C:\WINDOWS\system32\scripting
2008-07-20 09:51:08 0 d-------- C:\WINDOWS\l2schemas
2008-07-20 09:51:02 0 d-------- C:\WINDOWS\system32\en
2008-07-20 09:51:00 0 d-------- C:\WINDOWS\system32\bits
2008-07-20 09:14:40 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-07-20 09:03:45 14832 --a------ C:\WINDOWS\system32\asfsipc.dll <Not Verified; Microsoft Corporation; Microsoft ® DRM>
2008-07-20 04:35:18 7680 --a------ C:\WINDOWS\system32\spdwnwxp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-20 01:11:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-07-20 01:11:05 0 d-------- C:\Program Files\Uniblue
2008-07-20 00:35:21 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-07-20 00:35:09 0 d-------- C:\Documents and Settings\NetworkService\Application Data\rtmiybkq
2008-07-19 22:58:53 0 d-------- C:\Program Files\Online Services
2008-07-19 18:08:31 0 d-------- C:\Program Files\RegCure
2008-07-19 17:02:47 0 d-------- C:\Program Files\ACW
2008-07-19 15:33:15 0 dr-h----- C:\Documents and Settings\Sheryl Davis\Recent
2008-07-19 11:00:22 0 d-------- C:\Documents and Settings\Sheryl Davis\Application Data\rtmiybkq
2008-07-18 09:11:48 30848 --a------ C:\WINDOWS\system32\drivers\Ekn71.sys


-- Find3M Report ---------------------------------------------------------------

2008-08-03 09:54:35 0 d-------- C:\Program Files\RegCleaner
2008-08-03 08:44:33 0 d-------- C:\Program Files\CCleaner
2008-08-02 17:03:48 0 d-------- C:\Program Files\Common Files
2008-08-01 16:18:54 22780 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-31 21:04:15 2068 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-30 16:25:13 0 d-------- C:\Program Files\Google
2008-07-30 15:16:43 50 --a------ C:\WINDOWS\system32\bridf05a.dat
2008-07-30 09:25:01 1956 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-25 20:19:00 0 d-------- C:\Program Files\iTunes
2008-07-25 15:48:23 0 d-------- C:\Program Files\Trend Micro
2008-07-25 10:57:02 0 d-------- C:\Program Files\Apple Software Update
2008-07-24 20:32:25 0 d-------- C:\Program Files\Windows NT
2008-07-24 20:32:03 0 d-------- C:\Program Files\Movie Maker
2008-07-24 20:31:55 0 d-------- C:\Program Files\Messenger
2008-07-22 15:38:02 31 --a------ C:\WINDOWS\popcinfo.dat
2008-07-20 20:01:06 0 d-------- C:\Program Files\iPod
2008-07-20 19:42:15 0 d-------- C:\Program Files\QuickTime
2008-07-20 01:11:36 0 d-------- C:\Documents and Settings\Sheryl Davis\Application Data\Uniblue
2008-07-19 23:50:32 0 d-------- C:\Program Files\OptusNet DSL Internet
2008-07-19 15:44:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-11 15:48:46 0 d-------- C:\Documents and Settings\Sheryl Davis\Application Data\SolSuite
2008-07-04 22:43:31 896746 --a------ C:\Documents and Settings\Sheryl Davis\Application Data\NMM-MetaData.db
2008-06-25 20:41:38 0 d-------- C:\Documents and Settings\Sheryl Davis\Application Data\Nokia Multimedia Player


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E253389-2BC5-4C9B-932D-E190376AC4F3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [26/01/2005 06:02 PM]
"PCSuiteTrayApplication"="C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 01:20 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [25/08/2006 11:25 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [17/03/2005 01:25 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [17/03/2005 01:45 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [17/05/2005 05:42 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\Sheryl Davis\Start Menu\Programs\Startup\
.bat [2/08/2008 6:57:14 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=00000000
"NoSaveSettings"=00000000
"ClearRecentDocsOnExit"=00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vnuhofhs]
ijmtmrh.dll 04/08/2004 10:00 PM 105472 C:\WINDOWS\system32\ijmtmrh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekn71.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kcqbsbio




-- End of Deckard's System Scanner: finished at 2008-08-03 11:02:04 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 495.48 MiB / 162.46 MiB
Pagefile Memory (total/avail): 1158.73 MiB / 653.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.6 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 20.85 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340014A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.)
AV: Trend Micro PC-cillin Internet Security 2007 v15.00.1454 (Trend Micro, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\w7dvm.exe"="C:\\WINDOWS\\system32\\w7dvm.exe:*:Disabled:w7dvm"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sheryl Davis\Application Data
CLASSPATH=.;.;C:\PROGRA~1\JMF21~1.1E\lib\sound.jar;C:\PROGRA~1\JMF21~1.1E\lib\jmf.jar;C:\PROGRA~1\JMF21~1.1E\lib;
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-496A7662F4
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sheryl Davis
LOGONSERVER=\\HOME-496A7662F4
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\PC Connectivity Solution\;C:\Program Files\Support Tools\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SHERYL~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SHERYL~1\LOCALS~1\Temp
USERDOMAIN=HOME-496A7662F4
USERNAME=Sheryl Davis
USERPROFILE=C:\Documents and Settings\Sheryl Davis
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sheryl Davis (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC69B6-B2FE-442E-B106-A1E57DEBC5C1}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC69B6-B2FE-442E-B106-A1E57DEBC5C1}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Ancient Tripeaks --> C:\PROGRA~1\GAMEHO~1\Tripeaks\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\Tripeaks\INSTALL.LOG
Bejeweled 2 Deluxe 1.0 --> C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\Install.log"
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB9AC6BF-71B6-42A4-9689-C17D9F44E79A}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN Neeon 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD4E589A-C44A-4498-A8AF-6AFF09E07901}\SETUP.EXE" -l0x9 /remove
DBXTriever 2.91 --> "C:\Program Files\DBXTriever\unins000.exe"
Diamond Mine Deluxe 1.81y --> C:\Program Files\PopCap Games\Diamond Mine Deluxe\PopUninstall.exe C:\Program Files\PopCap Games\Diamond Mine Deluxe\Install.log
DX-Ball 1.09 --> C:\PROGRA~1\DX-Ball\UNWISE.EXE C:\PROGRA~1\DX-Ball\INSTALL.LOG
DX-Ball 2 --> "C:\Program Files\LDA Games\DX-Ball 2\uninstall-v2.exe"
Easy CD-DA Extractor 9.1.3 --> "C:\WINDOWS\Easy CD-DA Extractor\uninstall.exe" "/U:C:\Program Files\Easy CD-DA Extractor 9\irunin.xml"
Free Solitaire --> "C:\Program Files\FreeSolitaire\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\Sheryl Davis\Application Data\HouseCall 6.6\uninstaller.exe"
ImageEditor --> MsiExec.exe /I{B8016214-EB04-4158-9324-FD8D0A6E62FF}
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java Media Framework 2.1.1e --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JMF2.1.1e\Uninst.isu"
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire PRO 4.12.4 --> "C:\Program Files\LimeWire\uninstall.exe"
Messenger Plus! Live --> "C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Documents\Messenger Plus! Live\Uninstall.exe"
Microsoft IEAK 6 --> rundll32 advpack.dll,LaunchINFSection ieak6.inf,IEAK.Uninstall
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{972B1D9B-0EAD-49E8-B7D6-3B83FD5665B1}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Nokia_PC_Suite_683_rel_14_1_APAC.exe /LANG="2057"
Nokia PC Suite --> MsiExec.exe /I{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}
OptusNet DSL --> C:\Program Files\OptusNet DSL Internet\Uninstall.exe
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
PC Connectivity Solution --> MsiExec.exe /I{066D65EA-ED53-44E4-A96A-F81B6E409D2E}
PC Wizard 2006.1.70 --> "C:\Program Files\PC Wizard 2006\unins000.exe"
Pharaoh’s Ascent --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Pharaoh’s Ascent\DeIsL1.isu"
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RegCure 1.5.0.1 --> C:\Program Files\RegCure\uninst.exe
Samsung PC Studio Internet Access 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F707550B-F147-4B50-9B1D-3B3BDBD7D712}\setup.exe" -l0x9
Samsung PC Studio PIM & File Manager 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC1A9319-2DDB-40F6-81B4-5EC6BF3B1CB1}\setup.exe" -l0x9
Siemens Subscriber Networks SpeedStream DSL --> C:\Program Files\Siemens Subscriber Networks\SpeedStream DSL\setup.exe -uninstall
SolSuite --> C:\Solsuite\SolSuite\UNWISE.EXE C:\Solsuite\SolSuite\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Super Collapse! II --> C:\PROGRA~1\GAMEHO~1\COLLAP~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\COLLAP~1\INSTALL.LOG
The Ultimate Troubleshooter --> C:\PROGRA~1\ANSWER~1\TROUBL~1\UNWISE.EXE C:\PROGRA~1\ANSWER~1\TROUBL~1\INSTALL.LOG
Thieves and Kings --> C:\Program Files\Things\Uninstall.exe
Trend Micro PC-cillin Internet Security 2007 --> msiexec.exe /i {BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Tweakui Powertoy for Windows XP --> MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
Typing Tutor --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Nodtronics\Typing Tutor\Uninst.isu"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Support Tools --> MsiExec.exe /I{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Your Uninstaller! 2006 Version 5 --> "C:\Program Files\Your Uninstaller 2006\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type8639 / Error
Event Submitted/Written: 08/02/2008 04:28:36 PM / 08/02/2008 04:28:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type8638 / Error
Event Submitted/Written: 08/02/2008 04:28:36 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type8635 / Warning
Event Submitted/Written: 08/02/2008 00:29:02 PM
Event ID/Source: 36 / WinMgmt
Event Description:
WMI ADAP was unable to load the Spooler performance library because it returned an invalid return code: 0x80041001

Event Record #/Type8634 / Warning
Event Submitted/Written: 08/02/2008 00:29:02 PM
Event ID/Source: 36 / WinMgmt
Event Description:
WMI ADAP was unable to load the Spooler performance library because it returned an invalid return code: 0x6ba

Event Record #/Type8633 / Error
Event Submitted/Written: 08/02/2008 00:28:37 PM
Event ID/Source: 2002 / PerfNet
Event Description:
Unable to open the Redirector service. Redirector performance data
will not be returned. Error code returned is in data DWORD 0.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38514 / Error
Event Submitted/Written: 08/02/2008 03:13:32 PM
Event ID/Source: 104 / SRService
Event Description:
The System Restore initialization process failed.

Event Record #/Type38513 / Error
Event Submitted/Written: 08/02/2008 03:12:20 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error:
%%5

Event Record #/Type38509 / Error
Event Submitted/Written: 08/02/2008 03:12:20 PM
Event ID/Source: 104 / SRService
Event Description:
The System Restore initialization process failed.

Event Record #/Type38508 / Error
Event Submitted/Written: 08/02/2008 03:05:13 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error:
%%5

Event Record #/Type38504 / Error
Event Submitted/Written: 08/02/2008 03:05:12 PM
Event ID/Source: 104 / SRService
Event Description:
The System Restore initialization process failed.



-- End of Deckard's System Scanner: finished at 2008-08-03 10:53:11 ------------



#2 lusitano

    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 05 August 2008 - 10:50 AM

Hi,

Please download the ComboFix from the links above and follow all instructions for running the tool:
"If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!"

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer


Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 midge63

midge63
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Location:Ballarat, in the state of Victoria
  • Local time:05:15 AM

Posted 05 August 2008 - 06:45 PM

Hi there!

Thanks so much for the quick response!

I have followed all your instructions and included the logs you requested.

Thanks again for your help.

Regards, Midge63.


ComboFix 08-08-04.09 - Sheryl Davis 2008-08-06 9:00:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.188 [GMT 10:00]
Running from: C:\Documents and Settings\Sheryl Davis\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Ekn71.sys
C:\WINDOWS\system32\eWebControl.dll
C:\WINDOWS\system32\ijmtmrh.dll
C:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EKN71
-------\Legacy_IPRIP
-------\Legacy_KCQBSBIO
-------\Legacy_TCPSR
-------\Service_Ekn71
-------\Service_Iprip
-------\Service_kcqbsbio


((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-06 07:44 . 2008-08-06 07:44 <DIR> d-------- C:\Documents and Settings\Sheryl Davis\Application Data\rtmiybkq
2008-08-05 16:02 . 2004-08-03 23:07 43,008 --a------ C:\WINDOWS\system32\drivers\amdagp.sys
2008-08-05 16:02 . 2004-08-03 23:07 43,008 --a--c--- C:\WINDOWS\system32\dllcache\amdagp.sys
2008-08-03 18:29 . 2008-08-06 09:19 1,095,712 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-03 18:29 . 2008-08-06 09:10 13,892 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-03 18:26 . 2008-08-03 18:26 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-08-03 18:22 . 2008-08-03 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-03 18:21 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-03 18:21 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-08-03 18:21 . 2008-08-03 18:26 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-03 18:19 . 2008-08-03 18:21 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-08-03 18:19 . 2008-08-03 18:19 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-03 18:19 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-08-03 18:18 . 2008-08-06 09:18 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-08-03 18:17 . 2008-08-06 09:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-03 14:37 . 2008-08-03 14:37 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-03 12:33 . 2008-08-03 12:35 <DIR> d-------- C:\Program Files\Emerald Hunt
2008-08-03 10:43 . 2008-08-03 10:43 <DIR> d-------- C:\Deckard
2008-08-03 00:54 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-03 00:44 . 2007-02-28 19:10 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-08-03 00:44 . 2007-02-28 19:08 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-08-03 00:44 . 2007-02-28 18:38 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-08-03 00:44 . 2007-02-28 18:38 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-08-03 00:42 . 2006-06-02 04:47 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-08-03 00:42 . 2006-06-02 04:47 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-08-03 00:23 . 2006-05-05 19:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-08-02 20:30 . 2008-08-02 20:30 71 --a------ C:\WINDOWS\8943439
2008-08-02 20:16 . 2008-08-02 20:16 69 --a------ C:\WINDOWS\894315c
2008-08-02 20:15 . 2008-08-02 20:15 71 --a------ C:\WINDOWS\8943183
2008-08-02 11:54 . 2008-08-02 11:54 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-02 11:54 . 2008-08-02 11:54 <DIR> d-------- C:\WINDOWS\Profiles
2008-08-02 11:54 . 2008-08-02 11:54 <DIR> d-------- C:\Documents and Settings\Sheryl Davis\Application Data\InterTrust
2008-08-02 11:53 . 2008-08-02 11:53 <DIR> d-------- C:\Program Files\Nodtronics
2008-08-02 11:53 . 2008-08-02 20:30 195 --a------ C:\WINDOWS\Typing.ini
2008-08-02 01:38 . 2008-08-02 17:30 519,651,328 --a------ C:\WINDOWS\MEMORY.DMP
2008-08-01 21:55 . 2006-06-14 18:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-08-01 21:55 . 2006-06-14 19:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-08-01 21:55 . 2006-06-14 18:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-08-01 16:36 . 2004-08-04 22:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-08-01 16:34 . 2004-08-04 22:00 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-08-01 16:33 . 2004-08-04 22:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-08-01 16:32 . 2004-08-04 22:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-08-01 16:31 . 2004-08-04 22:00 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2008-08-01 16:30 . 2004-08-04 22:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-01 16:29 . 2004-08-04 22:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-01 16:28 . 2004-08-04 22:00 369,664 --a--c--- C:\WINDOWS\system32\dllcache\asp51.dll
2008-08-01 16:27 . 2004-08-04 22:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-01 16:22 . 2008-08-01 16:22 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-01 16:21 . 2004-08-04 22:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-01 16:00 . 2004-08-04 22:00 1,086,058 -ra------ C:\WINDOWS\SETA5.tmp
2008-08-01 16:00 . 2004-08-04 22:00 1,042,903 -ra------ C:\WINDOWS\SETA2.tmp
2008-08-01 10:11 . 2008-08-01 10:11 268 --ah----- C:\sqmdata03.sqm
2008-08-01 10:11 . 2008-08-01 10:11 244 --ah----- C:\sqmnoopt03.sqm
2008-08-01 08:32 . 2008-08-01 08:32 268 --ah----- C:\sqmdata02.sqm
2008-08-01 08:32 . 2008-08-01 08:32 244 --ah----- C:\sqmnoopt02.sqm
2008-07-31 23:33 . 2008-07-31 23:34 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq
2008-07-31 23:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-31 23:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-30 15:16 . 2008-07-30 15:16 215 --a------ C:\WINDOWS\Brpfx04a.ini
2008-07-26 10:20 . 2008-07-26 10:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-26 10:20 . 2008-07-26 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 12:37 . 2007-04-24 18:20 0 --a------ C:\WINDOWS\system32\Ultra.dll
2008-07-25 11:11 . 2008-07-25 12:53 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-24 21:11 . 2008-08-01 16:25 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-07-24 21:11 . 2008-08-01 16:25 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-07-20 09:51 . 2008-07-24 20:29 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-20 09:51 . 2008-07-24 20:29 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-20 09:51 . 2008-07-24 20:29 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-20 09:51 . 2008-07-24 20:28 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-20 09:11 . 2004-08-04 22:00 42,368 --a------ C:\WINDOWS\system32\drivers\agp440.sys
2008-07-20 09:10 . 2004-08-04 22:00 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2008-07-20 09:10 . 2004-08-04 22:00 382,464 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-07-20 09:10 . 2006-08-21 19:14 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2008-07-20 09:10 . 2006-08-21 19:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-07-20 09:10 . 2004-08-04 22:00 46,464 --a------ C:\WINDOWS\system32\drivers\gagp30kx.sys
2008-07-20 09:10 . 2004-08-04 22:00 44,928 --a------ C:\WINDOWS\system32\drivers\agpcpq.sys
2008-07-20 09:10 . 2004-08-04 22:00 44,672 --a------ C:\WINDOWS\system32\drivers\uagp35.sys
2008-07-20 09:10 . 2004-08-04 22:00 42,752 --a------ C:\WINDOWS\system32\drivers\alim1541.sys
2008-07-20 09:10 . 2004-08-04 22:00 42,240 --a------ C:\WINDOWS\system32\drivers\viaagp.sys
2008-07-20 09:10 . 2004-08-04 09:07 41,088 --a------ C:\WINDOWS\system32\drivers\sisagp.sys
2008-07-20 09:04 . 2004-08-04 22:00 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2008-07-20 09:04 . 2004-08-04 22:00 140,800 --a--c--- C:\WINDOWS\system32\dllcache\sessmgr.exe
2008-07-20 09:04 . 2004-08-04 09:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-07-20 09:04 . 2004-08-04 22:00 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2008-07-20 09:04 . 2004-08-04 22:00 11,264 --a--c--- C:\WINDOWS\system32\dllcache\irenum.sys
2008-07-20 04:35 . 2008-04-14 10:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-07-20 04:28 . 2006-12-29 05:01 19,569 --a------ C:\WINDOWS\002898_.tmp
2008-07-20 01:11 . 2008-07-20 01:11 <DIR> d-------- C:\Program Files\Uniblue
2008-07-20 01:11 . 2008-07-20 01:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\rtmiybkq
2008-07-19 22:58 . 2004-08-04 22:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-07-19 22:58 . 2004-08-04 22:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-07-19 22:58 . 2004-08-04 22:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2008-07-19 22:58 . 2004-08-04 22:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-07-19 22:44 . 2004-08-04 22:00 1,086,058 -ra------ C:\WINDOWS\SETBD.tmp
2008-07-19 22:44 . 2004-08-04 22:00 1,042,903 -ra------ C:\WINDOWS\SETBA.tmp
2008-07-19 22:44 . 2004-08-04 22:00 13,753 -ra------ C:\WINDOWS\SETC9.tmp
2008-07-19 19:50 . 2008-08-03 03:08 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-07-19 18:08 . 2008-07-29 21:07 <DIR> d-------- C:\Program Files\RegCure
2008-07-19 17:02 . 2008-07-19 20:27 <DIR> d-------- C:\Program Files\ACW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 12:02 1,353,728 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-03 07:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-02 23:54 --------- d-----w C:\Program Files\RegCleaner
2008-08-02 22:44 --------- d-----w C:\Program Files\CCleaner
2008-08-01 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-30 06:25 --------- d-----w C:\Program Files\Google
2008-07-25 10:19 --------- d-----w C:\Program Files\iTunes
2008-07-25 05:48 --------- d-----w C:\Program Files\Trend Micro
2008-07-25 00:57 --------- d-----w C:\Program Files\Apple Software Update
2008-07-20 10:01 --------- d-----w C:\Program Files\iPod
2008-07-20 09:42 --------- d-----w C:\Program Files\QuickTime
2008-07-19 13:50 --------- d-----w C:\Program Files\OptusNet DSL Internet
2008-07-19 13:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-19 05:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-11 05:48 --------- d-----w C:\Documents and Settings\Sheryl Davis\Application Data\SolSuite
2008-06-25 10:41 --------- d-----w C:\Documents and Settings\Sheryl Davis\Application Data\Nokia Multimedia Player
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-06-25 02:23 1,390 ----a-w C:\Documents and Settings\Sheryl Davis\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"PCSuiteTrayApplication"="C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 13:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 13:45 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 17:42 933888]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"28658:TCP"= 28658:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"16159:TCP"= 16159:TCP:@xpsp2res.dll,-22009
"9710:TCP"= 9710:TCP:@xpsp2res.dll,-22009
"64809:TCP"= 64809:TCP:@xpsp2res.dll,-22009
"19069:TCP"= 19069:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 00:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 00:37]
S0 mucqchwe;mucqchwe;C:\WINDOWS\system32\drivers\mucqchwe.sys []
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 02:24]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 03:28]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys []
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys []
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 22:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 22:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 22:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 22:00]
S3 restore;restore;C:\WINDOWS\system32\drivers\restore.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-22 07:21]

2008-07-19 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-22 07:21]

2008-07-19 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []

2008-07-19 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.au/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 09:16:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-08-06 9:26:20 - machine was rebooted [Sheryl Davis]
ComboFix-quarantined-files.txt 2008-08-05 23:25:56

Pre-Run: 22,068,858,880 bytes free
Post-Run: 22,003,335,168 bytes free

264 --- E O F --- 2008-08-03 09:00:05



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:20 AM, on 6/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217587281971
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6418 bytes

#4 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:06:15 PM

Posted 06 August 2008 - 06:01 AM

Hello,

Optional:

I suggest removing the following program from your computer; however, decide for yourself.

ZoneAlarm Spy Blocker - Please read this to understand why this toolbar is not recommended.
Another good read for this: http://sunbeltblog.blogspot.com/2007/12/an...uccumbs-to.html

If you choose to uninstall, go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.

  • ZoneAlarmSB
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files and Folders, "if present":

C:\Program Files\ZoneAlarmSB <- this folder

End of optional fix



Please go to the following url: http://www.bleepingcomputer.com/submit-malware.php?channel=4
  • "Link to topic where this file was requested:" - please insert the link to this topic in the text box
  • "Browse to the file you want to submit:" - please click on browse and navigate to:
    • C:\WINDOWS\system32\drivers\mucqchwe.sys
  • "Leave any comments, further information about this file, or contact information:" - please mention in the text box that Lusitano requested you to submit the file & insert the results from Jotti or virustotal obtained in the previous step
  • Click Submit


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Documents and Settings\Sheryl Davis\Application Data\rtmiybkq
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq
File::
C:\WINDOWS\system32\drivers\mucqchwe.sys
Driver::
mucqchwe
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post them along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#5 midge63

midge63
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Location:Ballarat, in the state of Victoria
  • Local time:05:15 AM

Posted 07 August 2008 - 12:30 AM

Hi Lusitano.

I am trying to follow your latest instructions, but when it gets to finding the file mucqchwe in the system32\drivers file, I cannot see it anywhere!

Not sure what to do now.

However I have taken your advice and uninstalled the ZoneAlarm spyblocker.

Thanks very much.

Regards, midge63.

#6 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:06:15 PM

Posted 07 August 2008 - 04:33 AM

Hi,

Please set your system to show all files.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
And try now. If failed, please skip this step.

Thanks :thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#7 midge63

midge63
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Location:Ballarat, in the state of Victoria
  • Local time:05:15 AM

Posted 07 August 2008 - 06:23 AM

Hello again!

Still no luck finding that entry in system32\drivers, so I skipped that step and did the rest.

The ComboFix and HijackThis logs follow.

Thank you Lusitano.


ComboFix 08-08-06.02 - Sheryl Davis 2008-08-07 20:44:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.160 [GMT 10:00]
Running from: C:\Documents and Settings\Sheryl Davis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sheryl Davis\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\mucqchwe.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\rtmiybkq
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\profiles.ini
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\cert8.db
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\compatibility.ini
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\compreg.dat
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\cookies.sqlite
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\formhistory.sqlite
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\key3.db
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\localstore.rdf
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\permissions.sqlite
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\places.sqlite-journal
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\places.sqlite
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\pluginreg.dat
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\prefs.js
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\secmod.db
C:\Documents and Settings\NetworkService\Application Data\rtmiybkq\Profiles\z8xfwr8z.default\xpti.dat
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\profiles.ini
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\cert8.db
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\compatibility.ini
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\compreg.dat
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\cookies.sqlite
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\formhistory.sqlite
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\key3.db
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\localstore.rdf
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\permissions.sqlite
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\places.sqlite-journal
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\places.sqlite
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\pluginreg.dat
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\prefs.js
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\secmod.db
C:\WINDOWS\system32\config\systemprofile\Application Data\rtmiybkq\Profiles\ll3qg8kx.default\xpti.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MUCQCHWE
-------\Service_mucqchwe


((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-05 16:02 . 2004-08-03 23:07 43,008 --a------ C:\WINDOWS\system32\drivers\amdagp.sys
2008-08-05 16:02 . 2004-08-03 23:07 43,008 --a--c--- C:\WINDOWS\system32\dllcache\amdagp.sys
2008-08-03 18:29 . 2008-08-07 20:59 1,304,608 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-03 18:29 . 2008-08-07 20:52 16,316 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-03 18:22 . 2008-08-03 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-03 18:21 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-03 18:21 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-08-03 18:21 . 2008-08-03 18:26 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-03 18:19 . 2008-08-03 18:21 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-08-03 18:19 . 2008-08-03 18:19 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-03 18:19 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-08-03 18:18 . 2008-08-07 20:56 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-08-03 18:17 . 2008-08-07 20:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-03 14:37 . 2008-08-03 14:37 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-03 12:33 . 2008-08-03 12:35 <DIR> d-------- C:\Program Files\Emerald Hunt
2008-08-03 00:54 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-03 00:44 . 2007-02-28 19:10 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-08-03 00:44 . 2007-02-28 19:08 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-08-03 00:44 . 2007-02-28 18:38 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-08-03 00:44 . 2007-02-28 18:38 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-08-03 00:42 . 2006-06-02 04:47 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-08-03 00:42 . 2006-06-02 04:47 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-08-03 00:23 . 2006-05-05 19:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-08-02 20:30 . 2008-08-02 20:30 71 --a------ C:\WINDOWS\8943439
2008-08-02 20:16 . 2008-08-06 12:26 71 --a------ C:\WINDOWS\894315c
2008-08-02 20:15 . 2008-08-02 20:15 71 --a------ C:\WINDOWS\8943183
2008-08-02 11:54 . 2008-08-02 11:54 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-02 11:54 . 2008-08-02 11:54 <DIR> d-------- C:\WINDOWS\Profiles
2008-08-02 11:53 . 2008-08-02 11:53 <DIR> d-------- C:\Program Files\Nodtronics
2008-08-02 11:53 . 2008-08-06 12:26 195 --a------ C:\WINDOWS\Typing.ini
2008-08-01 21:55 . 2006-06-14 18:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-08-01 21:55 . 2006-06-14 19:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-08-01 21:55 . 2006-06-14 18:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-08-01 16:36 . 2004-08-04 22:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-08-01 16:34 . 2004-08-04 22:00 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-08-01 16:33 . 2004-08-04 22:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-08-01 16:32 . 2004-08-04 22:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-08-01 16:31 . 2004-08-04 22:00 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2008-08-01 16:30 . 2004-08-04 22:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-01 16:29 . 2004-08-04 22:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-01 16:28 . 2004-08-04 22:00 369,664 --a--c--- C:\WINDOWS\system32\dllcache\asp51.dll
2008-08-01 16:27 . 2004-08-04 22:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-01 16:22 . 2008-08-01 16:22 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-01 16:22 . 2008-08-01 16:22 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-01 16:21 . 2004-08-04 22:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-01 16:00 . 2004-08-04 22:00 1,086,058 -ra------ C:\WINDOWS\SETA5.tmp
2008-08-01 16:00 . 2004-08-04 22:00 1,042,903 -ra------ C:\WINDOWS\SETA2.tmp
2008-08-01 10:11 . 2008-08-01 10:11 268 --ah----- C:\sqmdata03.sqm
2008-08-01 10:11 . 2008-08-01 10:11 244 --ah----- C:\sqmnoopt03.sqm
2008-08-01 08:32 . 2008-08-01 08:32 268 --ah----- C:\sqmdata02.sqm
2008-08-01 08:32 . 2008-08-01 08:32 244 --ah----- C:\sqmnoopt02.sqm
2008-07-31 23:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-31 23:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-30 15:16 . 2008-07-30 15:16 215 --a------ C:\WINDOWS\Brpfx04a.ini
2008-07-26 10:20 . 2008-07-26 10:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-26 10:20 . 2008-07-26 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 12:37 . 2007-04-24 18:20 0 --a------ C:\WINDOWS\system32\Ultra.dll
2008-07-25 11:11 . 2008-07-25 12:53 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-24 21:11 . 2008-08-01 16:25 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-07-24 21:11 . 2008-08-01 16:25 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-07-20 09:51 . 2008-07-24 20:29 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-20 09:51 . 2008-07-24 20:29 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-20 09:51 . 2008-07-24 20:29 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-20 09:51 . 2008-07-24 20:28 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-20 09:11 . 2004-08-04 22:00 42,368 --a------ C:\WINDOWS\system32\drivers\agp440.sys
2008-07-20 09:10 . 2004-08-04 22:00 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2008-07-20 09:10 . 2004-08-04 22:00 382,464 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-07-20 09:10 . 2006-08-21 19:14 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2008-07-20 09:10 . 2006-08-21 19:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-07-20 09:10 . 2004-08-04 22:00 46,464 --a------ C:\WINDOWS\system32\drivers\gagp30kx.sys
2008-07-20 09:10 . 2004-08-04 22:00 44,928 --a------ C:\WINDOWS\system32\drivers\agpcpq.sys
2008-07-20 09:10 . 2004-08-04 22:00 44,672 --a------ C:\WINDOWS\system32\drivers\uagp35.sys
2008-07-20 09:10 . 2004-08-04 22:00 42,752 --a------ C:\WINDOWS\system32\drivers\alim1541.sys
2008-07-20 09:10 . 2004-08-04 22:00 42,240 --a------ C:\WINDOWS\system32\drivers\viaagp.sys
2008-07-20 09:10 . 2004-08-04 09:07 41,088 --a------ C:\WINDOWS\system32\drivers\sisagp.sys
2008-07-20 09:04 . 2004-08-04 22:00 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2008-07-20 09:04 . 2004-08-04 22:00 140,800 --a--c--- C:\WINDOWS\system32\dllcache\sessmgr.exe
2008-07-20 09:04 . 2004-08-04 09:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-07-20 09:04 . 2004-08-04 22:00 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2008-07-20 09:04 . 2004-08-04 22:00 11,264 --a--c--- C:\WINDOWS\system32\dllcache\irenum.sys
2008-07-20 04:35 . 2008-04-14 10:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-07-20 04:28 . 2006-12-29 05:01 19,569 --a------ C:\WINDOWS\002898_.tmp
2008-07-20 01:11 . 2008-07-20 01:11 <DIR> d-------- C:\Program Files\Uniblue
2008-07-20 01:11 . 2008-07-20 01:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-07-19 22:58 . 2004-08-04 22:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-07-19 22:58 . 2004-08-04 22:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-07-19 22:58 . 2004-08-04 22:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2008-07-19 22:58 . 2004-08-04 22:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-07-19 22:44 . 2004-08-04 22:00 1,086,058 -ra------ C:\WINDOWS\SETBD.tmp
2008-07-19 22:44 . 2004-08-04 22:00 1,042,903 -ra------ C:\WINDOWS\SETBA.tmp
2008-07-19 22:44 . 2004-08-04 22:00 13,753 -ra------ C:\WINDOWS\SETC9.tmp
2008-07-19 19:50 . 2008-08-03 03:08 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-07-19 18:08 . 2008-07-29 21:07 <DIR> d-------- C:\Program Files\RegCure
2008-07-19 17:02 . 2008-07-19 20:27 <DIR> d-------- C:\Program Files\ACW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 12:02 1,353,728 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-03 07:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-02 23:54 --------- d-----w C:\Program Files\RegCleaner
2008-08-02 22:44 --------- d-----w C:\Program Files\CCleaner
2008-08-01 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-30 06:25 --------- d-----w C:\Program Files\Google
2008-07-25 10:19 --------- d-----w C:\Program Files\iTunes
2008-07-25 05:48 --------- d-----w C:\Program Files\Trend Micro
2008-07-25 00:57 --------- d-----w C:\Program Files\Apple Software Update
2008-07-20 10:01 --------- d-----w C:\Program Files\iPod
2008-07-20 09:42 --------- d-----w C:\Program Files\QuickTime
2008-07-19 13:50 --------- d-----w C:\Program Files\OptusNet DSL Internet
2008-07-19 13:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-19 05:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-11 05:48 --------- d-----w C:\Documents and Settings\Sheryl Davis\Application Data\SolSuite
2008-06-25 10:41 --------- d-----w C:\Documents and Settings\Sheryl Davis\Application Data\Nokia Multimedia Player
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-06-25 02:23 1,390 ----a-w C:\Documents and Settings\Sheryl Davis\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-06_ 9.24.07.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 10:55:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_268.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"PCSuiteTrayApplication"="C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 13:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 13:45 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 17:42 933888]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"28658:TCP"= 28658:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"16159:TCP"= 16159:TCP:@xpsp2res.dll,-22009
"9710:TCP"= 9710:TCP:@xpsp2res.dll,-22009
"64809:TCP"= 64809:TCP:@xpsp2res.dll,-22009
"19069:TCP"= 19069:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 00:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 00:37]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 02:24]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 03:28]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys []
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys []
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 22:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 22:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 22:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 22:00]
S3 restore;restore;C:\WINDOWS\system32\drivers\restore.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-08-07 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-22 07:21]

2008-07-19 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-22 07:21]

2008-07-19 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []

2008-07-19 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 20:56:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-08-07 21:07:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 11:06:46
ComboFix2.txt 2008-08-05 23:26:23

Pre-Run: 22,576,144,384 bytes free
Post-Run: 22,563,409,920 bytes free

280 --- E O F --- 2008-08-03 09:00:05



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:47 PM, on 7/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217587281971
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6121 bytes

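The "Reg Loading Points" block of a ComboFix log like the one above is where an analyst reads off the host's self-defence state: Security Center values that silence the "no antivirus / no updates" warnings, per-product monitoring switched off, the Windows Firewall profile disabled, firewall exceptions for third-party programs, and globally open inbound ports whose description is only an unresolved resource reference such as @xpsp2res.dll,-22009. Third-party suites such as ZoneAlarm or avast! legitimately set several of these when they take over from the built-in firewall and Security Center monitoring, so each hit is something to confirm, not evidence of infection on its own. The script below is an added example written for this page, not code from the thread, from ComboFix or from any of the products named; it parses a constructed excerpt modelled on the log above and lists the settings worth reviewing.

```python
import re
from typing import Dict, List

# Constructed sample: an excerpt in the shape of a ComboFix "Reg Loading Points"
# block, modelled on the settings shown in the thread (not the real log).
SAMPLE_REG_POINTS = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"28658:TCP"= 28658:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')

# Security Center values that hide "no AV / no firewall / no updates" warnings.
SUPPRESSION_VALUES = ("AntiVirusDisableNotify", "AntiVirusOverride",
                      "FirewallDisableNotify", "FirewallOverride",
                      "UpdatesDisableNotify")


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style [key] / "name"=value lines into {key: {name: value}}.
    Keys are lower-cased for case-insensitive matching; values stay verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("*Note*", "REGEDIT4")):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2).strip()
    return keys


def is_nonzero(value: str) -> bool:
    """True for 'dword:00000001' or '1 (0x1)' style values, False for zero."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16) != 0
    m = re.match(r"(\d+)", v)
    return bool(m) and int(m.group(1)) != 0


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return review items for settings that weaken the host's own warnings
    and perimeter. Security suites set some of these on purpose: confirm each."""
    findings: List[str] = []
    for key, values in keys.items():
        if key.endswith("\\security center"):
            for name in SUPPRESSION_VALUES:
                if name in values and is_nonzero(values[name]):
                    findings.append(f"Security Center warning suppressed: {name}=1")
        elif "\\security center\\monitoring\\" in key:
            if is_nonzero(values.get("DisableMonitoring", "0")):
                product = key.rsplit("\\", 1)[-1]
                findings.append(f"Security Center monitoring disabled for {product}")
        elif key.endswith("firewallpolicy\\standardprofile"):
            if "EnableFirewall" in values and not is_nonzero(values["EnableFirewall"]):
                findings.append("Windows Firewall off for the standard profile (EnableFirewall=0)")
        elif key.endswith("authorizedapplications\\list"):
            for app in values:  # REGEDIT4 doubles backslashes, hence c:\\\\windows
                if not app.lower().startswith(("%windir%", "c:\\\\windows")):
                    findings.append(f"Firewall exception for non-Windows program: {app}")
        elif key.endswith("globallyopenports\\list"):
            for value in values.values():
                parts = value.split(":", 2)  # port:proto:description
                if len(parts) == 3 and parts[2].startswith("@"):
                    port, proto, desc = parts
                    findings.append(f"Inbound {port}/{proto} open with unresolved label "
                                    f"{desc}; match it to a listener with netstat -ano")
    return findings


def triage_log(text: str) -> List[str]:
    """Raw Reg Loading Points text in, review items out."""
    return triage(parse_reg_dump(text))


if __name__ == "__main__":
    for item in triage_log(SAMPLE_REG_POINTS):
        print("-", item)
```

Run it against the pasted block of a real log (everything from the REGEDIT4 line to the service list) and work through the output with the posted HijackThis process list and a `netstat -ano` from the machine: an open port with an unresolved label and no matching listener is stale policy, while one with a listener that is not an installed product is the thing to chase.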
#8 lusitano (Portuguese Malware Fighter, Members, 1,443 posts, Gender: Male, Location: Portugal)

Posted 07 August 2008 - 07:45 AM

Hi,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Also please post a new HijackThis log and let me know how your computer is running now.

#9 midge63 (Topic Starter, Members, 9 posts, Gender: Female, Location: Ballarat, in the state of Victoria)

Posted 07 August 2008 - 06:46 PM

Hi.

I hope this is starting to look better!

The latest logs follow.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:06 AM, on 8/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.5.0_06\bin\javaws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Documents and Settings\Sheryl Davis\My Documents\Darc\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217587281971
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6514 bytes


Malwarebytes' Anti-Malware 1.24
Database version: 1031
Windows 5.1.2600 Service Pack 2

8:52:42 AM 8/08/2008
mbam-log-8-8-2008 (08-52-42).txt

Scan type: Quick Scan
Objects scanned: 39095
Time elapsed: 12 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 midge63

midge63
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ballarat, in the state of Victoria
  • Local time:05:15 AM

Posted 07 August 2008 - 06:58 PM

By the way, I also meant to ask you why Mozilla is on my computer? The folder is in program files\common files , and no matter how I try, I can't remove it.

I have never downloaded or installed it before, and am wondering how it got there?

Sometimes the firefox.exe process is running on windows task manager, but not always.

Is it something to worry about?

Thanks Lusitano.

#11 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:06:15 PM

Posted 08 August 2008 - 07:36 AM

By the way, I also meant to ask you why Mozilla is on my computer?

Not anymore, check the last HijackThis log please. ;)

Is it something to worry about?


Good job, your logs are clean :thumbsup:

Please update your XP to SP3.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Glad I was able to help and please let me know if you still need assistance.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
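Two of the measures in the post above can be checked rather than only clicked through: the Internet-zone ActiveX and IFRAME settings in Internet Explorer, and what the replacement HOSTS file actually sinkholes to 127.0.0.1. The script below is an added example written for this page; it is not code from the thread, from MVPS, SpywareBlaster or any other product named here. It assumes the standard IE URL-action registry value names for the six settings listed (1001, 1004, 1201, 1800, 1804, 1607 under the Internet zone key, zone 3) with data 0 = Enable, 1 = Prompt, 3 = Disable, and it reads the HOSTS file from its default location.

```powershell
# Added example, not part of the thread or of any product it names.
# Audits two hardening measures recommended in the post:
#   1. the Internet-zone ActiveX / IFRAME settings in Internet Explorer
#   2. which hostnames the installed HOSTS file sinkholes to the local machine
# Assumption: the value names below are the standard IE URL-action IDs for
# these settings, and 0 / 1 / 3 mean Enable / Prompt / Disable.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet

# Recommended values from the post, keyed by IE URL-action ID (assumed mapping)
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEInternetZoneSettings {
    # One object per setting. Values are ordered 0 Enable < 1 Prompt < 3 Disable,
    # so "Compliant" means the current value is at least as strict as recommended.
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $current = $props.$id
        $label = if ($null -eq $current) { 'not set (IE default applies)' }
                 elseif ($Meaning.ContainsKey([int]$current)) { $Meaning[[int]$current] }
                 else { "unknown ($current)" }
        New-Object PSObject -Property @{
            Setting     = $Recommended[$id].Name
            Current     = $label
            Recommended = $Meaning[$Recommended[$id].Want]
            Compliant   = ($null -ne $current -and [int]$current -ge $Recommended[$id].Want)
        }
    }
}

function Get-HostsFileSinkholes {
    # Parses the HOSTS file and returns the hostnames pointed at the local machine
    # (127.0.0.1, 0.0.0.0 or ::1). The 'localhost' entry itself is excluded.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $localAddrs = @('127.0.0.1', '0.0.0.0', '::1')
    $names = @()
    foreach ($raw in (Get-Content -Path $Path -ErrorAction Stop)) {
        $line = ($raw -split '#', 2)[0].Trim()        # strip comments and surrounding whitespace
        if ($line.Length -eq 0) { continue }          # blank or comment-only line
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }         # malformed: an address with no hostname
        if ($localAddrs -contains $fields[0]) {
            # one address may be followed by several hostnames on the same line
            $names += @($fields[1..($fields.Count - 1)] |
                        ForEach-Object { $_.ToLower() } |
                        Where-Object { $_ -ne 'localhost' })
        }
    }
    $names | Sort-Object -Unique
}

function Test-HostBlocked {
    # $true when the HOSTS file would send the given hostname to the local machine.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    @(Get-HostsFileSinkholes -Path $Path) -contains $HostName.ToLower()
}

# Usage: report the six IE settings, then summarise the HOSTS file.
Test-IEInternetZoneSettings | Format-Table Setting, Current, Recommended, Compliant -AutoSize
$blocked = @(Get-HostsFileSinkholes)
"HOSTS file sinkholes $($blocked.Count) hostname(s) to the local machine"
```

Run it in a PowerShell prompt as the user whose Internet Explorer settings you want to check, since the zone values live under HKCU; a row with Compliant set to False is a setting that the post's click-through steps would tighten. The HOSTS summary is also a quick way to confirm that a replacement file such as the MVPS one was actually installed, because the sinkhole count jumps from zero to thousands.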

#12 midge63

midge63
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ballarat, in the state of Victoria
  • Local time:05:15 AM

Posted 08 August 2008 - 08:18 PM

Hello there my friend!

I am currently in the process of installing all those extra programs you suggested, quite a lengthy business indeed!

However, I am sooooo very grateful for your expertise and help!

I am very happy with the outcome, and wish you great happiness in all that you do! :thumbsup:

Until we meet again, warmest regards.

Midge63.

#13 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:06:15 PM

Posted 11 August 2008 - 04:51 AM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
