
My Computer Is Not Clean (downloader.zlob!gen.3)


This topic is locked
8 replies to this topic

#1 germinals

Posted 06 August 2008 - 05:21 AM

Hi guys

Something attacked my computer recently and it was identified by my Symantec to be a downloader.zlob!gen.3. I did a virus scan as well as a scan with Malwarebytes Anti-Malware and removed all detected items, some of which were called Trojan Vundos. The only problem is that whenever I open an IE window or click on a link in IE it goes to a page that says "Insecure Internet activity. Threat of virus attack" and a few random pages pop up. Then whatever site I go to gets hijacked by a virus detection site.

Here is my HijackThis log, hope you guys can help:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:05 PM, on 6/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: QXK Olive - {36C52D2F-5D45-49DC-810E-2EAA0E1925A2} - C:\WINDOWS\wnlmdakqpbv.dll
O2 - BHO: {cf339d68-abff-a659-aa14-76d9669e2fe7} - {7ef2e966-9d67-41aa-956a-ffba86d933fc} - C:\WINDOWS\system32\vwfknh.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213527241956
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213621137875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6174 bytes



thanks,

Rog.
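The two O2 (Browser Helper Object) lines in the log above are what a log helper looks at first: a BHO named "QXK Olive" loading a DLL with a random-looking name directly from C:\WINDOWS, and a second BHO whose display name is itself a CLSID. The script below is an added example, not code from HijackThis, BleepingComputer or the helpers in this thread. It parses O2 and O4 lines and applies three by-eye triage rules as code: a BHO name that is a bare CLSID, a file name with almost no vowels, and an autorun target outside Program Files and the Windows folder. The sample input copies five lines from the posted log plus one constructed O4 line (labelled as such, not from the log); the vowel-ratio threshold and the trusted folder list are assumptions chosen for this example, so hits are review candidates, not verdicts.

```python
"""Triage helper for HijackThis O2 (BHO) and O4 (autorun) lines.

Added example, not code from HijackThis, BleepingComputer or the thread's
helpers.  It encodes three things a log reader checks by eye: a BHO whose
display name is itself a CLSID, a loaded file whose name looks randomly
generated, and a DLL/EXE living somewhere no installer would put it.
"""
import ntpath
import re
from dataclasses import dataclass

# Sample input: five lines copied from the HijackThis log posted above, plus
# one constructed O4 line (not from the log) pointing at a user's Temp folder.
SAMPLE_LOG = r"""
O2 - BHO: QXK Olive - {36C52D2F-5D45-49DC-810E-2EAA0E1925A2} - C:\WINDOWS\wnlmdakqpbv.dll
O2 - BHO: {cf339d68-abff-a659-aa14-76d9669e2fe7} - {7ef2e966-9d67-41aa-956a-ffba86d933fc} - C:\WINDOWS\system32\vwfknh.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Owner\Local Settings\Temp\update.exe /s
"""

CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
LINE_RE = re.compile(r"^(O2|O4) - (.*)$")
O4_RE = re.compile(r".*\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
# Folders an installer legitimately writes to (assumed list; the 8.3 short
# name is included because HijackThis prints some paths that way).
TRUSTED_PREFIXES = (r"c:\program files", r"c:\progra~1", r"c:\windows")


@dataclass
class Entry:
    section: str   # "O2" or "O4"
    name: str      # BHO display name or autorun value name
    path: str      # file the entry loads


def _command_path(cmd: str) -> str:
    """Extract the executable path from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd


def parse_line(line: str):
    """Return an Entry for an O2/O4 line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O2":
        # "BHO: <name> - {CLSID} - <path>"; split from the right so a name
        # containing " - " cannot shift the fields.
        name, _clsid, path = body[len("BHO: "):].rsplit(" - ", 2)
        return Entry("O2", name, path)
    m4 = O4_RE.match(body)
    return Entry("O4", m4.group("name"), _command_path(m4.group("cmd")))


def looks_random(stem: str) -> bool:
    """Letters-only name of 6+ characters with fewer than 20% vowels (assumed threshold)."""
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return vowels / len(stem) < 0.2


def triage(entry: Entry) -> list:
    """Apply the by-eye rules to one entry; ntpath handles Windows paths on any OS."""
    findings = []
    stem = ntpath.splitext(ntpath.basename(entry.path))[0]
    folder = ntpath.dirname(entry.path).lower()
    if entry.section == "O2":
        if CLSID_RE.match(entry.name):
            findings.append("BHO display name is a bare CLSID")
        if looks_random(stem):
            findings.append("DLL name looks randomly generated")
        if folder == r"c:\windows":
            findings.append("DLL sits directly in the Windows folder, not in a product folder")
    else:
        if not folder.startswith(TRUSTED_PREFIXES):
            findings.append("autorun target is outside Program Files and the Windows folder")
    return findings


def triage_log(text: str) -> dict:
    """Map each suspicious path to its findings; clean entries are omitted."""
    report = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = triage(entry)
        if findings:
            report[entry.path] = findings
    return report


if __name__ == "__main__":
    for path, findings in triage_log(SAMPLE_LOG).items():
        print(path)
        for finding in findings:
            print("   [!]", finding)
```

Run against the sample, the two BHOs from the posted log are reported (the same DLL that SmitfraudFix later marks as suspicious) while the Windows Live BHO, ccApp and ctfmon pass; the constructed Temp-folder autorun is reported by the O4 rule. The vowel rule is deliberately limited to BHO names because short legitimate system binaries such as hkcmd.exe would otherwise trip it.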


#2 htv8

Posted 09 August 2008 - 02:21 PM

Hello germinals, and welcome to BleepingComputer.com! I will be handling your log to help you get cleaned up.

Please take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean.
  • If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • Please don't run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
  • If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8

Posted 09 August 2008 - 03:25 PM

Hello, germinals.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Step #1: SmitfraudFix
You likely have a Smitfraud variant; I need to gather some more information. Please follow these instructions:
  • Please download SmitfraudFix (by S!Ri).
    Download SmitfraudFix (SmitfraudFix.exe)
  • Double-click SmitfraudFix.exe to run SmitfraudFix.
  • Select option #1 - Search by typing 1 and press Enter.
    • A text file will appear, which lists infected files (if present).
  • Please copy/paste the entire contents of that report into your next reply.

NOTE: ** Process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Look here for more details. **

Step #2: VundoFix
You may have a Vundo infection.
  • Please download VundoFix (by Atribune) to your Desktop.
    Download VundoFix (VundoFix.exe)
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it is done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files; click Yes.
    • Once you click Yes, your Desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer; click OK.
  • Turn your computer back on.
  • Please post the entire contents of C:\vundofix.txt in your next reply.

NOTE: ** It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot. **

Step #3: Deckard's System Scanner (DSS)
We need to create a Deckard's System Scanner (DSS) log.

Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.
(1) Download Deckard's System Scanner (dss.exe)
(2) Download Deckard's System Scanner (dss.exe)

DSS will do the following:

  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your Desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer Yes.
You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

To run the program:
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on dss.exe to run DSS, and follow the prompts.
  • If your antivirus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad (if not, they both can be found in the C:\Deckard\System Scanner folder):
    • main.txt <- will be maximized
    • extra.txt <- will be minimized
  • Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the entire contents of main.txt and extra.txt in your next reply.
NOTES:
** When running DSS, some firewalls may warn that it is trying to access the Internet (especially if you're asked to download the most current version of HijackThis); please ensure that DSS is given permission to access the Internet. **
** If you get a warning from your antivirus while DSS is scanning, please allow DSS to continue as the scan is not harmful. **



So in your next reply, please post the entire contents of:
  • SmitfraudFix's report
  • C:\vundofix.txt
  • DSS's main.txt log
  • DSS's extra.txt log
NOTE: Use several posts if necessary to include everything in the requested logs.

Edited by htv8, 09 August 2008 - 03:26 PM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#4 germinals (Topic Starter)

Posted 12 August 2008 - 06:20 PM

Hi htv8

Sorry about the late reply, I've been busy with work. Here are the logs you requested (although VundoFix did not detect anything, so no log was produced).


Smitfraud:


SmitFraudFix v2.334

Scan done at 23:08:08.96, Mon 11/08/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Logitech\MouseWare\System\Em_exec.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: wnlmdakqpbv.dll
BHO: QXK Olive - {36C52D2F-5D45-49DC-810E-2EAA0E1925A2}
TypeLib: {759C4A95-AB06-4686-A140-012C8470BA1A}
Interface: {A236FA4C-A9C1-4B09-BB73-AFAE27A4AA15}
Interface: {D5F9F3BE-8F38-4C21-9316-28EF1E321950}


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 203.2.75.132
DNS Server Search Order: 198.142.0.51

HKLM\SYSTEM\CCS\Services\Tcpip\..\{952C8D11-D3C3-4798-8372-5AD4461E0387}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{952C8D11-D3C3-4798-8372-5AD4461E0387}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\..\{952C8D11-D3C3-4798-8372-5AD4461E0387}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51


Scanning for wininet.dll infection


End



DSS Main:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-12 21:30:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
34: 2008-08-12 11:30:32 UTC - RP195 - Deckard's System Scanner Restore Point
33: 2008-08-12 03:15:35 UTC - RP194 - System Checkpoint
32: 2008-08-11 02:47:32 UTC - RP193 - System Checkpoint
31: 2008-08-10 02:15:34 UTC - RP192 - System Checkpoint
30: 2008-08-09 01:15:34 UTC - RP191 - System Checkpoint


-- First Restore Point --
1: 2008-08-05 23:35:42 UTC - RP162 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:31:14, on 12/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Logitech\MouseWare\System\Em_exec.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: QXK Olive - {36C52D2F-5D45-49DC-810E-2EAA0E1925A2} - C:\WINDOWS\wnlmdakqpbv.dll
O2 - BHO: {cf339d68-abff-a659-aa14-76d9669e2fe7} - {7ef2e966-9d67-41aa-956a-ffba86d933fc} - C:\WINDOWS\system32\vwfknh.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213527241956
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213621137875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6325 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&3B1CAF2B&0&30F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&3B1CAF2B&0&30F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-08-12 17:00:00 448 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2008-08-12 07:01:41 362 --a------ C:\WINDOWS\Tasks\XoftSpySE.job
2008-08-09 20:47:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-11 23:10:39 0 d-------- C:\VundoFix Backups
2008-08-11 23:08:14 2096 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-06 14:00:20 0 d-------- C:\My Music
2008-08-06 14:00:12 5 --a------ C:\WINDOWS\system32\SySMACJ.dat
2008-08-06 09:36:40 120960 --a------ C:\WINDOWS\system32\vwfknh.dll
2008-08-06 09:36:35 120960 --a------ C:\WINDOWS\system32\gndxgbjw.dll
2008-08-06 09:36:31 99712 -----n--- C:\WINDOWS\system32\lhxmeebh.dll
2008-08-06 09:35:24 323328 -----n--- C:\WINDOWS\system32\iifdcAss.dll
2008-08-06 09:30:17 34176 -----n--- C:\WINDOWS\system32\ddcBRkjk.dll
2008-08-06 09:25:54 405504 --a------ C:\WINDOWS\wnlmdakqpbv.dll
2008-08-05 22:07:47 0 d-------- C:\Program Files\Apple Software Update
2008-08-05 22:06:48 0 d-------- C:\Program Files\iPod
2008-08-05 22:06:44 0 d-------- C:\Program Files\iTunes
2008-08-03 22:28:30 0 d-------- C:\Program Files\Image Grabber II


-- Find3M Report ---------------------------------------------------------------

2008-08-12 07:01:43 0 d-------- C:\Program Files\XoftSpySE
2008-08-11 01:18:10 0 d-------- C:\Program Files\SopCast
2008-08-08 15:12:32 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-06 09:41:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 20:48:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Hamachi
2008-07-16 20:18:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-10 08:33:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-07 20:49:45 0 d-------- C:\Program Files\Trend Micro
2008-06-26 21:46:08 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-06-26 21:45:58 0 d-------- C:\Program Files\DVDVideoSoft
2008-06-26 03:01:12 0 d-------- C:\Program Files\MSXML 4.0
2008-06-22 11:46:47 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-22 11:41:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-20 22:06:09 0 d-------- C:\Program Files\Hamachi
2008-06-20 09:07:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-06-18 13:28:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Alien Skin
2008-06-18 09:53:53 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-18 09:53:48 0 d-------- C:\Program Files\Common Files
2008-06-18 09:31:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Sports Interactive
2008-06-18 08:57:01 0 dr-h----- C:\Documents and Settings\Owner\Application Data\SecuROM
2008-06-18 08:54:41 0 d--h----- C:\Program Files\Zero G Registry
2008-06-18 08:54:41 0 d-------- C:\Program Files\Sports Interactive
2008-06-17 21:45:21 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-06-17 21:44:16 0 d-------- C:\Program Files\Common Files\Macromedia
2008-06-17 21:44:06 0 d-------- C:\Program Files\Macromedia
2008-06-17 21:35:10 0 d-------- C:\Documents and Settings\Owner\Application Data\Nero
2008-06-17 21:33:33 0 d-------- C:\Program Files\Common Files\Nero
2008-06-17 21:30:29 0 d-------- C:\Program Files\Nero
2008-06-16 22:46:39 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-16 22:35:16 0 d-------- C:\Program Files\Windows Live
2008-06-16 22:34:59 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-16 22:31:39 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2008-06-16 22:29:45 0 d-------- C:\Program Files\Opera
2008-06-16 22:27:12 0 d-------- C:\Program Files\Bonjour
2008-06-16 22:27:05 0 d-------- C:\Program Files\QuickTime
2008-06-16 22:26:12 0 d-------- C:\Program Files\Common Files\Apple
2008-06-16 22:16:35 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-16 22:10:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-06-16 22:05:09 0 d-------- C:\Program Files\Winamp
2008-06-16 21:41:38 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2008-06-16 21:40:53 0 d-------- C:\Documents and Settings\Owner\Application Data\vlc
2008-06-16 21:39:45 0 d-------- C:\Program Files\VideoLAN
2008-06-16 21:28:45 0 d-------- C:\Program Files\BitComet
2008-06-16 21:26:25 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-06-16 21:17:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-16 21:08:11 0 d-------- C:\Program Files\Symantec
2008-06-16 20:57:27 0 d-------- C:\Program Files\Alcohol Soft
2008-06-15 23:13:08 0 d-------- C:\Program Files\Messenger
2008-06-15 23:12:48 0 d-------- C:\Program Files\Movie Maker
2008-06-15 23:10:44 0 d-------- C:\Program Files\Windows NT
2008-06-15 20:28:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-15 20:24:33 0 d-------- C:\Program Files\Broadcom
2008-06-15 20:24:27 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-15 20:23:32 0 d-------- C:\Program Files\Logitech
2008-06-15 20:23:32 0 d-------- C:\Program Files\Common Files\Logitech
2008-06-15 20:22:23 0 d-------- C:\Program Files\Intel
2008-06-15 20:20:42 0 d-------- C:\Program Files\Analog Devices
2008-06-15 10:17:33 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-15 10:17:30 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-15 10:17:08 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2008-06-15 00:33:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2008-06-15 00:31:16 0 d-------- C:\Program Files\microsoft frontpage
2008-06-15 00:23:44 0 -rahs---- C:\MSDOS.SYS
2008-06-15 00:23:44 0 -rahs---- C:\IO.SYS
2008-06-15 00:23:44 0 --a------ C:\CONFIG.SYS
2008-06-15 00:23:44 0 --a------ C:\AUTOEXEC.BAT
2008-06-15 00:21:54 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-15 00:21:29 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-15 00:21:11 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-15 00:21:11 0 d-------- C:\Program Files\Online Services
2008-06-15 00:21:01 0 d-------- C:\Program Files\MSN Gaming Zone


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36C52D2F-5D45-49DC-810E-2EAA0E1925A2}]
06/08/2008 08:32 405504 --a------ C:\WINDOWS\wnlmdakqpbv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ef2e966-9d67-41aa-956a-ffba86d933fc}]
06/08/2008 09:36 120960 --a------ C:\WINDOWS\system32\vwfknh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2003 13:37]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2003 13:19]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/04/2005 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [17/04/2005 12:30]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [10/07/2008 09:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/07/2008 10:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 10:12]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [17/06/2008 21:33]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/04/2008 10:12]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [01/03/2007 10:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01af2156-3b93-11dd-bb38-000f1f4f2e2d}]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f5da16c-3d97-11dd-bb3e-000f1f4f2e2d}]
AutoRun\command- E:\AutoTransfer.exe




-- End of Deckard's System Scanner: finished at 2008-08-12 21:32:09 ------------



DSS Extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1022 MiB / 560.37 MiB
Pagefile Memory (total/avail): 2460.38 MiB / 2113.78 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.36 MiB

C: is Fixed (NTFS) - 149 GiB total, 59.24 GiB free.
D: is CDROM (CDFS)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD1600JB-75GVA0 - 149.01 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ROGE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\ROGE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Nero\Lib\;C:\Program Files\Common Files\Nero\Lib\;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=ROGE
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update --> MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Football Manager 2008 --> "C:\Program Files\Sports Interactive\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
Free Audio Dub version 1.4 --> "C:\Program Files\DVDVideoSoft\Free Audio Dub\unins000.exe"
Free Video to iPod Converter version 3.1 --> "C:\Program Files\DVDVideoSoft\Free Video to iPod Converter\unins000.exe"
Free YouTube to iPod Converter version 3.1 --> "C:\Program Files\DVDVideoSoft\Free YouTube to iPod Converter\unins000.exe"
Hamachi 1.0.2.5 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Image Grabber II --> "C:\Program Files\Image Grabber II\uninstall.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
iTunes --> MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E}
K-Lite Codec Pack 3.9.5 (Full) --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech MouseWare 9.77 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Nero 8 --> MsiExec.exe /X{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1033}
Opera 9.50 --> MsiExec.exe /X{7472B5B4-3FB7-446F-BC78-6BBA506EC473}
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SopCast 3.0.3 --> C:\Program Files\SopCast\uninst.exe
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Symantec AntiVirus --> MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
Uninstall 1.0.0.1 --> "C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
VideoLAN VLC media player 0.8.6h --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR --> "C:\WINDOWS\WinRAR\uninstall.exe" "/U:C:\Program Files\WinRAR\Uninstall\uninstall.xml"
XoftSpySE --> C:\Program Files\XoftSpySE\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2423 / Error
Event Submitted/Written: 08/11/2008 11:10:04 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: IEDefender in File: C:\Documents and Settings\Owner\Desktop\SmitfraudFix\404Fix.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access allowed. Action Description: The file was quarantined successfully.

Event Record #/Type2422 / Error
Event Submitted/Written: 08/11/2008 11:09:43 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: IEDefender in File: c:\WINDOWS\system32\iedfix.c.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Event Record #/Type2421 / Error
Event Submitted/Written: 08/11/2008 11:09:43 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: IEDefender in File: c:\WINDOWS\system32\404Fix.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Event Record #/Type2420 / Error
Event Submitted/Written: 08/11/2008 11:09:42 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: IEDefender in File: c:\WINDOWS\system32\IEDFix.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Event Record #/Type2419 / Error
Event Submitted/Written: 08/11/2008 11:09:42 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: IEDefender in File: c:\documents and settings\Owner\Desktop\smitfraudfix\IEDFix.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14849 / Error
Event Submitted/Written: 08/11/2008 09:14:50 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.

Event Record #/Type14848 / Error
Event Submitted/Written: 08/11/2008 09:14:50 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.

Event Record #/Type14847 / Error
Event Submitted/Written: 08/11/2008 09:14:50 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.

Event Record #/Type14846 / Error
Event Submitted/Written: 08/11/2008 09:14:50 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.

Event Record #/Type14842 / Warning
Event Submitted/Written: 08/11/2008 08:56:26 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-08-12 21:32:09 ------------



Hope this helps, the problem is still occurring, thanks
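A triage script for the registry dump above, added here as an example; it is not part of the thread and not one of the tools used in it (DSS, HijackThis, SmitfraudFix, ComboFix). It reads DSS-style Browser Helper Object and MountPoints2 sections plus SmitfraudFix-style Tcpip DNS lines, and queues for manual review the patterns that matter in this log: BHO DLLs that sit directly in C:\WINDOWS or under a random-looking name in system32 (the Vundo/Zlob layout, here wnlmdakqpbv.dll and vwfknh.dll), AutoRun\command hooks on removable volumes, and any static NameServer= value, which is what a DNS-changer writes, as opposed to DhcpNameServer=, which only records what the DHCP server handed out. The sample input embeds the thread's own lines plus a constructed benign BHO (ExampleVendor\ExampleHelper.dll with an invented GUID) and a constructed static NameServer line using RFC 5737 documentation addresses. The pronounceability test is a heuristic: a hit means "check the file's publisher and hash", not "malicious".

```python
"""Triage a DSS/HijackThis-style registry dump and SmitfraudFix DNS lines.

Added example for this thread, not one of the tools used in it. Flags:
  1. BHO DLLs directly in C:\WINDOWS, or random-looking names in system32;
  2. MountPoints2 AutoRun\command entries (removable-media autorun hooks);
  3. static NameServer= values (DNS-changer indicator); DhcpNameServer= is not flagged.
"""
import re
from dataclasses import dataclass

# Constructed sample in the thread's log format. The two BHO entries, the AutoRun
# line and the DhcpNameServer line are copied from the thread; the ExampleVendor BHO
# (invented GUID) and the static NameServer line (RFC 5737 addresses) are constructed.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36C52D2F-5D45-49DC-810E-2EAA0E1925A2}]
06/08/2008 08:32 405504 --a------ C:\WINDOWS\wnlmdakqpbv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ef2e966-9d67-41aa-956a-ffba86d933fc}]
06/08/2008 09:36 120960 --a------ C:\WINDOWS\system32\vwfknh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
01/01/2008 10:00 65536 --a------ C:\Program Files\ExampleVendor\ExampleHelper.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01af2156-3b93-11dd-bb38-000f1f4f2e2d}]
AutoRun\command- F:\autorun.exe

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{952C8D11-D3C3-4798-8372-5AD4461E0387}: NameServer=192.0.2.53 192.0.2.54
"""

GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
BHO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + GUID + r"\]$")
MOUNT_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\\S*\\mountpoints2\\" + GUID + r"\]$", re.I)
FILE_LINE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
AUTORUN = re.compile(r"^AutoRun\\command-\s*(.+)$", re.I)
DNS_LINE = re.compile(r"^(HKLM\\SYSTEM\\[^:]+):\s*(DhcpNameServer|NameServer)=(.+)$")

SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


@dataclass
class Finding:
    kind: str     # "bho", "autorun" or "dns"
    key: str      # GUID or registry key the line belongs to
    value: str    # file path, command or server list
    reason: str


def looks_random(filename):
    """Crude pronounceability test: very few vowels or a long consonant run."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowels / len(letters) < 0.25 or longest_run >= 4


def classify_bho(path):
    """Reason string if a BHO DLL's location or name is suspicious, else None."""
    directory, _, name = path.lower().rpartition("\\")
    directory += "\\"
    if directory not in SYSTEM_DIRS:
        return None                          # installed products live under Program Files
    if directory == "c:\\windows\\":
        return "BHO DLL directly in the Windows directory"
    if looks_random(name):
        return "random-looking DLL name in system32"
    return None


def triage(dump):
    findings, section, kind = [], None, None
    for line in (raw.strip() for raw in dump.splitlines()):
        if not line:
            continue
        if line.startswith("["):             # any key header starts a new section
            section = kind = None
            if m := BHO_KEY.match(line):
                section, kind = m.group(1), "bho"
            elif m := MOUNT_KEY.match(line):
                section, kind = m.group(1), "autorun"
            continue
        if kind == "bho" and (m := FILE_LINE.match(line)):
            path = m.group(1).strip()
            if reason := classify_bho(path):
                findings.append(Finding("bho", section, path, reason))
        elif kind == "autorun" and (m := AUTORUN.match(line)):
            findings.append(Finding("autorun", section, m.group(1).strip(),
                                    "AutoRun\\command on a removable volume"))
        elif m := DNS_LINE.match(line):
            key, name, servers = m.groups()
            if name == "NameServer":         # static override; DhcpNameServer is the lease
                findings.append(Finding("dns", key, servers.strip(),
                                        "static NameServer overrides the DHCP lease"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f.kind:8} {f.reason}: {f.value}  [{f.key}]")
```

Run it as a script to print the findings, or call triage() on a saved log. A DhcpNameServer value that looks wrong still deserves a look at the router itself, because the log only records what the DHCP server handed out and cannot show that the gateway's DNS settings were changed.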

#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:42 PM

Posted 13 August 2008 - 01:01 PM

Hello again, germinals.

[...]

Sorry about the late reply, been busy with work. [...]

No problem at all. :thumbsup:

[...]

Hope this helps, the problem is still occurring, thanks

That's because we haven't fixed anything yet. Please continue to review my answers so we can fix the malware related problem(s) you are experiencing.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost. Some of the instructions will need to be carried out in Safe Mode where Internet access is not available, and thus you will be unable to access this thread at that time.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Step #1: XoftSpySE
You have XoftSpySE installed on your computer.

XoftSpy has been delisted from The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites, but since the program was on it I recommend uninstalling it and using programs from the trustworthy list, which can be viewed on the same page. If you agree, uninstall the program as follows using Add or Remove Programs:

  • Click Start on the taskbar, then click on the Control Panel icon.
  • Double-click the Add or Remove Programs icon.
    • A list of programs installed will be "populated"; this may take a bit of time.
  • Uninstall XoftSpySE if it is listed by clicking on its entry and selecting the Remove (or Change/Remove) button.
Only if you uninstalled XoftSpySE by performing the instructions listed above, please delete the files and the folder listed below (if present) using My Computer or Windows Explorer (to get there, press Windows KEY + E):
C:\WINDOWS\Tasks\XoftSpySE.job
C:\WINDOWS\Tasks\XoftSpySE 2.job
C:\Program Files\XoftSpySE <-- this folder

Step #2: DAFT (Deckard's Association Fix Tool)
We need to fix altered file associations:
  • Make sure Deckard's System Scanner (dss.exe) is located on your Desktop.
  • Open a Run prompt by clicking Start > Run....
  • Copy and paste the entire contents of the CODE box below into the Open: field:
    "%userprofile%\Desktop\dss.exe" /daft
  • Click OK or press Enter on your keyboard.
  • You will be presented with 1 or 2 prompt(s). Accept each.
  • Click Scan at the bottom of the resulting window.
    • If DSS finds faulty file associations, they will appear in red next to a checkbox.
  • Check each item found by DSS.
  • Click the Fix button at the bottom of the window.
  • Rescan and save a log file (by default, it will save as daft.txt).
  • Close DSS /daft.
  • Copy and paste the entire contents of the saved log file (daft.txt) in your next reply.
Step #3: SmitfraudFix - Cleaning
We have to run SmitfraudFix using its cleaning option:
  • Please reboot your computer in Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
      • Instead of Windows loading as normal, a menu with options should appear.
    • Select the first option to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
  • Once in Safe Mode, double-click SmitfraudFix.exe to run SmitfraudFix.
  • Select option #2 - Clean by typing 2 and press Enter to delete infected files.
  • You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press Enter.
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear on-screen, with results from the cleaning process; please copy/paste the entire contents of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt.

WARNING: Running option #2 on a noninfected computer will remove your Desktop background.

Step #4: ComboFix
We need to run ComboFix.
  • Please visit this webpage for download links, and instructions for running the tool: How to use ComboFix.
  • Please ensure you read this guide carefully and install the Recovery Console first.
    • The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.
  • Please continue as follows:
    • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix.
      ** Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask. **
    • Click Yes to allow ComboFix to continue scanning for malware.
      NOTE: ** Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang! **
    • When finished, ComboFix shall produce a log for you; post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again. Please read ComboFix's Disclaimer.




So in your next reply, please post the entire contents of:
  • daft.txt
  • rapport.txt (SmitfraudFix's report)
  • the produced ComboFix log
NOTE: Use several posts if necessary to include everything in the requested logs.

Edited by htv8, 13 August 2008 - 01:02 PM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#6 germinals

germinals
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:42 AM

Posted 14 August 2008 - 06:57 PM

Hi htv8

Firstly, I uninstalled XoftSpy, but when I went into the Tasks folder there were no scheduled XoftSpy tasks there for me to delete.

Here are the logs in order:

Daft:

DAFT Log saved on 2008-08-15 09:12:01
-----------------------------------------------------------------------
All associations okay!


Rapport:

SmitFraudFix v2.334

Scan done at 9:18:09.46, Fri 15/08/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\wnlmdakqpbv.dll deleted.


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{952C8D11-D3C3-4798-8372-5AD4461E0387}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{952C8D11-D3C3-4798-8372-5AD4461E0387}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\..\{952C8D11-D3C3-4798-8372-5AD4461E0387}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


ComboFix:

ComboFix 08-08-14.01 - Owner 2008-08-15 9:36:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.629 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies.\owner@adsfac[2].txt
C:\Documents and Settings\Owner\Cookies.\owner@adtrgt[1].txt
C:\Documents and Settings\Owner\Cookies.\owner@clicktorrent[2].txt
C:\Documents and Settings\Owner\Cookies.\owner@forum.ncixus[2].txt
C:\Documents and Settings\Owner\Cookies.\owner@isohunt[1].txt
C:\Documents and Settings\Owner\Cookies.\owner@okcupid[2].txt
C:\Documents and Settings\Owner\Cookies.\owner@secure.ncixus[2].txt
C:\Documents and Settings\Owner\Cookies.\owner@stat.dealtime[1].txt
C:\Documents and Settings\Owner\Cookies.\owner@www.digitalhome.com[2].txt
C:\WINDOWS\BMb34fd91e.txt
C:\WINDOWS\system32\ddcBRkjk.dll
C:\WINDOWS\system32\gndxgbjw.dll
C:\WINDOWS\system32\iifdcAss.dll
C:\WINDOWS\system32\lhxmeebh.dll
C:\WINDOWS\system32\ssAcdfii.ini
C:\WINDOWS\system32\vwfknh.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-15 09:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-15 09:18 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-15 09:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-15 09:18 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-15 09:18 . 2008-08-09 15:37 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-15 09:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-15 09:17 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-15 09:17 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-15 09:17 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-12 21:30 . 2008-08-12 21:30 <DIR> d-------- C:\Deckard
2008-08-11 23:10 . 2008-08-11 23:10 <DIR> d-------- C:\VundoFix Backups
2008-08-11 23:08 . 2008-08-15 09:18 2,096 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-06 14:02 . 2008-08-06 14:02 135 --a------ C:\WINDOWS\Mp3ACutjoin.ini
2008-08-06 14:00 . 2008-08-06 14:00 <DIR> d-------- C:\My Music
2008-08-06 14:00 . 2008-08-06 14:02 5 --a------ C:\WINDOWS\system32\SySMACJ.dat
2008-08-06 09:25 . 2008-08-06 09:25 65,536 ---hs---- C:\Documents and Settings\Owner\MediaTubeCodec_ver1.1463.0.exe
2008-08-05 22:07 . 2008-08-05 22:07 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-05 22:06 . 2008-08-05 22:06 <DIR> d-------- C:\Program Files\iTunes
2008-08-05 22:06 . 2008-08-05 22:06 <DIR> d-------- C:\Program Files\iPod
2008-08-03 22:28 . 2008-08-03 22:28 <DIR> d-------- C:\Program Files\Image Grabber II

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 23:47 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-13 04:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
2008-08-10 15:18 --------- d-----w C:\Program Files\SopCast
2008-08-05 23:41 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 10:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-09 23:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-09 22:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-09 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-07 10:49 --------- d-----w C:\Program Files\Trend Micro
2008-07-07 07:42 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-07 07:42 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 11:46 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-06-26 11:45 --------- d-----w C:\Program Files\DVDVideoSoft
2008-06-25 17:01 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-22 01:46 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-20 12:06 --------- d-----w C:\Program Files\Hamachi
2008-06-20 12:05 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 23:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-06-18 03:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Alien Skin
2008-06-17 23:53 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-17 23:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sports Interactive
2008-06-17 22:57 --------- d--h--r C:\Documents and Settings\Owner\Application Data\SecuROM
2008-06-17 22:54 --------- d--h--w C:\Program Files\Zero G Registry
2008-06-17 22:54 --------- d-----w C:\Program Files\Sports Interactive
2008-06-17 11:44 --------- d-----w C:\Program Files\Macromedia
2008-06-17 11:44 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-17 11:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nero
2008-06-17 11:33 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-17 11:30 --------- d-----w C:\Program Files\Nero
2008-06-17 11:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-16 12:46 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-16 12:35 --------- d-----w C:\Program Files\Windows Live
2008-06-16 12:34 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-16 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-16 12:29 --------- d-----w C:\Program Files\Opera
2008-06-16 12:27 --------- d-----w C:\Program Files\QuickTime
2008-06-16 12:27 --------- d-----w C:\Program Files\Bonjour
2008-06-16 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-16 12:26 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-16 12:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-16 12:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-16 12:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\Winamp
2008-06-16 12:05 --------- d-----w C:\Program Files\Winamp
2008-06-16 11:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
2008-06-16 11:39 --------- d-----w C:\Program Files\VideoLAN
2008-06-16 11:28 --------- d-----w C:\Program Files\BitComet
2008-06-16 11:26 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-06-16 11:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-16 11:08 --------- d-----w C:\Program Files\Symantec
2008-06-16 11:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-16 10:57 --------- d-----w C:\Program Files\Alcohol Soft
2008-06-16 10:55 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-06-15 10:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-15 10:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-15 10:24 --------- d-----w C:\Program Files\Broadcom
2008-06-15 10:23 --------- d-----w C:\Program Files\Logitech
2008-06-15 10:23 --------- d-----w C:\Program Files\Common Files\Logitech
2008-06-15 10:22 --------- d-----w C:\Program Files\Intel
2008-06-15 10:20 --------- d-----w C:\Program Files\Analog Devices
2008-06-14 14:31 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 10:12 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-06-17 21:33 4608]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 10:12 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 13:37 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 13:19 118784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 10:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 10:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-02 04:49 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-26 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\Rz Stuff II\\BitComet_0.58\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Opera\\opera.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8727:TCP"= 8727:TCP:BitComet 8727 TCP
"8727:UDP"= 8727:UDP:BitComet 8727 UDP

R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-26 09:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f5da16c-3d97-11dd-bb3e-000f1f4f2e2d}]
\Shell\AutoRun\command - E:\AutoTransfer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 09:48:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-15 9:53:29 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-14 23:53:26

Pre-Run: 62,829,727,744 bytes free
Post-Run: 62,793,953,280 bytes free

208 --- E O F --- 2008-07-12 14:16:31


thanks for your time and help!!

#7 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:42 PM

Posted 15 August 2008 - 08:09 AM

Hello, germinals. We are making progress. :thumbsup:

OK, I see that Thunder has given you assistance here before.

Have you noticed any improvements yet?



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Step #1: ComboFix's CFScript
We need to re-run ComboFix with some additional directives:
  • Close any open browsers/windows.
  • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix.
    ** Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask. **
  • Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.
    File::
    C:\Documents and Settings\Owner\MediaTubeCodec_ver1.1463.0.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\VACFix.exe
    C:\WINDOWS\system32\IEDFix.exe
    C:\WINDOWS\system32\IEDFix.C.exe
    C:\WINDOWS\system32\404Fix.exe
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\system32\tmp.reg
    
    Folder::
    C:\VundoFix Backups
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Click File > Save and save as CFScript.txt in the same location as ComboFix.exe.
  • Posted Image
    Referring to the picture above, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
    NOTE: ** Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang! **
  • When finished, ComboFix shall produce a log for you at C:\ComboFix.txt; please post the entire contents of that report in your next reply for further review.
Step #2: ATF Cleaner
We need to clean out some temporary data.

Please download ATF Cleaner by Atribune and save it to your Desktop.
Download ATF Cleaner

Perform a cleanup as follows:

  • Double-click ATF-Cleaner.exe to run the program.
  • Under the Main tab (at the top of the screen) - Select Files to Delete, put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button.

If you use the Mozilla Firefox browser:

  • Click on the Firefox tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

  • Click on the Opera tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click the Exit button on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

NOTE: ** On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF Cleaner must be run as an administrator: right-click the ATF Cleaner.exe file and choose "Run as administrator". **

Step #3: Kaspersky WebScanner
Please do an online scan with Kaspersky Online Scanner:
  • Please visit the Kaspersky Online Scanner website.
    NOTE: ** If you are using Windows Vista, open your browser by right-clicking on its icon and select "Run as administrator" to perform this scan. **
  • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer. This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Change the "Files of Type" dropdown box to "Text Files".
  • Enter a memorable filename.
  • Save the file to your Desktop.
  • Copy and paste that information in your next post.
Step #4: HijackThis scan
Please scan with HijackThis and post a new HijackThis log.



So in your next reply, please post the entire contents of:
  • C:\ComboFix.txt
  • the Kaspersky Online Scanner report
  • the new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

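A defender-side sanity check for a CFScript like the one in Step #1, added here as an example (it is not ComboFix's own code nor the helper's): it splits the File::/Folder:: directives and flags any entry that is not an absolute drive path or that names a protected system location outright, the kind of mistake the WARNING above is about. The PROTECTED set, the excerpted script and the BAD_SCRIPT counter-example are constructed for this example.

```python
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")   # "File::", "Folder::", ...
DRIVE_RE = re.compile(r"^[a-z]:\\")           # absolute Windows path

# Locations a File::/Folder:: line must never name outright; deleting one
# wholesale is the kind of damage the post's WARNING refers to. Constructed.
PROTECTED = {"c:", r"c:\windows", r"c:\windows\system32",
             r"c:\program files", r"c:\documents and settings"}

def parse_cfscript(text):
    """Split a CFScript body into {directive: [entries]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def check_cfscript(text):
    """Return (directive, entry, reason) for each File::/Folder:: entry that looks unsafe."""
    problems = []
    for directive, entries in parse_cfscript(text).items():
        for entry in entries if directive in ("File", "Folder") else ():
            norm = entry.lower().rstrip("\\")   # "C:\" -> "c:"
            if not DRIVE_RE.match(entry.lower()):
                problems.append((directive, entry, "not an absolute drive path"))
            elif norm in PROTECTED:
                problems.append((directive, entry, "protected system location"))
    return problems

# Excerpt of the script posted in this thread (first lines of each section).
THREAD_SCRIPT = """File::
C:\\Documents and Settings\\Owner\\MediaTubeCodec_ver1.1463.0.exe
C:\\WINDOWS\\system32\\VCCLSID.exe
C:\\WINDOWS\\system32\\tmp.reg

Folder::
C:\\VundoFix Backups
"""

# Constructed counter-example: a relative path and a whole system folder.
BAD_SCRIPT = "File::\ntemp\\thing.exe\n\nFolder::\nC:\\WINDOWS\\system32\\\n"
```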

#8 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:42 PM

Posted 21 August 2008 - 08:44 AM

Still with us?
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#9 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:42 PM

Posted 23 August 2008 - 08:05 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
