
Userinit.exe Application Error


  • This topic is locked
10 replies to this topic

#1 goat88
  • Members
  • 19 posts

Posted 06 August 2008 - 10:32 PM

Hello,

A friend asked me to look at his computer for him. I figured I was just going to be doing the normal Ad-Aware, CCleaner, Spybot type stuff. Not so much: when I booted it up it said "userinit.exe - Application error The application failed to initialize properly (0xa0000005). Click on ok to terminate the application". No taskbar, blank screen, and all the other mess that comes along with this problem. I can, like many others, still access the task manager and can load up the desktop through it, but it is still very unstable. This issue is a bit over my head. I have seen and read many posts on this issue but I know each computer problem is different, so I didn't want to attempt any of the many fixes before I consulted you guys.

I have scanned with Norton, Spybot S&D, Lavasoft Ad-Aware, and CCleaner. Between all of those I found about 25 instances of viruses and an unimaginable amount of spyware and such. I did run Windows recovery with the Windows CD afterwards and tried to expand a good userinit into the system32 folder. No help. This thing is all kinds of messed up. Any help would be greatly appreciated. Thank you in advance.

I have read and downloaded the programs from your preparation guide. The only issue I have is that DSS only created a "main.txt" after the scan. Here it is. Let me know if there is anything else you need from me.

Deckard's System Scanner v20071014.68
Run by Cey Vargas on 2008-08-06 20:09:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Cey Vargas.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:28 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Cey Vargas\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CEYVAR~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "search200.com"); (C:\Documents and Settings\CEY VARGAS\Application Data\Mozilla\Profiles\default\4xpj8l4m.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CEY VARGAS\Application Data\Mozilla\Profiles\default\4xpj8l4m.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8A290466-39BD-419B-93DB-0E9599506654} - C:\WINDOWS\system32\jkkHXNhe.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - (no file)
O2 - BHO: {f77715f1-2f4d-8af8-3144-bfd21b22e66d} - {d66e22b1-2dfb-4413-8fa8-d4f21f51777f} - C:\WINDOWS\system32\surqqflm.dll
O2 - BHO: gooochi browser optimizer - {f7c6917d-08b4-837c-9bed-1e8b0e8f88d3} - C:\WINDOWS\system32\{b342f3d6-83c3-8b14-0456-a85445dddbaa}.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O20 - AppInit_DLLs: surqqflm.dll
O20 - Winlogon Notify: jkkHXNhe - C:\WINDOWS\SYSTEM32\jkkHXNhe.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5542 bytes

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 20:02:34 0 d-------- C:\Program Files\Trend Micro
2008-08-06 19:40:27 237728 -r-hs---- C:\cmldr
2008-08-06 19:40:14 0 dr-hs---- C:\cmdcons
2008-08-06 19:34:36 0 d-------- C:\WINDOWS\setup.pss
2008-08-05 20:57:08 0 dr-h----- C:\Documents and Settings\Cey Vargas\Recent
2008-08-05 12:32:05 21504 --a------ C:\WINDOWS\system32\userinit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-04 22:22:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 18:27:52 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-04 18:27:52 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-08-04 18:27:52 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-04 18:27:52 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-04 18:27:52 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-04 18:27:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-04 18:27:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-08-04 18:27:51 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-04 18:27:51 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-04 18:27:51 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-04 18:27:51 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-04 18:27:51 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-04 18:27:50 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-08-05 20:41:23 0 d-------- C:\Program Files\Common Files\Real
2008-08-05 20:40:56 0 d-a------ C:\Program Files\Common Files
2008-08-05 20:40:00 0 d-------- C:\Documents and Settings\Cey Vargas\Application Data\Real
2008-08-04 20:15:20 0 d-------- C:\Program Files\Symantec
2008-08-04 20:12:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-04 19:26:17 868765 --ahs---- C:\WINDOWS\system32\MTuEOqru.ini2
2008-07-04 17:19:39 101376 --a------ C:\WINDOWS\system32\qutumr.dll
2008-07-04 17:19:39 101376 --a------ C:\WINDOWS\system32\fjqlbwkh.dll
2008-06-28 08:30:06 94208 --a------ C:\WINDOWS\system32\edccfkbh.dll
2008-06-23 14:29:17 137728 --a------ C:\WINDOWS\system32\surqqflm.dll
2008-06-22 14:29:07 128512 --a------ C:\WINDOWS\system32\xvibhrjc.dll
2008-06-22 11:30:47 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-06-17 17:39:48 130560 --a------ C:\WINDOWS\system32\cfnplkxk.dll
2008-06-17 17:36:27 124416 --a------ C:\WINDOWS\system32\nolmmlfm.dll
2008-06-15 10:48:42 133632 --a------ C:\WINDOWS\system32\duulwfid.dll
2008-06-05 06:25:44 105472 --a------ C:\WINDOWS\system32\ndgoinnu.dll
2008-06-03 20:47:04 114688 --a------ C:\WINDOWS\system32\fmkitasl.dll
2008-06-02 20:44:29 114688 --a------ C:\WINDOWS\system32\mqurjgxa.dll
2008-06-02 17:33:23 114688 --a------ C:\WINDOWS\system32\qjpkswcy.dll
2008-06-01 11:14:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-01 10:51:25 104448 --a------ C:\WINDOWS\system32\lhraqjbr.dll
2008-06-01 09:17:19 104448 --a------ C:\WINDOWS\system32\kfjboffk.dll
2008-05-22 19:12:09 355 --a------ C:\622.bat
2008-05-21 20:48:10 28672 --a------ C:\WINDOWS\system32\cbXPfGxW.dll
2008-05-20 14:38:02 28672 --a------ C:\WINDOWS\system32\ljJYRKde.dll
2008-05-20 14:37:18 401963 --a------ C:\WINDOWS\system32\g99.exe
2008-05-20 09:43:23 28672 --a------ C:\WINDOWS\system32\hgGWoOfd.dll
2008-05-20 09:41:17 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-20 09:38:25 28672 --a------ C:\WINDOWS\system32\jkkHXNhe.dll


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-08-06 20:09:41 ------------
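A triage pass over the HijackThis entries quoted above, as an added example that is not part of the thread and not code from HijackThis, OTMoveIt2 or ComboFix: it flags the entry types a helper reviews first (O1 hosts redirects, nameless or randomly named O2 BHOs, O20 AppInit_DLLs and Winlogon Notify loads, an N3 start-page change) and lists the DLL names those entries reference so they can be cross-checked against the Find3M file listing. The sample input is an excerpt of the log above; the eight-letter-DLL heuristic is my assumption and will misfire on some legitimate files, so the output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt of the HijackThis log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {8A290466-39BD-419B-93DB-0E9599506654} - C:\WINDOWS\system32\jkkHXNhe.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - (no file)
O2 - BHO: {f77715f1-2f4d-8af8-3144-bfd21b22e66d} - {d66e22b1-2dfb-4413-8fa8-d4f21f51777f} - C:\WINDOWS\system32\surqqflm.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "search200.com"); (C:\Documents and Settings\CEY VARGAS\Application Data\Mozilla\Profiles\default\4xpj8l4m.slt\prefs.js)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: surqqflm.dll
O20 - Winlogon Notify: jkkHXNhe - C:\WINDOWS\SYSTEM32\jkkHXNhe.dll
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - AppInit_DLLs: surqqflm.dll".
HJT_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Heuristic (my assumption): an eight-letter, vendor-less DLL name at the end of the
# entry, the pattern of the randomly named droppers in this log (jkkHXNhe.dll, surqqflm.dll).
RANDOM_DLL = re.compile(r"\\[A-Za-z]{8}\.dll$")
# Any DLL file name mentioned in an entry, for cross-checking against the file listing.
DLL_NAME = re.compile(r"([\w{}\-]+\.dll)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and flag the entry types a removal helper examines first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header line, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec == "O1":
            # Hosts-file entries pointing well-known domains at an arbitrary address.
            reason = "hosts-file redirect"
        elif sec == "O2" and ("(no name)" in body or "(no file)" in body
                              or "(file missing)" in body or RANDOM_DLL.search(body)):
            # BHOs load into every Internet Explorer process; nameless, missing or
            # randomly named ones need a closer look.
            reason = "suspicious browser helper object"
        elif sec == "O20":
            # AppInit_DLLs are loaded into every process, Winlogon Notify DLLs into
            # winlogon itself, so a broken DLL here can disrupt logon.
            reason = "AppInit_DLLs / Winlogon Notify DLL"
        elif sec == "N3" and "browser.startup.homepage" in body:
            reason = "Mozilla start page changed"
        if reason:
            findings.append(Finding(sec, reason, line))
    return findings


def count_by_section(findings: List[Finding]) -> Dict[str, int]:
    """Number of flagged entries per HijackThis section."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


def flagged_dlls(findings: List[Finding]) -> List[str]:
    """Lower-cased DLL names referenced by flagged entries, sorted for comparison."""
    names = set()
    for f in findings:
        for name in DLL_NAME.findall(f.entry):
            names.add(name.lower())
    return sorted(names)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:<4} {f.reason:<36} {f.entry}")
    print("DLLs to cross-check:", flagged_dlls(results))
```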



#2 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 06 August 2008 - 10:37 PM

Hello goat88

Welcome to BleepingComputer :thumbsup:
========================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveIt2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\MTuEOqru.ini2
    C:\WINDOWS\system32\qutumr.dll
    C:\WINDOWS\system32\fjqlbwkh.dll
    C:\WINDOWS\system32\edccfkbh.dll
    C:\WINDOWS\system32\surqqflm.dll
    C:\WINDOWS\system32\xvibhrjc.dll
    C:\WINDOWS\system32\cfnplkxk.dll
    C:\WINDOWS\system32\nolmmlfm.dll
    C:\WINDOWS\system32\duulwfid.dll
    C:\WINDOWS\system32\ndgoinnu.dll
    C:\WINDOWS\system32\fmkitasl.dll
    C:\WINDOWS\system32\mqurjgxa.dll
    C:\WINDOWS\system32\qjpkswcy.dll
    C:\WINDOWS\system32\lhraqjbr.dll
    C:\WINDOWS\system32\kfjboffk.dll
    C:\622.bat
    C:\WINDOWS\system32\cbXPfGxW.dll
    C:\WINDOWS\system32\ljJYRKde.dll
    C:\WINDOWS\system32\g99.exe
    C:\WINDOWS\system32\hgGWoOfd.dll
    C:\WINDOWS\system32\jkkHXNhe.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveIt2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============
Please visit this web page for instructions for downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

(Note: if the Recovery Console fails to install, do not proceed; alert me and post back here and we will continue.)
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#3 goat88
  • Topic Starter
  • Members
  • 19 posts

Posted 07 August 2008 - 01:11 AM

Kahdah, that was awesome. The obvious issues seem to have gone away. Here are the logs you requested. HijackThis still only created a 'main.txt' though; hope that gives you all you need.

C:\WINDOWS\system32\MTuEOqru.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qutumr.dll
C:\WINDOWS\system32\qutumr.dll NOT unregistered.
C:\WINDOWS\system32\qutumr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fjqlbwkh.dll
C:\WINDOWS\system32\fjqlbwkh.dll NOT unregistered.
C:\WINDOWS\system32\fjqlbwkh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\edccfkbh.dll
C:\WINDOWS\system32\edccfkbh.dll NOT unregistered.
C:\WINDOWS\system32\edccfkbh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\surqqflm.dll
C:\WINDOWS\system32\surqqflm.dll NOT unregistered.
C:\WINDOWS\system32\surqqflm.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xvibhrjc.dll
C:\WINDOWS\system32\xvibhrjc.dll NOT unregistered.
C:\WINDOWS\system32\xvibhrjc.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\cfnplkxk.dll
C:\WINDOWS\system32\cfnplkxk.dll NOT unregistered.
C:\WINDOWS\system32\cfnplkxk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nolmmlfm.dll
C:\WINDOWS\system32\nolmmlfm.dll NOT unregistered.
C:\WINDOWS\system32\nolmmlfm.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\duulwfid.dll
C:\WINDOWS\system32\duulwfid.dll NOT unregistered.
C:\WINDOWS\system32\duulwfid.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ndgoinnu.dll
C:\WINDOWS\system32\ndgoinnu.dll NOT unregistered.
C:\WINDOWS\system32\ndgoinnu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fmkitasl.dll
C:\WINDOWS\system32\fmkitasl.dll NOT unregistered.
C:\WINDOWS\system32\fmkitasl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mqurjgxa.dll
C:\WINDOWS\system32\mqurjgxa.dll NOT unregistered.
C:\WINDOWS\system32\mqurjgxa.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qjpkswcy.dll
C:\WINDOWS\system32\qjpkswcy.dll NOT unregistered.
C:\WINDOWS\system32\qjpkswcy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lhraqjbr.dll
C:\WINDOWS\system32\lhraqjbr.dll NOT unregistered.
C:\WINDOWS\system32\lhraqjbr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kfjboffk.dll
C:\WINDOWS\system32\kfjboffk.dll NOT unregistered.
C:\WINDOWS\system32\kfjboffk.dll moved successfully.
C:\622.bat moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\cbXPfGxW.dll
C:\WINDOWS\system32\cbXPfGxW.dll NOT unregistered.
C:\WINDOWS\system32\cbXPfGxW.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ljJYRKde.dll
C:\WINDOWS\system32\ljJYRKde.dll NOT unregistered.
C:\WINDOWS\system32\ljJYRKde.dll moved successfully.
C:\WINDOWS\system32\g99.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hgGWoOfd.dll
C:\WINDOWS\system32\hgGWoOfd.dll NOT unregistered.
C:\WINDOWS\system32\hgGWoOfd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkkHXNhe.dll
C:\WINDOWS\system32\jkkHXNhe.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\jkkHXNhe.dll scheduled to be moved on reboot.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08062008_223633






ComboFix 08-08-06.02 - Cey Vargas 2008-08-06 22:46:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.471 [GMT -7:00]
Running from: C:\Documents and Settings\Cey Vargas\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\F?nts\
C:\Program Files\dbar
C:\Program Files\dbar\basis.xml
C:\Program Files\dbar\channel.tmpl
C:\Program Files\dbar\content.tmpl
C:\Program Files\dbar\dbaruninst.exe
C:\Program Files\dbar\deskbar.crc
C:\Program Files\dbar\deskbar.inf
C:\Program Files\dbar\edit_rss.tmpl
C:\Program Files\dbar\local.xml
C:\Program Files\dbar\nav1.bmp
C:\Program Files\dbar\nav2.bmp
C:\Program Files\dbar\new_alert.tmpl
C:\Program Files\dbar\version.ini
C:\Program Files\dbar\version.txt
C:\Program Files\Dynamic Toolbar
C:\Program Files\Spcron
C:\Program Files\Spcron\Spc.dll
C:\Program Files\Svconr
C:\Program Files\Temporary
C:\Program Files\winvi
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js
C:\Program Files\winvi\dsktp\desktop.html
C:\Program Files\winvi\dsktp\internetDetection.swf
C:\Program Files\winvi\dsktp\settings.sol
C:\Program Files\winvi\icons\bufferthis.ico
C:\Program Files\winvi\icons\flashfunpages.ico
C:\Program Files\winvi\icons\funnies.ico
C:\Program Files\winvi\icons\funnyfunpages.ico
C:\Program Files\winvi\icons\goodcleanvideos.ico
C:\Program Files\winvi\icons\newfunpages.ico
C:\Program Files\winvi\icons\positivethoughts.ico
C:\Program Files\winvi\icons\removespyware.ico
C:\Program Files\winvi\icons\thissiterocks.ico
C:\Program Files\winvi\temp\version.ini
C:\Program Files\winvi\Uninst.exe
C:\Program Files\winvi\version.ini
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\BMef5f53ea.txt
C:\WINDOWS\BMef5f53ea.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\adgdjqax.ini
C:\WINDOWS\system32\aofldoei.ini
C:\WINDOWS\system32\gymjcdtx.ini
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\jkkHXNhe.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlcdhxip.ini
C:\WINDOWS\system32\mnahgcpg.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\SYSTEM32\MTuEOqru.ini
C:\WINDOWS\system32\oavkubvu.ini
C:\WINDOWS\system32\omqjxqkg.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\pcwklhjx.ini
C:\WINDOWS\SYSTEM32\sfvmjdfn.ini
C:\WINDOWS\system32\skiuykpi.ini
C:\WINDOWS\system32\sympkxib.ini
C:\WINDOWS\system32\ufkidxdx.ini
C:\WINDOWS\system32\umofhybx.ini
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\utftednr.ini
C:\WINDOWS\system32\vabrwiuw.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wllbitnt.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-06 22:36 . 2008-08-06 22:36 <DIR> d-------- C:\_OTMoveIt
2008-08-06 20:02 . 2008-08-06 20:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 21:57 . 2008-08-05 21:57 <DIR> d-------- C:\Deckard
2008-08-05 12:32 . 2001-08-17 15:37 21,504 --a------ C:\WINDOWS\SYSTEM32\userinit.exe
2008-08-04 22:22 . 2008-08-04 22:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-04 22:22 . 2008-08-04 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 18:27 . 2002-09-03 14:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-04 18:27 . 2008-08-04 18:28 <DIR> d-------- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 03:41 --------- d-----w C:\Program Files\Common Files\Real
2008-08-05 03:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-05 03:15 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-08-05 03:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-05 03:15 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-05 03:15 --------- d-----w C:\Program Files\Symantec
2008-08-05 03:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-05 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-31 00:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-31 00:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-31 00:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-06-22 18:30 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-06-13 21:45 579,464 ----a-w C:\WINDOWS\SYSTEM32\SymNeti.dll
2008-06-13 21:45 207,240 ----a-w C:\WINDOWS\SYSTEM32\SymRedir.dll
2008-06-13 21:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 21:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 21:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 21:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 21:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 21:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 21:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 21:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 21:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 21:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-01 16:22 2,538,084 --sha-w C:\WINDOWS\SYSTEM32\pcwklhjx.tmp
2008-05-20 21:37 63,902 ----a-w C:\WINDOWS\SYSTEM32\{b342f3d6-83c3-8b14-0456-a85445dddbaa}.dll-uninst.exe
2007-06-02 17:46 378 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb1942.dat
2007-06-02 17:41 49 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb41.dat
2007-06-02 17:29 177,152 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb4827.dat
2007-06-02 17:29 151 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb6366.dat
2007-06-02 17:29 13,046 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb5436.dat
2007-06-02 17:29 0 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb4604.dat
2006-11-18 23:14 0 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb2391.dat
2006-11-16 03:51 0 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb153.dat
2006-11-14 05:37 0 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb3902.dat
2006-11-14 05:37 0 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb1538.dat
2006-10-15 06:51 9,216 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb8467.dat
2006-10-15 06:51 0 ----a-w C:\Documents and Settings\Cey Vargas\Application Data\internaldb6334.dat
2006-10-09 21:10 69,384 -c--a-w C:\Documents and Settings\Cey Vargas\Application Data\GDIPFONTCACHEV1.DAT
2003-02-10 04:29 957,618 -c--a-w C:\Program Files\tmpgenc-2.02.31.119.zip
2002-12-31 18:48 276,736 -c--a-w C:\Program Files\keep-it.exe
2002-11-30 01:13 2,829,764 -c--a-w C:\Program Files\WinMPG_VideoConvert_setup.EXE
2002-11-13 17:33 1,038,848 -c--a-w C:\Program Files\WinMPG Video Convert.exe
2002-07-03 15:54 120,440 -c--a-w C:\Program Files\Setup.exe
2006-08-16 11:58 100,352 --sha-r C:\WINDOWS\SYSTEM32\6to4svc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=surqqflm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll
"msacm.l3acma"= L3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA4028]
command [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA8662]
command [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB1063]
command [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB9355]
command [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC4587]
del [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC9659]
del [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD4604]
del [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6761]
del [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-01-25 18:47 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
-ra------ 2007-06-11 13:04 190696 C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashUtil9d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Active Disk]
--a------ 2001-09-13 12:35 45056 C:\Program Files\Iomega\AutoDisk\AD2KClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
--a------ 2001-09-12 12:35 61440 C:\Program Files\Iomega\DriveIcons\Imgicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
--a------ 2001-01-17 18:33 45056 C:\Program Files\Iomega\Common\IMGSTART.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 11:06 110592 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2004-08-04 00:56 158208 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 15:16 5058560 C:\WINDOWS\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-06 23:49 718704 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-03-24 13:22 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe"=
"C:\\StubInstaller.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 18:47]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 ebookman;FEP_USB Driver;C:\WINDOWS\system32\Drivers\ebookman.sys [2001-05-11 10:13]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 11:52]
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Cey Vargas.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]
.
- - - - ORPHANS REMOVED - - - -

BHO-{d66e22b1-2dfb-4413-8fa8-d4f21f51777f} - C:\WINDOWS\system32\surqqflm.dll
BHO-{f7c6917d-08b4-837c-9bed-1e8b0e8f88d3} - C:\WINDOWS\system32\{b342f3d6-83c3-8b14-0456-a85445dddbaa}.dll
WebBrowser-{E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - (no file)
MSConfigStartUp-BMef5f53ea - C:\WINDOWS\system32\edccfkbh.dll
MSConfigStartUp-ec6c6076 - C:\WINDOWS\system32\uvbukvao.dll
MSConfigStartUp-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe
MSConfigStartUp-{7a074523-3e87-7ac0-0959-229e546a64ce} - C:\WINDOWS\system32\{b342f3d6-83c3-8b14-0456-a85445dddbaa}.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 22:57:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\devldr32.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-08-06 23:03:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 06:03:11

Pre-Run: 15,689,654,272 bytes free
Post-Run: 15,717,322,752 bytes free

252 --- E O F --- 2008-05-17 03:31:36
Deckard's System Scanner v20071014.68
Run by Cey Vargas on 2008-08-06 23:09:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Cey Vargas.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:13 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Cey Vargas\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CEYVAR~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "search200.com"); (C:\Documents and Settings\CEY VARGAS\Application Data\Mozilla\Profiles\default\4xpj8l4m.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CEY VARGAS\Application Data\Mozilla\Profiles\default\4xpj8l4m.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O20 - AppInit_DLLs: surqqflm.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5067 bytes

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 23:03:47 0 d-------- C:\WINDOWS\LastGood
2008-08-06 22:43:23 68096 --a------ C:\WINDOWS\zip.exe
2008-08-06 22:43:23 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-06 22:43:23 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-06 22:43:23 98816 --a------ C:\WINDOWS\sed.exe
2008-08-06 22:43:23 80412 --a------ C:\WINDOWS\grep.exe
2008-08-06 22:43:23 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-06 22:43:22 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-06 22:43:22 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-06 20:02:34 0 d-------- C:\Program Files\Trend Micro
2008-08-06 19:40:27 237728 -r-hs---- C:\cmldr
2008-08-06 19:40:14 0 dr-hs---- C:\cmdcons
2008-08-06 19:34:36 0 d-------- C:\WINDOWS\setup.pss
2008-08-05 20:57:08 0 dr-h----- C:\Documents and Settings\Cey Vargas\Recent
2008-08-05 12:32:05 21504 --a------ C:\WINDOWS\system32\userinit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-04 22:22:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 18:27:52 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-04 18:27:52 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-08-04 18:27:52 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-04 18:27:52 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-04 18:27:52 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-04 18:27:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-04 18:27:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-08-04 18:27:51 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-04 18:27:51 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-04 18:27:51 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-04 18:27:51 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-04 18:27:51 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-04 18:27:50 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-08-06 22:51:16 0 d-a------ C:\Program Files\Common Files
2008-08-05 20:41:23 0 d-------- C:\Program Files\Common Files\Real
2008-08-05 20:40:00 0 d-------- C:\Documents and Settings\Cey Vargas\Application Data\Real
2008-08-04 20:15:20 0 d-------- C:\Program Files\Symantec
2008-08-04 20:12:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-22 11:30:47 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-06-01 11:14:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
05/26/2008 12:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/06/2003 03:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=surqqflm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Active Disk]
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
C:\Program Files\Iomega\Common\ImgStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton AntiVirus\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA4028]
command /c del "C:\Program Files\BearShare\Logs\memory.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA8662]
command /c del "C:\Program Files\BearShare\Logs\ordinal.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB1063]
command /c del "C:\Program Files\BearShare\Logs\ordinal.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB9355]
command /c del "C:\Program Files\BearShare\Logs\memory.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC4587]
cmd /c del "C:\Program Files\BearShare\Logs\memory.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC9659]
cmd /c del "C:\Program Files\BearShare\Logs\ordinal.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD4604]
cmd /c del "C:\Program Files\BearShare\Logs\memory.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6761]
cmd /c del "C:\Program Files\BearShare\Logs\ordinal.txt"




-- End of Deckard's System Scanner: finished at 2008-08-06 23:09:36 ------------

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:21 PM

Posted 07 August 2008 - 04:57 AM

Almost there :thumbsup:
==============
1. Please open Notepad:
  • Click Start, then Run.
  • Type notepad in the Run box, then click OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\pcwklhjx.tmp
C:\WINDOWS\SYSTEM32\{b342f3d6-83c3-8b14-0456-a85445dddbaa}.dll-uninst.exe
C:\Documents and Settings\Cey Vargas\Application Data\internaldb1942.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb41.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb4827.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb6366.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb5436.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb4604.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb2391.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb153.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb3902.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb1538.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb8467.dat
C:\Documents and Settings\Cey Vargas\Application Data\internaldb6334.dat
C:\WINDOWS\system32\surqqflm.dll 

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA4028]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA8662]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB1063]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB9355]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC4587]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC9659]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD4604]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6761]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image
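The fix above targets three things the earlier logs exposed: a DLL registered under AppInit_DLLs (which Windows loads into every process that links user32.dll, so it survives ordinary cleaning), autostart and BHO entries pointing at randomly named DLLs in system32, and a browser home page that had been redirected. The following Python triage script, an added example that is not part of this thread or of HijackThis/ComboFix, scans HijackThis-style log lines for those indicators so a helper can spot them before writing a script like the one above. The sample lines, the EXPECTED_HOSTS allowlist and the KNOWN_GOOD_NAMES list are constructed for the example, and the random-name check is a heuristic flag for review, not proof of infection.

```python
"""Triage helper for HijackThis-style log lines (added example, not the forum's tooling).

Flags, from each log line:
  * an O20 AppInit_DLLs entry (any non-empty value is worth review),
  * O2/O4/O23 entries whose file name looks machine-generated
    (eight lowercase letters, not a known Windows binary),
  * R0/R1/N3 start-page entries pointing at an unexpected host.
"""
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 format, modelled on the logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {d66e22b1-2dfb-4413-8fa8-d4f21f51777f} - C:\WINDOWS\system32\surqqflm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMef5f53ea] RUNDLL32.EXE C:\WINDOWS\system32\edccfkbh.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "search200.com"); (C:\Documents and Settings\user\prefs.js)
O20 - AppInit_DLLs: surqqflm.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Hosts the owner or vendor would normally set as a start page (constructed allowlist).
EXPECTED_HOSTS = {"www.google.com", "go.microsoft.com", "securityresponse.symantec.com"}

# Eight-letter lowercase Windows binaries the heuristic must not flag (partial, constructed list;
# in practice build it from a known-good inventory of the same Windows version).
KNOWN_GOOD_NAMES = {"browseui", "winspool", "imagehlp", "wintrust",
                    "schannel", "powrprof", "setupapi", "wshtcpip"}

# Base name of every .dll/.exe path component on a line (group 1 = name without extension).
FILE_RE = re.compile(r"\\([A-Za-z0-9_~]+)\.(?:dll|exe)\b", re.IGNORECASE)

START_PAGE_KEYS = ("Start Page", "Default_Page_URL", "browser.startup.homepage")


def looks_random(name: str) -> bool:
    """Heuristic: eight lowercase letters and not a known Windows binary name."""
    return bool(re.fullmatch(r"[a-z]{8}", name)) and name not in KNOWN_GOOD_NAMES


def _start_page_host(line: str):
    """Return the host of an R0/R1/N3 start-page entry, or None if the line is not one."""
    if not line.startswith(("R0 -", "R1 -", "N3 -")):
        return None
    if not any(key in line for key in START_PAGE_KEYS):
        return None
    if line.startswith("N3 -"):
        m = re.search(r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)', line)
        url = m.group(1) if m else ""
    else:
        url = line.split(" = ", 1)[1] if " = " in line else ""
    url = url.strip()
    if not url:
        return None
    if "://" not in url:          # N3 values are often bare host names
        url = "http://" + url
    return urlparse(url).hostname


def triage(log_text: str):
    """Return (severity, indicator, detail) tuples, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. AppInit_DLLs is injected into every user-mode process that loads user32.dll.
        if line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("high", "AppInit_DLLs", value))
            continue
        # 2. Start page or home page pointing somewhere the owner did not choose.
        host = _start_page_host(line)
        if host is not None and host not in EXPECTED_HOSTS:
            findings.append(("review", "start-page", host))
        # 3. BHO, Run-key or service entries with random-looking file names.
        if line[:3] in ("O2 ", "O4 ", "O23"):
            for name in FILE_RE.findall(line):
                if looks_random(name):
                    findings.append(("review", "random-name", name))
    return findings


if __name__ == "__main__":
    for severity, indicator, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {indicator}: {detail}")
```

Run against a real HijackThis log, the script only narrows what to look at: a "random-name" hit still needs the file checked (vendor signature, creation time, whether it also appears under AppInit_DLLs or as an orphaned BHO), and a "high" AppInit_DLLs hit is the entry to clear, as kahdah's CFScript does, together with deleting the DLL it names.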

#5 goat88

goat88
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:21 PM

Posted 07 August 2008 - 09:05 PM

Done. I upgraded to SP3 when prompted to on this comp last night. That made the ComboFix log huge, so I broke it up into two txt files. I'll upload the one in this post and the other in one right after... sorry...

Deckard's System Scanner v20071014.68
Run by Cey Vargas on 2008-08-07 18:55:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Cey Vargas.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:20 PM, on 8/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cey Vargas\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CEYVAR~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "search200.com"); (C:\Documents and Settings\CEY VARGAS\Application Data\Mozilla\Profiles\default\4xpj8l4m.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CEY VARGAS\Application Data\Mozilla\Profiles\default\4xpj8l4m.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218091294843
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5568 bytes

-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 18:33:53 0 d-------- C:\WINDOWS\LastGood
2008-08-07 03:21:34 0 d-------- C:\WINDOWS\Prefetch
2008-08-07 00:46:11 0 d-------- C:\WINDOWS\system32\scripting
2008-08-07 00:46:08 0 d-------- C:\WINDOWS\l2schemas
2008-08-07 00:46:07 0 d-------- C:\WINDOWS\system32\en
2008-08-06 23:21:56 0 d-------- C:\WINDOWS\network diagnostic
2008-08-06 22:43:23 68096 --a------ C:\WINDOWS\zip.exe
2008-08-06 22:43:23 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-06 22:43:23 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-06 22:43:23 98816 --a------ C:\WINDOWS\sed.exe
2008-08-06 22:43:23 80412 --a------ C:\WINDOWS\grep.exe
2008-08-06 22:43:23 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-06 22:43:22 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-06 22:43:22 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-06 20:02:34 0 d-------- C:\Program Files\Trend Micro
2008-08-06 19:40:27 237728 -r-hs---- C:\cmldr
2008-08-06 19:40:14 0 dr-hs---- C:\cmdcons
2008-08-06 19:34:36 0 d-------- C:\WINDOWS\setup.pss
2008-08-05 20:57:08 0 dr-h----- C:\Documents and Settings\Cey Vargas\Recent
2008-08-04 22:22:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 18:27:52 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-04 18:27:52 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-08-04 18:27:52 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-04 18:27:52 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-04 18:27:52 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-04 18:27:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-04 18:27:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-04 18:27:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-08-04 18:27:51 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-04 18:27:51 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-04 18:27:51 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-04 18:27:51 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-04 18:27:51 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-04 18:27:50 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-08-07 08:10:51 0 d-a------ C:\Program Files\Common Files
2008-08-07 00:46:46 0 d-------- C:\Program Files\Messenger
2008-08-07 00:46:06 0 d-------- C:\Program Files\Movie Maker
2008-08-07 00:40:21 0 d-------- C:\Program Files\Windows NT
2008-08-05 20:41:23 0 d-------- C:\Program Files\Common Files\Real
2008-08-05 20:40:00 0 d-------- C:\Documents and Settings\Cey Vargas\Application Data\Real
2008-08-04 20:15:20 0 d-------- C:\Program Files\Symantec
2008-08-04 20:12:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-22 11:30:47 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-06-01 11:14:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
05/26/2008 12:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/06/2003 03:16 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 06:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 05:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Active Disk]
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
C:\Program Files\Iomega\Common\ImgStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton AntiVirus\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-07 18:55:54 ------------

Attached Files



#6 goat88

goat88
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:21 PM

Posted 07 August 2008 - 09:09 PM

...well, actually it won't let me upload the other part of it... I guess I'll just skip the rest of the snapshot and put the end of the log in here... if you do need the rest of that stuff, let me know and we can work something else out, I guess...


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 18:47 51048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll
"msacm.l3acma"= L3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-01-25 18:47 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
-ra------ 2007-06-11 13:04 190696 C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashUtil9d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Active Disk]
--a------ 2001-09-13 12:35 45056 C:\Program Files\Iomega\AutoDisk\AD2KClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
--a------ 2001-09-12 12:35 61440 C:\Program Files\Iomega\DriveIcons\Imgicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
--a------ 2001-01-17 18:33 45056 C:\Program Files\Iomega\Common\IMGSTART.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 11:06 110592 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2008-04-13 17:12 169984 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 15:16 5058560 C:\WINDOWS\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-06 23:49 718704 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-03-24 13:22 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 18:47]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 ebookman;FEP_USB Driver;C:\WINDOWS\system32\Drivers\ebookman.sys [2001-05-11 10:13]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 11:52]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Cey Vargas.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 08:11:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 8:13:48
ComboFix-quarantined-files.txt 2008-08-07 15:13:37
ComboFix2.txt 2008-08-07 06:03:19

Pre-Run: 16,280,027,136 bytes free
Post-Run: 16,357,232,640 bytes free

8702 --- E O F --- 2008-08-07 15:05:14

#7 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 August 2008 - 10:11 AM

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#8 goat88

  • Topic Starter
  • Members
  • 19 posts

Posted 08 August 2008 - 02:17 PM

here it is...

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 8, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 08, 2008 17:30:42
Records in database: 1069833


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 83029
Threat name 51
Infected objects 93
Suspicious objects 0
Duration of the scan 01:35:40

File name Threat name Threats count
C:\Deckard\System Scanner\20080806200417\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a 1

C:\Documents and Settings\Cey Vargas\Shared\jealousey herm lewis.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkkHXNhe.dll.vir Infected: Trojan.Win32.Monderb.bsu 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP947\A0131974.exe Infected: Trojan-Downloader.Win32.Homles.bl 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP948\A0131993.exe Infected: Trojan-Downloader.Win32.Homles.bl 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP948\A0132005.exe Infected: Trojan-Downloader.Win32.Homles.bl 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP948\A0132009.exe Infected: Trojan-Downloader.Win32.VB.enh 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP948\A0132011.exe Infected: Trojan-Downloader.Win32.Homles.bo 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP948\A0132015.dll Infected: not-a-virus:AdWare.Win32.BHO.cdk 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP948\A0132016.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP948\A0132031.exe Infected: Trojan-Downloader.Win32.Homles.bo 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0132081.exe Infected: Trojan.Win32.VB.dpc 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0132084.exe Infected: Trojan-Downloader.Win32.VB.epp 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0132086.exe Infected: Trojan-Downloader.Win32.Homles.bo 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133065.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133081.exe Infected: Trojan-Downloader.Win32.Homles.bo 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133085.dll Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133086.exe Infected: not-a-virus:AdWare.Win32.Insider.c 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133087.exe Infected: not-a-virus:AdWare.Win32.TTC.d 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133089.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareExpert.h 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133090.exe Infected: not-a-virus:AdWare.Win32.Rond.f 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133091.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133092.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133093.exe Infected: Trojan.Win32.Agent.ay 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133094.dll Infected: not-a-virus:AdWare.Win32.BetterInternet 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133095.exe Infected: Trojan-Downloader.Win32.Stubby.c 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133096.exe Infected: not-a-virus:AdWare.Win32.BetterInternet 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133099.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133102.exe Infected: not-a-virus:AdWare.Win32.CommAd.a 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133103.exe Infected: not-a-virus:Monitor.Win32.NetMon.a 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133107.exe Infected: Trojan-Downloader.Win32.PurityScan.fj 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133108.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133110.exe Infected: Trojan.Win32.Dialer.k 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133112.exe Infected: Trojan-Spy.Win32.VB.aho 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133113.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133114.exe Infected: Trojan-Downloader.Win32.TSUpdate.n 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133115.exe Infected: Trojan-Downloader.Win32.TSUpdate.l 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133116.exe Infected: Trojan-Downloader.Win32.TSUpdate.r 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133117.exe Infected: Trojan-Downloader.Win32.TSUpdate.f 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0135133.exe Infected: Trojan-Downloader.Win32.PurityScan.fj 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP950\A0135188.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP950\A0135189.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP950\A0137203.dll Infected: not-a-virus:AdWare.Win32.TTC.d 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP950\A0138208.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP950\A0138243.dll Infected: Trojan-Downloader.Win32.IstBar.pb 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP950\A0138245.dll Infected: not-a-virus:AdWare.Win32.Agent.byy 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP951\A0138254.exe Infected: Trojan.NSIS.StartPage.c 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP951\A0138257.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP951\A0138258.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP955\A0138453.dll Infected: not-a-virus:AdWare.Win32.Mostofate.t 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP955\A0138481.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP955\A0138482.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP955\A0138483.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP955\A0139920.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.uor 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP955\A0139932.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP956\A0140997.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP956\A0141026.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP956\A0141054.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0141078.exe Infected: not-a-virus:AdWare.Win32.BHO.cdk 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0141080.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0141083.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0142095.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP959\A0142149.exe Infected: Trojan-Downloader.Win32.Agent.qqn 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP959\A0142150.exe Infected: Trojan-Downloader.Win32.Agent.pbq 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP963\A0147176.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.ce 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0147219.dll Infected: Trojan.Win32.Inject.cif 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0147220.dll Infected: Trojan.Win32.Inject.cif 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0156325.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0156326.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0160339.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ay 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0160341.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0160343.dll Infected: Trojan.Win32.Mondera.gen 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0161357.exe Infected: not-a-virus:AdWare.Win32.AdURL.c 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP967\A0163113.dll Infected: Trojan.Win32.Monderb.bsu 1

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP967\A0163198.EXE Infected: not-a-virus:AdWare.Win32.Alibabar.t 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\cbXPfGxW.dll Infected: Trojan.Win32.Monderb.aem 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\cfnplkxk.dll Infected: Trojan.Win32.Monder.ys 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\duulwfid.dll Infected: Trojan.Win32.Mondera.gen 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\edccfkbh.dll Infected: Trojan.Win32.Monder.gen 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\fjqlbwkh.dll Infected: Trojan.Win32.Monder.gen 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\fmkitasl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bpu 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\g99.exe Infected: not-a-virus:AdWare.Win32.Agent.byy 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\hgGWoOfd.dll Infected: Trojan.Win32.Monderb.bsu 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\kfjboffk.dll Infected: Trojan.Win32.Mondera.gen 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\lhraqjbr.dll Infected: Trojan.Win32.Mondera.gen 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\ljJYRKde.dll Infected: Trojan.Win32.Monderb.aem 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\mqurjgxa.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bpu 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\ndgoinnu.dll Infected: Trojan.Win32.Mondera.gen 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\nolmmlfm.dll Infected: Trojan.Win32.Monder.yo 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\qjpkswcy.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bpu 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\qutumr.dll Infected: Trojan.Win32.Monder.gen 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\surqqflm.dll Infected: Trojan.Win32.Mondera.gen 1

C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\xvibhrjc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zjy 1

The selected area was scanned.

#9 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 August 2008 - 03:00 PM

Looks good, all of those are in quarantine and in the System Restore Points, and those will all be deleted shortly :)
===============
Please go to Start > My Computer > C:\Documents and Settings\Cey Vargas\Shared then delete this file > jealousey herm lewis.mp3

=====================================
After that

Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
===============
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
=============================
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
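The triage kahdah does by eye in post #9, sorting each Kaspersky detection by where it sits on disk, as an added example that is not part of the original thread and not code from any tool mentioned in it. It parses lines in the shape of the Kaspersky Online Scanner 7 report posted above and splits them into three buckets: files still live on a load path (the one item that actually needed a manual delete), files a cleanup tool has already moved into its own quarantine folder, and copies inside System Restore points that go away when System Restore is reset. The folder prefixes, the five shortened sample lines and all function names are the example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the Kaspersky Online Scanner 7 report
# posted in the thread (a handful of lines, not the full report).
SAMPLE_REPORT = r"""
File name Threat name Threats count
C:\Deckard\System Scanner\20080806200417\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a 1
C:\Documents and Settings\Cey Vargas\Shared\jealousey herm lewis.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkkHXNhe.dll.vir Infected: Trojan.Win32.Monderb.bsu 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP949\A0133093.exe Infected: Trojan.Win32.Agent.ay 1
C:\_OTMoveIt\MovedFiles\08062008_223633\WINDOWS\system32\cbXPfGxW.dll Infected: Trojan.Win32.Monderb.aem 1
The selected area was scanned.
"""

# One detection line reads:  <path> Infected: <threat name> <count>
# Paths contain spaces, so match lazily up to the " Infected: " marker.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed quarantine locations of the tools used in the thread: ComboFix renames
# to .vir under QooBox, OTMoveIt moves into _OTMoveIt\MovedFiles, Deckard keeps
# a backup copy. Files under these are no longer on any autostart or load path.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\_otmoveit\\movedfiles\\",
    "c:\\deckard\\system scanner\\",
)
# System Restore keeps copies of replaced binaries here; only a restore reset purges them.
RESTORE_PREFIX = "c:\\system volume information\\_restore"

Detection = Tuple[str, str]  # (path, threat name)


def classify(path: str) -> str:
    """Bucket a detected path by what it takes to get rid of it."""
    p = path.lower()
    if p.startswith(RESTORE_PREFIX):
        return "restore_point"
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    return "live"


def parse_report(text: str) -> List[Detection]:
    """Extract (path, threat) pairs; header and trailer lines do not match."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("threat")))
    return found


def triage(text: str) -> Dict[str, List[Detection]]:
    buckets: Dict[str, List[Detection]] = {"live": [], "quarantine": [], "restore_point": []}
    for path, threat in parse_report(text):
        buckets[classify(path)].append((path, threat))
    return buckets


def action_list(text: str) -> List[str]:
    """Next steps in the order the thread applied them: delete live files,
    run the tools' Cleanup, then reset System Restore."""
    b = triage(text)
    steps = [f"delete live file: {path}  ({threat})" for path, threat in b["live"]]
    if b["quarantine"]:
        steps.append(f"run the cleanup tools' Cleanup to purge {len(b['quarantine'])} quarantined item(s)")
    if b["restore_point"]:
        steps.append(f"turn System Restore off and on to drop {len(b['restore_point'])} infected restore-point cop(y/ies)")
    return steps


if __name__ == "__main__":
    for step in action_list(SAMPLE_REPORT):
        print(step)
```

Against the real report the only "live" hit is the MP3 in the user's Shared folder, which is exactly the one file kahdah asks to be deleted by hand; everything else falls into the quarantine or restore-point buckets and is handled by the Cleanup and System Restore steps that follow.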

#10 goat88

  • Topic Starter
  • Members
  • 19 posts

Posted 08 August 2008 - 04:32 PM

AWESOME.. it's working like a brand new computer.. Thank you very much for your help.. Anyone out there looking for help with this or any other problem - this is the place to be. Do what these guys tell you to do and you'll be back up in no time.. I appreciate all you have done for me and I will continue to spread the word about this site...

Thanks again,

goat88

#11 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 August 2008 - 04:43 PM

You are welcome :thumbsup:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.