
Clbdriver.sys


7 replies to this topic

#1 teedubbya

  • Members
  • 9 posts

Posted 09 August 2008 - 01:49 AM

Original post from http://www.bleepingcomputer.com/forums/t/162156/virus-alert-in-strange-areas/

"I have "VIRUS ALERT!" showing up in strange areas (icon tray, system properties). I also have warnings of Windows not being genuine with offers to address the issue during system startup. Additional issues are inability to open task manager, install programs, view drives in windows explorer, and others.

After reading several threads here I managed to download SDFix and Malwarebytes.
SDFix did its job and gave me control of the PC again. However repeated runs of Malwarebytes' MBAM turns up the same VUNDO trojans.
I have turned off system restore and re-run MBAM a few times."

Per instructions received, here are my 2 logs from HJT:

Deckard's System Scanner v20071014.68
Run by default on 2008-08-08 23:07:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-09 06:08:09 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-08 23:22:49
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\LxrJD31s.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\devldr32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\default\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {0D390ABD-055A-4419-BE25-74D2C866FEFC} - C:\WINDOWS\SYSTEM32\jkkJbxUn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O9 - Extra button: (no name) - CmdMapping - (file missing)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: ndwiat - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SYSTEM32\wiascr.dll
O20 - Winlogon Notify: ljJDSljh - C:\WINDOWS\system32\ljJDSljh.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\iSafe.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\SYSTEM32\ImapiRox.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe


--
End of file - 3811 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,13
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,12


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys
R1 VETEFILE (VET File Scan Engine) - c:\windows\system32\drivers\vetefile.sys
R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys
R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys
R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys
R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys
R2 FPMSNT - c:\windows\system32\drivers\fpmsnt.sys
R2 LxrJD31d - c:\windows\system32\drivers\lxrjd31d.sys
R2 Sdselect - c:\windows\system32\drivers\sdselect.sys
R3 VETEBOOT (VET Boot Scan Engine) - c:\windows\system32\drivers\veteboot.sys

S3 ADM8511 (Belkin USB Ethernet Adapter) - c:\windows\system32\drivers\net8511.sys
S3 catchme - c:\docume~1\default\locals~1\temp\catchme.sys (file missing)
S3 USBFVNETR (NETGEAR MA101 USB Adapter) - c:\windows\system32\drivers\ma101rnd.sys
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LxrJD31s (Lexar JD31) - lxrjd31s.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_0930&PID_6534\5&30CAAFE0&0&2
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_0930&PID_6534\5&30CAAFE0&0&2
Service: USBSTOR


-- Scheduled Tasks -------------------------------------------------------------

2008-08-08 23:23:04 360 --a------ C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job
2008-08-08 01:08:24 368 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-03-01 14:00:02 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job


-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 01:21:25 537480 --ahs---- C:\WINDOWS\system32\nUxbJkkj.ini2
2008-08-08 00:12:46 0 d-------- C:\Documents and Settings\default\Application Data\Malwarebytes
2008-08-08 00:12:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 00:12:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-07 23:30:13 0 d-------- C:\WINDOWS\ERUNT
2008-08-07 22:21:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-07 22:14:44 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-08-07 22:14:44 0 --ah----- C:\Documents and Settings\Administrator\hpothb07.dat
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-07 22:14:44 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-08-07 22:14:44 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-07 22:14:44 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-07 22:14:43 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-07 22:14:43 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-07 22:14:43 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-07 22:14:42 1310720 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-08-01 06:05:25 0 d-------- C:\Documents and Settings\Ernestine Lopez\Application Data\Lavasoft
2008-08-01 04:59:45 0 d-------- C:\Documents and Settings\default\Application Data\Lavasoft
2008-07-27 06:48:41 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-27 06:02:41 10368 --a------ C:\WINDOWS\system32\drivers\omci.sys
2008-07-27 06:02:40 176128 -----n--- C:\WINDOWS\system32\RcdScan.dll
2008-07-27 06:02:40 446464 -r------- C:\WINDOWS\system32\hhactivex.dll
2008-07-13 16:00:15 3145728 --a------ C:\Documents and Settings\Ernestine Lopez\ntuser.dat
2008-07-12 18:55:48 0 d-------- C:\Documents and Settings\Ernestine Lopez\Application Data\TmpRecentIcons
2008-07-12 15:54:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-12 15:50:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 22:29:17 321792 -----n--- C:\WINDOWS\system32\jkkJbxUn.dll
2008-07-11 22:17:14 0 d-------- C:\Documents and Settings\default\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D390ABD-055A-4419-BE25-74D2C866FEFC}]
07/11/2008 10:29 PM 321792 --------- C:\WINDOWS\system32\jkkJbxUn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDSljh]
ljJDSljh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkJbxUn

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Explosion Calendar Checker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Explosion Calendar Checker.lnk
backup=C:\WINDOWS\pss\Photo Explosion Calendar Checker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
C:\Program Files\Bargain Buddy\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
C:\Program Files\MemoryMeter\MemoryMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVMD]
C:\WINDOWS\TVMD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"POINTER"=point32.exe
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CreativeMixer"=C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
"UpdReg"=C:\WINDOWS\Updreg.exe
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"LoadQM"=loadqm.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna



-- End of Deckard's System Scanner: finished at 2008-08-08 23:25:27 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1600MHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 255.01 MiB / 135.5 MiB
Pagefile Memory (total/avail): 618.53 MiB / 366.1 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.38 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 37.26 GiB total, 23.83 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC35L040AVER07-0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AV: Anti-Virus - SBC Yahoo! Online Protection v7.0.7.4 (Computer Associates) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Messenger"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YPAGER.EXE"="C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YPAGER.EXE:*:Enabled:Yahoo! Messenger"
"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\default\Application Data
CLASSPATH=C:\PROGRA~1\PHOTOD~1.0\ADOBEC~1
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PACO2000
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\default
LOGONSERVER=\\PACO2000
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\default\LOCALS~1\Temp
TMP=C:\DOCUME~1\default\LOCALS~1\Temp
USERDOMAIN=PACO2000
USERNAME=default
USERPROFILE=C:\Documents and Settings\default
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

default (admin)
Ernestine Lopez (admin)
Robert Lopez (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /UNINSTALL /PROMPT
--> "C:\Program Files\SBC Yahoo!\umuninst.exe" /S
--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Launcher\Launcher.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\PlayCenter\Player.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Recorder\Recorder.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Diagnose.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Midi.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Restore.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SBLiveXP.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SoundFont.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Wstudio.isu"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\mrun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~3\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~3\INSTALL.LOG
Adobe Acrobat 4.0, 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe PhotoDeluxe Home Edition 3.0 --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\PhotoDeluxe HE 3.0\DeIsL1.isu" -c"C:\Program Files\PhotoDeluxe HE 3.0\Uninst.dll"
Adobe Type Manager --> C:\PROGRAM FILES\ADOBE TYPE MANAGER\ATMFM.EXE -U
Art Explosion Greeting Card Factory --> MsiExec.exe /X{AE15D0F7-8C2E-4419-97B4-995ED16FBB4E}
Backup Dell-Installed Programs --> MsiExec.exe /X{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}
Calendar Creator 7.0 Deluxe --> C:\PROGRA~1\CALEND~1.0DE\UNWISE.EXE C:\PROGRA~1\CALEND~1.0DE\INSTALL.LOG
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Solution Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B0ED720-87D3-11D4-A188-0050DA2DDF19}\SETUP.EXE"
DellTouch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Greeting Card Creator 32 --> C:\PROGRA~1\GREETI~1\UNWISE.EXE C:\PROGRA~1\GREETI~1\INSTALL.LOG
HijackThis 1.99.1 --> C:\DOCUME~1\default\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe /uninstall
HP DeskJet 950C Series (Remove only) --> C:\Program Files\HP DeskJet 950C Series\hpfiui.exe -c -vdivid=HPF -vpnum=94 -vinstport=LPT1: -vproduct=950C -huninstall
HP Photo and Imaging 1.0 - Scanjet 3500c Series --> MsiExec.exe /I{B8E952E3-A823-443A-8493-39A0CCE0E3EB}
HP PhotoSmart Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\HP PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\HP PhotoSmart\Photo Printing\HpiUPPrn.dll
Image Expert 2000 v3.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sierra Imaging\Image Expert 2000\Uninst.isu" -c"C:\Program Files\Sierra Imaging\Image Expert 2000\uninstall.dll
Intel Ultra ATA Storage Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\setup.exe" -INTELUNINST
JD Secure 3.1 --> C:\WINDOWS\System32\JDSecure31.exe /u
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.5 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MA101 USB Adapter Configuration Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B46834CC-141E-11D5-A76F-0030AB007078}\SetUp.EXE"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Memory Stick / Floppy Disk Adaptor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C29E6280-0158-11D3-970C-005004053914}\setup.exe" Uninstall
MGI PhotoSuite 8.05 (Remove only) --> C:\WINDOWS\PSUNREG.EXE -f"C:\Program Files\MGI\PSUITE80\DeIsL1.isu"
Microsoft Bookshelf 1996-97 --> "C:\Program Files\Microsoft Reference\Bookshelf 96\Setup\setup.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2001 --> MsiExec.exe /I{01001202-5D65-445A-B3B4-3DCE72BA0C6C}
Microsoft IntelliPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABEA93FA-8D65-11D2-98AB-00C04F79C5D1}\setup.exe" Uninstall
Microsoft Money 2001 --> MsiExec.exe /I{D085A1B6-90A4-11D3-82B7-00C04FA309DE}
Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Streets and Trips 2004 --> MsiExec.exe /I{8704D51E-25B7-4F23-81E7-AA4F54790210}
Microsoft Works 2001 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe D:\
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
OLYMPUS CAMEDIA Master 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1
Photo Explosion --> MsiExec.exe /X{5BC304B7-84B4-43B3-8A62-EB9BC2051544}
Pop-Up Stopper Free Edition --> C:\PROGRA~1\PANICW~1\POP-UP~1\UNWISE.EXE C:\PROGRA~1\PANICW~1\POP-UP~1\INSTALL.LOG
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Reader Rabbit 1 --> C:\WINDOWS\uninst.exe -fC:\tlcwin\rr1cdwin\uninstal\DeIsL1.isu
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
ResumeMaker --> C:\PROGRA~1\RESUME~1\UNWISE.EXE C:\PROGRA~1\RESUME~1\INSTALL.LOG
SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
SBC Yahoo! Applications --> C:\PROGRA~1\YAHOO!\COMMON\uninstall.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\INSTALL.LOG
Sound Blaster Live! Value --> C:\Program Files\Creative\SBLive\PROGRAM\CTUNINST.EXE
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
The Family Doctor - PHA --> C:\WINDOWS\uninst.exe -fC:\FamdocPH\DeIsL1.isu
TrueSwitch Wizard SBC --> C:\Program Files\TrueSwitchSBC\TrueWizard.exe -uninstall
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Visual IP InSight(SBC) --> C:\Program Files\InstallShield Installation Information\{097346E0-6A51-11D1-AD16-00A0C95E0503}SBC\setup.exe SBC
Win32 BI Application --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\payload.inf, Uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type2127 / Error
Event Submitted/Written: 08/07/2008 09:52:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2123 / Error
Event Submitted/Written: 08/03/2008 05:41:16 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Ad-Aware2007.exe, version 7.0.2.6, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2122 / Error
Event Submitted/Written: 08/03/2008 05:41:16 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Ad-Aware2007.exe, version 7.0.2.6, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2118 / Error
Event Submitted/Written: 08/01/2008 05:33:36 AM / 08/01/2008 05:33:37 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application setup.exe, version 1.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2117 / Error
Event Submitted/Written: 08/01/2008 05:33:23 AM / 08/01/2008 05:33:25 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application setup.exe, version 1.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3221 / Error
Event Submitted/Written: 08/08/2008 10:51:50 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The VET Message Service service depends on the CAISafe service which failed to start because of the following error:
%%1058

Event Record #/Type3201 / Error
Event Submitted/Written: 08/08/2008 08:18:09 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The VET Message Service service depends on the CAISafe service which failed to start because of the following error:
%%1058

Event Record #/Type3178 / Error
Event Submitted/Written: 08/08/2008 01:18:52 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The VET Message Service service depends on the CAISafe service which failed to start because of the following error:
%%1058

Event Record #/Type3134 / Error
Event Submitted/Written: 08/08/2008 01:01:41 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The VET Message Service service depends on the CAISafe service which failed to start because of the following error:
%%1058

Event Record #/Type3133 / Error
Event Submitted/Written: 08/08/2008 01:01:40 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-08-08 23:25:27 ------------
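The log above shows the three persistence points this Vundo variant is using: an unnamed BHO (O2) pointing at C:\WINDOWS\SYSTEM32\jkkJbxUn.dll, a Winlogon Notify package (O20) named ljJDSljh whose DLL is already gone, and the LSA "Authentication Packages" value extended from the default msv1_0 to also load jkkJbxUn, which means lsass.exe loads the DLL at boot before any user logs on. The sidecar C:\WINDOWS\system32\nUxbJkkj.ini2 is the DLL name spelled backwards. The Python script below is an added example, not part of this thread and not code from HijackThis, DSS or ComboFix: it runs those three checks plus the reversed-name pairing over lines copied from the first post's log. The random-name heuristic (8 letters with several case switches), the whitelist of default authentication packages (msv1_0 only, correct for XP; other versions are an assumption) and the reversed-name check are my own triage heuristics, so treat a hit as something to investigate, not as proof.

```python
"""Triage a HijackThis / DSS log for Vundo-style persistence (added example)."""
import ntpath
import re

# Lines copied from the log in post #1 of this thread; only the lines the
# checks below look at are kept.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {0D390ABD-055A-4419-BE25-74D2C866FEFC} - C:\WINDOWS\SYSTEM32\jkkJbxUn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - Winlogon Notify: ljJDSljh - C:\WINDOWS\system32\ljJDSljh.dll (file missing)
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkJbxUn
2008-08-08 01:21:25 537480 --ahs---- C:\WINDOWS\system32\nUxbJkkj.ini2
2008-07-11 22:29:17 321792 -----n--- C:\WINDOWS\system32\jkkJbxUn.dll
"""

BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
AUTHPKG_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
# DSS "Files created" lines: date time size attributes path
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+(?P<path>.+)$')

# Assumption: msv1_0 is the only authentication package a default XP install lists.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def stem(path: str) -> str:
    """File name without directory or extension, Windows path rules."""
    return ntpath.splitext(ntpath.basename(path))[0]


def looks_random(name: str) -> bool:
    """Heuristic for Vundo-style names: 8 letters with 2+ upper/lower switches."""
    if len(name) != 8 or not name.isalpha():
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches >= 2


def analyze(log_text: str) -> list:
    """Return (category, key, detail) findings for the persistence points above."""
    findings = []
    stems = {}  # file stem -> path, used for the reversed-name pairing
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            s = stem(m["path"])
            stems[s] = m["path"]
            # Unnamed BHO with a random-looking DLL name is the classic Vundo O2 entry.
            if m["name"] == "(no name)" and looks_random(s):
                findings.append(("bho", m["clsid"], m["path"]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify DLLs run inside winlogon.exe; a missing file or a
            # random key name is suspicious either way.
            if m["missing"] or looks_random(m["key"]):
                findings.append(("winlogon_notify", m["key"], m["path"]))
            continue
        m = AUTHPKG_RE.match(line)
        if m:
            # Anything beyond the default package is loaded by lsass.exe at boot.
            for pkg in m["pkgs"].split():
                if stem(pkg).lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", stem(pkg), pkg))
                    stems[stem(pkg)] = pkg
            continue
        m = FILE_RE.match(line)
        if m:
            stems[stem(m["path"])] = m["path"]
    # Vundo pairs its DLL with a data file whose name is the DLL name reversed.
    pairs = set()
    for s in stems:
        r = s[::-1]
        if r != s and r in stems:
            pairs.add(tuple(sorted((s, r))))
    for a, b in sorted(pairs):
        findings.append(("reversed_pair", a, b))
    return findings


if __name__ == "__main__":
    for category, key, detail in analyze(SAMPLE_LOG):
        print(f"{category:17} {key:40} {detail}")
```

Run as-is it flags exactly the four things worth pulling from this log: the jkkJbxUn BHO, the ljJDSljh Winlogon Notify key, the jkkJbxUn authentication package, and the jkkJbxUn / nUxbJkkj name pair; the Yahoo! Companion and Spybot SDHelper BHOs pass. Note that neither HijackThis nor the O2/O20 lines tell you who signed the DLL, so a name-based heuristic like this is a triage aid only.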


#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 16 August 2008 - 08:07 AM

Hello teedubbya

Welcome to BleepingComputer :thumbsup:
========================
Please visit this web page for instructions for downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 teedubbya
  • Topic Starter

  • Members
  • 9 posts

Posted 16 August 2008 - 09:28 PM

Here are the logs from ComboFix and HJT. I did not install the recovery console yet.

ComboFix 08-08-15.04 - default 2008-08-16 18:09:57.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT -7:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\default\Application Data\macromedia\Flash Player\#SharedObjects\F94U8GV9\interclick.com
C:\Documents and Settings\default\Application Data\macromedia\Flash Player\#SharedObjects\F94U8GV9\interclick.com\ud.sol
C:\Documents and Settings\default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\default\Cookies\default@yahoo[1].txt
C:\Documents and Settings\Robert Lopez\Cookies\robert lopez@ad.yieldmanager[1].txt
C:\Documents and Settings\Robert Lopez\Cookies\robert lopez@yahoo[2].txt
C:\Documents and Settings\Robert Lopez\Cookies\robert lopez@yahoo[4].txt
C:\WINDOWS\secure32.html
C:\WINDOWS\start.exe
C:\WINDOWS\system32\jkkJbxUn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\nUxbJkkj.ini
C:\WINDOWS\SYSTEM32\nUxbJkkj.ini2
C:\WINDOWS\system32\REGOBJ.DLL
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-08 23:07 . 2008-08-08 23:07 <DIR> d-------- C:\Deckard
2008-08-08 00:12 . 2008-08-08 00:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 00:12 . 2008-08-08 00:12 <DIR> d-------- C:\Documents and Settings\default\Application Data\Malwarebytes
2008-08-08 00:12 . 2008-08-08 00:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-08 00:12 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-08 00:12 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-07 23:30 . 2008-08-07 23:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-07 23:24 . 2008-08-07 16:28 <DIR> d-------- C:\SDFix
2008-08-07 22:21 . 2008-08-07 22:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-07 22:14 . 2008-08-07 22:14 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-07 22:14 . 2006-12-23 11:37 0 --ah----- C:\Documents and Settings\Administrator\hpothb07.dat
2008-08-07 21:49 . 2001-08-17 12:12 32,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Ngrpci.sys
2008-08-07 21:49 . 2001-08-17 12:12 32,840 --a------ C:\WINDOWS\SYSTEM32\dllcache\ngrpci.sys
2008-08-01 06:05 . 2008-08-01 06:05 <DIR> d-------- C:\Documents and Settings\Ernestine Lopez\Application Data\Lavasoft
2008-08-01 04:59 . 2008-08-01 04:59 <DIR> d-------- C:\Documents and Settings\default\Application Data\Lavasoft
2008-07-27 06:48 . 2008-07-27 06:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2008-07-27 06:02 . 1999-05-07 14:24 645,616 --------- C:\WINDOWS\SYSTEM32\MSCOMCT2.OCX
2008-07-27 06:02 . 2000-03-23 13:50 446,464 -r------- C:\WINDOWS\SYSTEM32\hhactivex.dll
2008-07-27 06:02 . 1999-05-07 14:24 414,944 --------- C:\WINDOWS\SYSTEM32\COMCT332.OCX
2008-07-27 06:02 . 1998-11-10 11:46 328,480 --------- C:\WINDOWS\SYSTEM32\ssa3d30.ocx
2008-07-27 06:02 . 2001-08-23 11:53 176,128 --------- C:\WINDOWS\SYSTEM32\RcdScan.dll
2008-07-27 06:02 . 1998-09-24 13:03 171,967 --a------ C:\WINDOWS\SYSTEM32\Odbcjet.hlp
2008-07-27 06:02 . 2001-05-14 18:15 10,368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys
2008-07-27 06:02 . 1998-09-24 13:03 7,348 --a------ C:\WINDOWS\SYSTEM32\Odbcjet.cnt
2008-07-27 05:36 . 2008-07-27 05:36 3 --a------ C:\WINDOWS\DATA.TCD
2008-07-27 05:36 . 2008-07-27 05:36 0 --a------ C:\WINDOWS\SYSTEM32\EULAckie.tcd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 01:55 --------- d-----w C:\Documents and Settings\Ernestine Lopez\Application Data\TmpRecentIcons
2008-07-12 22:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-12 22:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 15:06 8,096 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2006-12-23 18:39 0 ---ha-w C:\Program Files\hpothb07.dat
2006-12-23 18:38 0 ---ha-w C:\Program Files\hpothb07.tif
2006-12-23 18:37 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-12-23 18:37 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-12-03 16:17 0 ---ha-w C:\Documents and Settings\default\hpothb07.dat
2004-11-13 20:42 96,584 ----a-w C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2004-09-08 03:30 170 ---ha-w C:\Documents and Settings\Ernestine Lopez\hpothb07.dat
2000-10-13 23:56 271 --sh--w C:\Program Files\desktop.ini
2000-10-13 23:56 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 09:00 176183]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Explosion Calendar Checker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Explosion Calendar Checker.lnk
backup=C:\WINDOWS\pss\Photo Explosion Calendar Checker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2001-09-04 15:31 655360 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2003-06-08 14:45 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"POINTER"=point32.exe
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CreativeMixer"=C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
"UpdReg"=C:\WINDOWS\Updreg.exe
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"LoadQM"=loadqm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\yserver.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 FPMSNT;FPMSNT;C:\WINDOWS\system32\drivers\FPMSNT.sys [2000-06-06 15:47]
R2 Sdselect;Sdselect;C:\WINDOWS\system32\drivers\Sdselect.sys [2000-11-14 10:54]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 12:12]
S3 ADM8511;Belkin USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\NET8511.SYS [2000-12-11 20:06]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;C:\WINDOWS\system32\DRIVERS\ma101rnd.sys [2002-02-27 16:12]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna
.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2008-08-08 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
.
- - - - ORPHANS REMOVED - - - -

Notify-ljJDSljh - ljJDSljh.dll
MSConfigStartUp-Bargains - C:\Program Files\Bargain Buddy\bin\bargains.exe
MSConfigStartUp-MemoryMeter - C:\Program Files\MemoryMeter\MemoryMeter.exe
MSConfigStartUp-TVMD - C:\WINDOWS\TVMD.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\rxmtc4qb.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 18:21:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"SDImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\flpydisk.sys\00"
"SDImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\fdc.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"SDImagePath"=multi:"System32\DRIVERS\fdc.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\flpydisk.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\flpydisk.sys\00"
"SDImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-08-16 18:25:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-17 01:24:34

Pre-Run: 25,470,304,256 bytes free
Post-Run: 25,589,547,008 bytes free

188 --- E O F --- 2008-06-20 12:49:38


Deckard's System Scanner v20071014.68
Run by default on 2008-08-16 19:20:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as default.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:05 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\default\Desktop\dss.exe
C:\DOCUME~1\default\Desktop\default.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 2533 bytes

-- Files created between 2008-07-16 and 2008-08-16 -----------------------------

2008-08-16 18:49:09 0 d-------- C:\WINDOWS\LastGood
2008-08-16 18:47:43 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-08-16 18:06:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-16 18:06:05 68096 --a------ C:\WINDOWS\zip.exe
2008-08-16 18:06:05 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-16 18:06:05 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-16 18:06:05 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-16 18:06:05 98816 --a------ C:\WINDOWS\sed.exe
2008-08-16 18:06:05 80412 --a------ C:\WINDOWS\grep.exe
2008-08-16 18:06:05 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-08 00:12:46 0 d-------- C:\Documents and Settings\default\Application Data\Malwarebytes
2008-08-08 00:12:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 00:12:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-07 23:30:13 0 d-------- C:\WINDOWS\ERUNT
2008-08-07 22:21:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-07 22:14:44 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-08-07 22:14:44 0 --ah----- C:\Documents and Settings\Administrator\hpothb07.dat
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-07 22:14:44 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-08-07 22:14:44 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-07 22:14:44 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-07 22:14:43 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-07 22:14:43 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-07 22:14:43 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-07 22:14:42 1310720 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-08-01 06:05:25 0 d-------- C:\Documents and Settings\Ernestine Lopez\Application Data\Lavasoft
2008-08-01 04:59:45 0 d-------- C:\Documents and Settings\default\Application Data\Lavasoft
2008-07-27 06:48:41 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-27 06:02:41 10368 --a------ C:\WINDOWS\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
2008-07-27 06:02:40 176128 -----n--- C:\WINDOWS\system32\RcdScan.dll <Not Verified; Dell Computer Corporation; RcdScan Module>
2008-07-27 06:02:40 446464 -r------- C:\WINDOWS\system32\hhactivex.dll <Not Verified; Blue Sky Software Corporation.; RoboHELP HTML 2000>


-- Find3M Report ---------------------------------------------------------------

2008-07-12 15:50:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Explosion Calendar Checker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Explosion Calendar Checker.lnk
backup=C:\WINDOWS\pss\Photo Explosion Calendar Checker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"POINTER"=point32.exe
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CreativeMixer"=C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
"UpdReg"=C:\WINDOWS\Updreg.exe
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"LoadQM"=loadqm.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna



-- End of Deckard's System Scanner: finished at 2008-08-16 19:23:04 ------------

#4 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:07 PM

Posted 17 August 2008 - 12:02 AM

"I did not install the recovery console yet."

That was one of the requirements of running Combofix.
======================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#5 teedubbya

  • Topic Starter
  • Members
  • 9 posts
  • Local time:11:07 AM

Posted 17 August 2008 - 05:54 PM

Here is the Malwarebytes' log:

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

3:52:43 PM 8/17/2008
mbam-log-08-17-2008 (15-52-43).txt

Scan type: Quick Scan
Objects scanned: 46085
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:07 PM

Posted 17 August 2008 - 06:14 PM

Hi, I don't see any antivirus running.
If you do have one, it is not showing in any of the logs; so if you already have one, then do not install another one.
===========================
Download ONE of these anti-virus programs and install it.
These are free.
AVG free 8.0
Note: this is free antispyware protection and antivirus protection.
or
Antivir
============
After that post a new Hijackthis log or dss log and let me know if things are back to normal.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#7 teedubbya

  • Topic Starter
  • Members
  • 9 posts
  • Local time:11:07 AM

Posted 18 August 2008 - 02:40 AM

Here is the DSS log. At this point it appears the system is back to normal. What do you advise?
A reply to my first post suggested many experts would never trust the system again. Is it safe to copy my data files to another system?

Deckard's System Scanner v20071014.68
Run by default on 2008-08-18 00:26:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as default.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:21 AM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\default\Desktop\dss.exe
C:\DOCUME~1\default\Desktop\default.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

--
End of file - 3044 bytes

-- Files created between 2008-07-18 and 2008-08-18 -----------------------------

2008-08-17 22:12:49 0 d--h----- C:\$AVG8.VAULT$
2008-08-17 21:45:26 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-17 21:45:25 0 d-------- C:\Documents and Settings\default\Application Data\AVGTOOLBAR
2008-08-17 21:45:16 0 d-------- C:\Program Files\AVG
2008-08-17 21:45:14 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-17 21:25:17 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-08-17 21:24:48 0 d-------- C:\Program Files\MSECACHE
2008-08-17 19:50:14 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-08-17 19:22:18 761856 --a------ C:\WINDOWS\system32\CDDBUIRoxio.dll <Not Verified; Gracenote; CDDBUIControl Module>
2008-08-17 19:22:18 589824 --a------ C:\WINDOWS\system32\CDDBControlRoxio.dll <Not Verified; Gracenote (formerly CDDB, Inc.); CDDBControl Core Module>
2008-08-16 19:24:07 0 d-------- C:\WINDOWS\system32\LogFiles
2008-08-16 18:47:43 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-08-16 18:06:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-16 18:06:05 68096 --a------ C:\WINDOWS\zip.exe
2008-08-16 18:06:05 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-16 18:06:05 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-16 18:06:05 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-16 18:06:05 98816 --a------ C:\WINDOWS\sed.exe
2008-08-16 18:06:05 80412 --a------ C:\WINDOWS\grep.exe
2008-08-16 18:06:05 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-08 00:12:46 0 d-------- C:\Documents and Settings\default\Application Data\Malwarebytes
2008-08-08 00:12:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 00:12:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-07 23:30:13 0 d-------- C:\WINDOWS\ERUNT
2008-08-07 22:21:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-07 22:14:44 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-07 22:14:44 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-08-07 22:14:44 0 --ah----- C:\Documents and Settings\Administrator\hpothb07.dat
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-08-07 22:14:44 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-07 22:14:44 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-08-07 22:14:44 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-07 22:14:44 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-07 22:14:43 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-07 22:14:43 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-07 22:14:43 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-07 22:14:42 1232896 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-01 06:05:25 0 d-------- C:\Documents and Settings\Ernestine Lopez\Application Data\Lavasoft
2008-08-01 04:59:45 0 d-------- C:\Documents and Settings\default\Application Data\Lavasoft
2008-07-27 06:48:41 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-27 06:02:41 10368 --a------ C:\WINDOWS\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
2008-07-27 06:02:40 176128 -----n--- C:\WINDOWS\system32\RcdScan.dll <Not Verified; Dell Computer Corporation; RcdScan Module>
2008-07-27 06:02:40 446464 -r------- C:\WINDOWS\system32\hhactivex.dll <Not Verified; Blue Sky Software Corporation.; RoboHELP HTML 2000>


-- Find3M Report ---------------------------------------------------------------

2008-08-17 19:22:20 1044480 --a------ C:\WINDOWS\system32\Roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9>
2008-08-17 19:22:18 57344 --a------ C:\WINDOWS\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
08/17/2008 09:45 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [08/17/2008 09:45 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [08/17/2008 07:22 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/17/2008 09:45 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Explosion Calendar Checker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Explosion Calendar Checker.lnk
backup=C:\WINDOWS\pss\Photo Explosion Calendar Checker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"POINTER"=point32.exe
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CreativeMixer"=C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
"UpdReg"=C:\WINDOWS\Updreg.exe
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"LoadQM"=loadqm.exe

*Newly Created Service* - AVG8EMC
*Newly Created Service* - AVG8WD
*Newly Created Service* - AVGLDX86
*Newly Created Service* - AVGMFX86
*Newly Created Service* - AVGTDIX

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna



-- End of Deckard's System Scanner: finished at 2008-08-18 00:29:04 ------------
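
The DSS file-listing lines above share one format: timestamp, size, a nine-character attribute field (d/r/a/h/s/n), the path, and an optional "<status; company; description>" suffix. The following Python is an added example for this thread, not part of the original post and not DSS's own code, that parses those lines and pulls out the entries a triager would look at first. The sample input reuses lines from the log above plus one constructed line (the hidden+system svchost.exe in a Temp folder) to exercise the attribute checks; reading "Not Verified" as "DSS could not verify the file's digital signature" and the three triage rules are the example's own assumptions, and a hit is a prompt to inspect the file, not a verdict.

```python
"""Parse Deckard's System Scanner (DSS) file-listing lines and flag entries
worth a second look.

Added example for this thread, not DSS code. Assumption: a "<Not Verified; ...>"
suffix means DSS could not verify the file's digital signature.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One DSS listing line: timestamp, size, 9-char attribute field, path and an
# optional "<status; company; description>" suffix. Paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.*?)"
    r"(?:\s+<(?P<info>[^>]*)>)?\s*$"
)

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}
SYSTEM_ROOT = "c:\\windows\\"


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str                 # raw attribute field, e.g. "d--hs----"
    path: str
    status: Optional[str]      # e.g. "Not Verified"
    company: Optional[str]
    description: Optional[str]

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def extension(self) -> str:
        # ntpath handles backslash paths even when run on a non-Windows host
        return ntpath.splitext(self.path)[1].lower()


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; returns None for headers, blanks, etc."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m["info"].split(";")] if m["info"] else []
    parts += [None] * (3 - len(parts))          # pad to status/company/description
    return Entry(m["ts"], int(m["size"]), m["attrs"], m["path"], *parts[:3])


def parse_listing(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review(entry: Entry) -> List[str]:
    """Reasons (possibly none) a triager should look at this entry."""
    reasons: List[str] = []
    if entry.is_dir or entry.extension not in PE_EXTENSIONS:
        return reasons
    low = entry.path.lower()
    if entry.status == "Not Verified" and low.startswith(SYSTEM_ROOT):
        reasons.append("unverified executable under the Windows directory")
    if entry.hidden and entry.system:
        reasons.append("executable carries hidden+system attributes")
    if "\\temp\\" in low:
        reasons.append("executable in a Temp directory")
    return reasons


def review_listing(text: str) -> List[Tuple[Entry, List[str]]]:
    return [(e, review(e)) for e in parse_listing(text) if review(e)]


# Sample input: five lines copied from the log in this thread plus one
# CONSTRUCTED line (the svchost.exe in Temp) to exercise the attribute rules.
SAMPLE_LOG = r"""
2008-08-07 22:14:44 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-08-07 22:14:42 1232896 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-27 06:02:41 10368 --a------ C:\WINDOWS\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
2008-07-27 06:02:40 176128 -----n--- C:\WINDOWS\system32\RcdScan.dll <Not Verified; Dell Computer Corporation; RcdScan Module>
2008-08-17 19:22:18 57344 --a------ C:\WINDOWS\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2008-08-09 01:12:00 45056 --ahs---- C:\DOCUME~1\default\LOCALS~1\Temp\svchost.exe
"""

if __name__ == "__main__":
    for entry, reasons in review_listing(SAMPLE_LOG):
        print(entry.path, "->", "; ".join(reasons))
```

Run it against a saved DSS log by passing the file's contents to review_listing(); the Dell and Roxio hits above are what the rule is meant to surface for a human to confirm (vendor, signing status, and whether the file belongs on that machine), which is exactly the question the helper answered for the poster.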

#8 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 18 August 2008 - 04:17 AM

A reply to my first post suggested many experts would never trust the system again. Is it safe to copy my data files to another system?

This would only be the case if you had backdoors on your system.
That was not true in this case.

It is now safe.
What you had was a spyware infection.
============================
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should now say "All associations are OK".
  • Close DAFT if you receive that message. This means that it is fixed now.
==================
Please download OTCleanIt from here and save it to your desktop.
Double-click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Use a Firewall:

Install and use a firewall with outbound protection.
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Sunbelt Free Firewall or ZoneAlarm.
See BleepingComputer's excellent tutorial to help using and understanding a firewall here.
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


=============================
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber-powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a spyware "shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
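
The DAFT step in the post above amounts to one check: that the shell "open" handlers for executable file types still point at the Windows XP defaults (`"%1" %*` for exefile and friends) rather than at some third-party binary that gets launched in front of every program the user runs. The Python below is an added example illustrating that check; it is not DAFT's code and the thread does not say what DAFT itself compares. The expected values are listed as the XP defaults on the assumption they are complete for these types, the hijacked sample value ("rogue.exe") is constructed, and the live registry read only works on Windows.

```python
"""Compare the (Default) values of executable file-type handlers under
HKEY_CLASSES_ROOT with the Windows XP defaults.

Added example for this thread, not DAFT's code. Assumptions: EXPECTED holds
the XP defaults; HIJACKED_SAMPLE is a constructed illustration.
"""
import sys
from typing import Dict, List

# Key path under HKEY_CLASSES_ROOT -> expected (Default) value on Windows XP.
EXPECTED: Dict[str, str] = {
    r".exe": "exefile",
    r".com": "comfile",
    r".bat": "batfile",
    r".cmd": "cmdfile",
    r".pif": "piffile",
    r".scr": "scrfile",
    r".reg": "regfile",
    r"exefile\shell\open\command": r'"%1" %*',
    r"comfile\shell\open\command": r'"%1" %*',
    r"batfile\shell\open\command": r'"%1" %*',
    r"cmdfile\shell\open\command": r'"%1" %*',
    r"piffile\shell\open\command": r'"%1" %*',
    r"scrfile\shell\open\command": r'"%1" /S',
    r"regfile\shell\open\command": r'regedit.exe "%1"',
}


def _norm(value: str) -> str:
    # Collapse whitespace and ignore case so cosmetic differences don't alert.
    return " ".join(value.split()).lower()


def check_associations(observed: Dict[str, str]) -> List[str]:
    """Return one problem string per key whose value is missing or differs."""
    problems: List[str] = []
    for key, good in EXPECTED.items():
        actual = observed.get(key)
        if actual is None:
            problems.append(f"{key}: missing (expected {good!r})")
        elif _norm(actual) != _norm(good):
            problems.append(f"{key}: {actual!r} (expected {good!r})")
    return problems


def read_associations() -> Dict[str, str]:
    """Read the live (Default) values from HKEY_CLASSES_ROOT (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # only importable on Windows
    observed: Dict[str, str] = {}
    for key in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key) as k:
                observed[key] = winreg.QueryValueEx(k, "")[0]
        except OSError:
            pass  # key absent: reported as "missing" by check_associations
    return observed


# CONSTRUCTED sample: the classic exefile hijack, where a loader binary is
# prepended so it runs before every .exe the user opens.
HIJACKED_SAMPLE: Dict[str, str] = dict(EXPECTED)
HIJACKED_SAMPLE[r"exefile\shell\open\command"] = r'"C:\WINDOWS\system32\rogue.exe" "%1" %*'


if __name__ == "__main__":
    source = read_associations() if sys.platform == "win32" else HIJACKED_SAMPLE
    for problem in check_associations(source) or ["All associations are OK"]:
        print(problem)
```

On a clean XP box the live read yields no problems; against the constructed sample it reports the one altered key. If exefile is hijacked, fix the value with regedit or a .reg file before trusting any scanner launched by double-click, since the loader named in that key runs first.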



