
Attempted Hijacking


This topic is locked.
42 replies to this topic

#1 Warbirds
  • Members, 30 posts

Posted 12 August 2008 - 02:46 PM

First-timer here. I will gratefully appreciate your help. I've been experiencing attempted browser hijacks, popups, and occasional disconnects from the internet... basically your run-of-the-mill computer problem. I've run AVG, Ad-Aware, Spybot S&D, and SpywareBlaster, and now present my HJT log:
John

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:37 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\hphmon04.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\System32\HPHipm11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {bc74cf76-cd85-9f59-19f4-24289b900720} - {027009b9-8242-4f91-95f9-58dc67fc47cb} - C:\WINNT\system32\jndepm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6BC03760-586E-4D52-9FCA-B4AC1415BF16} - C:\WINNT\system32\nnnKDvUO.dll (file missing)
O2 - BHO: (no name) - {74FE3124-C379-4E2D-9B3E-9E623AFD818C} - C:\WINNT\system32\hgGabBsp.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191240736671
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnKDvUO - nnnKDvUO.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

--
End of file - 8692 bytes
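The lines in this log that a HijackThis helper singles out are the O2 entries with no name (or a GUID where the name should be) pointing at DLLs in system32, the "(no file)" / "(file missing)" leftovers, and the O20 Winlogon Notify entry whose DLL is gone. The script below is an added example, not part of this thread and not HijackThis' own code: it applies those two rules of thumb to the posted O2/O3/O20 lines (copied from the log above) and returns the lines a helper would ask the poster to tick. The rules are the heuristics a log reader uses by eye, not a definitive malware test; anything they flag still needs a human look.

```python
"""Triage of HijackThis O2/O3/O20 lines.

Added example, not part of the thread or of HijackThis itself. The sample
lines are copied from the log posted above; the heuristics are the ones a
log helper applies by eye: a BHO/toolbar whose DLL no longer exists is an
orphan, and an unnamed (or GUID-named) BHO that loads a DLL straight out of
system32 deserves a second look.
"""
import re
from dataclasses import dataclass

# Copied from the posted log (O2/O3/O20 lines only).
SAMPLE_LOG = r"""
O2 - BHO: {bc74cf76-cd85-9f59-19f4-24289b900720} - {027009b9-8242-4f91-95f9-58dc67fc47cb} - C:\WINNT\system32\jndepm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6BC03760-586E-4D52-9FCA-B4AC1415BF16} - C:\WINNT\system32\nnnKDvUO.dll (file missing)
O2 - BHO: (no name) - {74FE3124-C379-4E2D-9B3E-9E623AFD818C} - C:\WINNT\system32\hgGabBsp.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnKDvUO - nnnKDvUO.dll (file missing)
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# O2 (BHO) and O3 (toolbar) lines: "<name> - <CLSID> - <path>"
COM_RE = re.compile(r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
# O20 Winlogon Notify lines: "<subkey> - <dll>"
NOTIFY_RE = re.compile(r"^(?P<section>O20) - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # O2, O3 or O20
    ident: str     # CLSID for O2/O3, Notify subkey for O20
    path: str      # DLL path with the "(file missing)" suffix stripped
    reasons: list
    line: str      # the original log line, to quote back in a fix list


def split_path(raw):
    """Return (exists, path) from HijackThis' path column."""
    raw = raw.strip()
    if raw == "(no file)":
        return False, ""
    if raw.endswith("(file missing)"):
        return False, raw[: -len("(file missing)")].strip()
    return True, raw


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = COM_RE.match(line)
        if m:
            exists, path = split_path(m["path"])
            reasons = []
            if not exists:
                reasons.append("registered component whose DLL is gone (orphan)")
            anonymous = m["name"] == "(no name)" or bool(GUID_RE.match(m["name"]))
            if anonymous and path and SYSTEM32_RE.search(path):
                reasons.append("unnamed or GUID-named BHO loading from system32")
            if reasons:
                findings.append(Finding(m["section"], m["clsid"], path, reasons, line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            exists, path = split_path(m["path"])
            if not exists:
                findings.append(Finding(m["section"], m["key"], path,
                                        ["Winlogon Notify package whose DLL is gone"], line))
    return findings


def fix_list(log_text):
    """The log lines a helper would tell the poster to tick in HijackThis."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.ident} {f.path or '(no file)'}")
        for r in f.reasons:
            print("   -", r)
```

Run against the posted lines it flags jndepm.dll (GUID where the name should be, loading from system32), the two "(no file)" CLSIDs, the two "(file missing)" BHOs and the matching Winlogon Notify entry, and leaves the Adobe, Spybot, AVG and Norton components alone. The AppInit_DLLs line is deliberately not judged here; avgrsstx.dll is AVG's own and the log itself lists it under the AVG drivers.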


#2 htv8
  • Members, 1,694 posts
  • Gender: Male
  • Location: The Netherlands

Posted 19 August 2008 - 07:07 AM

Hello Warbirds, and welcome to BleepingComputer.com! I will be handling your log to help you get cleaned up. Sorry for the delay in getting to you.

Please take note of the following:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • Please don't run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
  • If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
  • If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
  • Please reply to this thread. Do not start a new topic.
Reviewing your log(s) requires an amount of research, so please be patient. Thanks.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


You have two antivirus programs running simultaneously.
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, those products which do not encrypt the virus strings within them can cause other antivirus products to raise false alarms. It can also lead to a clash as both products fight for access to files as they are opened; this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
- False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
- System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to Start > Control Panel > Add or Remove Programs and remove either anything related to Norton/Symantec or AVG8.

Personally I would uninstall anything related to Norton/Symantec as it is a huge resource hog. I had it once and will never run it on a system again. Norton slows your PC down dramatically and it takes up a lot of valuable disk space. Symantec places tremendous amounts of info on your computer and uses vast resources when running. AVG8 is free and reliable.

NOTE: If you decide to uninstall anything related to Norton/Symantec as suggested, make sure you download and run the Norton Removal Tool after uninstallation in order to completely remove all Norton products from your computer.
Download Norton Removal Tool

Step #1: Temporarily Disabling Spybot's TeaTimer
We need to temporarily disable Spybot - Search and Destroy's Tea Timer as it can interfere with the changes you will make on your system:
  • Launch Spybot - Search & Destroy, go to the Mode menu and make sure Advanced mode is selected.
  • On the left hand side, click on Tools, then click on the Resident icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of over-all system settings) active" box.
  • Click on the System Startup icon in the list.
  • Uncheck the "TeaTimer" box and OK any prompts.
  • If Teatimer gives you a warning that changes were made, click the Allow change box when prompted.
  • Exit/Close Spybot - S&D.
You can re-enable Spybot's TeaTimer once your system is clean by reversing these steps. I will let you know.

Step #2: ComboFix
We need to run ComboFix.
  • Please visit this webpage for download links, and instructions for running the tool: How to use ComboFix.
  • Please ensure you read this guide carefully and install the Recovery Console first.
    • The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.
  • Please continue as follows:
    • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix.
      ** Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask. **
    • Click Yes to allow ComboFix to continue scanning for malware.
      NOTE: ** Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang! **
    • When finished, ComboFix shall produce a log for you; post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again. Please read ComboFix's Disclaimer.

Step #3: HijackThis - Install
Your log shows that you have run HijackThis without extracting it from the zip folder first. To ensure that backups made when items are fixed are secure, we need to get HijackThis set up properly.
  • Please delete all copies of HijackThis.zip or HijackThis.exe you have saved.
  • Please download the self-extracting version of HijackThis from here: Bleeping Computer Downloads: Trend Micro HijackThis 2.0.2 Installer.
  • Save HJTInstall.exe to your Desktop.
  • Double-click the .exe file, then click the Install button.
    • The file will be extracted to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      A shortcut for future use will also be created on your Desktop and the intro frame of HijackThis will open.
  • Click Do a system scan and save a logfile.
  • Copy the entire contents of that log and post it here by clicking the ADD REPLY button.
Please use the shortcut to run the extracted HijackThis.exe from now on.

Step #4: HijackThis - Uninstall List
We need to use HijackThis to create an uninstall list. Please provide me an uninstall list by performing these steps:
  • Open HijackThis.
  • Click Open the Misc Tools section. (If you don't see this button, click the Config... button and then the Misc Tools button on top to go to the Misc Tools section.)
  • Click on the Open Uninstall Manager... button.
    • You'll see a list of currently installed programs.
  • Click on the Save list... button and specify where you would like to save the uninstall list.
  • Click Save. This generates uninstall_list.txt, and Notepad will open up with the contents of that file.
  • Copy and paste the entire contents of that Notepad file in your next reply.

    More information with a screenshot can be found here.


So in your next reply, please post the entire contents of:
  • C:\ComboFix.txt
  • the new HijackThis log
  • the HijackThis uninstall list (uninstall_list.txt)
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 Warbirds (Topic Starter)
  • Members, 30 posts

Posted 19 August 2008 - 07:13 AM

Thanks, I have to leave for the morning, but I'll get on it this afternoon.

#4 htv8
  • Members, 1,694 posts
  • Gender: Male
  • Location: The Netherlands

Posted 19 August 2008 - 07:16 AM

Good. I'll be there when you get back. :thumbsup:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#5 Warbirds (Topic Starter)
  • Members, 30 posts

Posted 19 August 2008 - 09:42 AM

Had to download the XP recovery console from MS. I did not open it, but as instructed dragged it to the top of the ComboFix icon. ComboFix opened but I saw no evidence of the XP recovery console, so I canceled the operation a few seconds later. I'm a little confused here.

#6 Warbirds (Topic Starter)
  • Members, 30 posts

Posted 19 August 2008 - 10:03 AM

Forget the confusion. I didn't read far enough.

#7 Warbirds (Topic Starter)
  • Members, 30 posts

Posted 19 August 2008 - 10:30 AM

My ComboFix log:


ComboFix 08-08-18.04 - Owner 2008-08-19 11:05:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.812 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\PPZN92J5\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\PPZN92J5\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Owner\UserData
C:\Documents and Settings\Owner\UserData\6YKYF6OT\userDataXmlIsland[1].xml
C:\Documents and Settings\Owner\UserData\GDT09TOI\oXMLStoreUnit[1].xml
C:\Documents and Settings\Owner\UserData\GDT09TOI\YL[1].xml
C:\Documents and Settings\Owner\UserData\index.dat
C:\Documents and Settings\Owner\UserData\P4VC57C4\IsOnIE6tbPromo[1].xml
C:\Documents and Settings\Owner\UserData\P4VC57C4\oXMLStoreUnit[1].xml
C:\Documents and Settings\Owner\UserData\W9QB4LEZ\dmtstore[2].xml
C:\WINNT\system32\nabytpsw.dll
C:\WINNT\system32\psBbaGgh.ini
C:\WINNT\system32\psBbaGgh.ini2
C:\WINNT\system32\tjgfpsek.dll
C:\WINNT\system32\wsptyban.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-15 07:57 . 2008-08-15 07:57 127 --a------ C:\WINNT\system32\MRT.INI
2008-08-14 15:40 . 2008-08-14 15:40 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-08-14 15:40 . 2008-08-14 15:40 1,409 --a------ C:\WINNT\QTFont.for
2008-08-14 07:47 . 2008-05-01 10:30 331,776 --------- C:\WINNT\system32\dllcache\msadce.dll
2008-08-10 11:38 . 2008-08-12 15:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 13:58 . 2008-08-12 15:05 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-07 08:11 . 2008-08-07 08:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-15 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-12 19:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-12 19:10 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-07 12:12 --------- d-----w C:\Program Files\Lavasoft
2008-08-07 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 18:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINNT\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINNT\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINNT\system32\dllcache\es.dll
2008-07-06 19:01 --------- d-----w C:\Program Files\Picasa
2008-07-03 15:43 96,520 ----a-w C:\WINNT\system32\drivers\avgldx86.sys
2008-07-03 15:43 76,040 ----a-w C:\WINNT\system32\drivers\avgtdix.sys
2008-07-03 15:43 10,520 ----a-w C:\WINNT\system32\avgrsstx.dll
2008-07-01 19:49 --------- d-----w C:\Program Files\Picasa2
2008-07-01 19:11 --------- d-----w C:\Program Files\Google
2008-06-24 16:23 74,240 ----a-w C:\WINNT\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINNT\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINNT\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINNT\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINNT\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINNT\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\dllcache\bthport.sys
2008-06-04 20:35 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2008-06-04 20:34 0 ---ha-w C:\Program Files\Common Files\hpothb07.tif
2008-06-04 20:34 0 ---ha-w C:\Program Files\Common Files\hpothb07.dat
2008-06-04 20:29 317 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2008-06-04 20:14 400 ---ha-w C:\hpothb07.dat
2008-06-04 20:14 0 ---ha-w C:\Documents and Settings\Owner\Application Data\hpothb07.dat
2008-06-04 20:07 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2008-06-04 20:07 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2007-09-30 22:01 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-09-30 22:01 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2006-04-11 15:08 0 -c-ha-w C:\Program Files\Common Files\MSN
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-01-23 11:36 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-01-23 11:31 126976]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-06-26 19:04 53248]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 15:49 188416]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 07:32 50688]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 01:23 90112]
"LWBMOUSE"="C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE" [2001-11-20 06:51 356352]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-28 16:54 282624]
"HPHmon04"="C:\WINNT\System32\hphmon04.exe" [2002-11-22 15:48 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 15:50 49152]
"Nero DriveSpeed"="C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE" [2005-10-31 02:58 602112]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-05 08:59 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-05-30 20:11:51 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-07-03 11:43]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-05 08:59]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-05 08:59]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-07-03 11:43]
.
Contents of the 'Scheduled Tasks' folder

2008-06-16 C:\WINNT\Tasks\Disk Cleanup.job
- C:\WINNT\system32\cleanmgr.exe [2004-08-04 03:56]

2008-08-19 C:\WINNT\Tasks\HP Usg Daily.job
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2008-08-19 C:\WINNT\Tasks\HP Usg Login.job
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 1.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 2.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 3.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{74FE3124-C379-4E2D-9B3E-9E623AFD818C} - C:\WINNT\system32\hgGabBsp.dll
Notify-nnnKDvUO - nnnKDvUO.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 11:16:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-19 11:28:19 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-19 15:28:11

Pre-Run: 12,450,164,736 bytes free
Post-Run: 12,578,451,456 bytes free

187 --- E O F --- 2008-08-15 11:59:12
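Read next to the HijackThis log, two things in this ComboFix log line up. The DLLs HijackThis reported as "(file missing)" (hgGabBsp.dll, nnnKDvUO.dll) are exactly the registry entries ComboFix removed under ORPHANS REMOVED, and among the system32 files it deleted, each .ini stem is the mirror image of a DLL stem: psBbaGgh reversed is hgGabBsp, wsptyban reversed is nabytpsw. The script below is an added example, not part of this thread and not ComboFix's own code: it takes the file lists copied from the "Other Deletions" and "ORPHANS REMOVED" sections above, pairs each deleted .ini/.ini2 with the DLL whose name it mirrors, and reports DLLs left without a partner (those are the ones worth asking about when the next log arrives).

```python
"""Cross-checking ComboFix deletions against HijackThis orphans.

Added example, not part of the thread or of ComboFix. The file lists are
copied from the "Other Deletions" and "ORPHANS REMOVED" sections of the
ComboFix log above; the check pairs each deleted .ini/.ini2 with the DLL
whose stem is its mirror image, and reports DLLs that have no partner.
"""
import re
from pathlib import PureWindowsPath

# Copied from the "Other Deletions" section (system32 entries plus one unrelated file).
OTHER_DELETIONS = r"""
C:\Documents and Settings\Owner\UserData\index.dat
C:\WINNT\system32\nabytpsw.dll
C:\WINNT\system32\psBbaGgh.ini
C:\WINNT\system32\psBbaGgh.ini2
C:\WINNT\system32\tjgfpsek.dll
C:\WINNT\system32\wsptyban.ini
"""

# Copied from the "ORPHANS REMOVED" section.
ORPHANS_REMOVED = r"""
BHO-{74FE3124-C379-4E2D-9B3E-9E623AFD818C} - C:\WINNT\system32\hgGabBsp.dll
Notify-nnnKDvUO - nnnKDvUO.dll
"""

ORPHAN_RE = re.compile(r"^(?P<kind>BHO|Notify)-(?P<key>\S+) - (?P<path>.+)$")


def paths(block):
    """Non-empty, stripped lines of a pasted log section."""
    return [ln.strip() for ln in block.splitlines() if ln.strip()]


def orphan_dlls(block):
    """DLL file names named in the ORPHANS REMOVED section."""
    out = []
    for ln in paths(block):
        m = ORPHAN_RE.match(ln)
        if m:
            out.append(PureWindowsPath(m["path"]).name)
    return out


def pair_mirrored_names(files):
    """Map each .ini/.ini2 file name to the DLL whose stem is its reverse.

    Returns (pairs, unpaired_dlls); comparison is case-insensitive, as NTFS is.
    """
    dlls = {}
    inis = []
    for f in files:
        p = PureWindowsPath(f)
        if p.suffix.lower() == ".dll":
            dlls[p.stem.lower()] = p.name
        elif p.suffix.lower().startswith(".ini"):
            inis.append(p)
    pairs = {}
    matched = set()
    for p in inis:
        mirror = p.stem[::-1].lower()
        if mirror in dlls:
            pairs[p.name] = dlls[mirror]
            matched.add(mirror)
    unpaired = sorted(name for stem, name in dlls.items() if stem not in matched)
    return pairs, unpaired


def cross_check():
    """Combine both sections and run the pairing."""
    files = paths(OTHER_DELETIONS) + orphan_dlls(ORPHANS_REMOVED)
    return pair_mirrored_names(files)


if __name__ == "__main__":
    pairs, unpaired = cross_check()
    for ini, dll in sorted(pairs.items()):
        print(f"{ini:16} <-> {dll}")
    print("DLLs without a mirrored .ini:", ", ".join(unpaired))
```

On the posted lists this pairs psBbaGgh.ini and psBbaGgh.ini2 with hgGabBsp.dll and wsptyban.ini with nabytpsw.dll, and leaves tjgfpsek.dll and nnnKDvUO.dll unpaired. The pairing is a naming observation taken from this log, not a rule that holds for every infection, so treat an unpaired DLL as a question for the next scan rather than a verdict.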

#8 htv8
  • Members, 1,694 posts
  • Gender: Male
  • Location: The Netherlands

Posted 19 August 2008 - 05:38 PM

Hello again, Warbirds.

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

We need to install the Recovery Console onto your system as your machine does not seem to have the Recovery Console installed. The Recovery Console is an important security and safety feature which you really do need to have installed.
You can install the Recovery Console regardless of whether or not you have the XP cd that came with the Operating System--I recommend you download the Recovery Console installation file from the Internet (it's only about 4 MB in size, so it shouldn't take too long to download). Please follow these instructions:
  • Click on the following link to go to Microsoft's website: http://support.microsoft.com/kb/310994
  • At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the Service Pack level that you have installed. (If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download.) When you click on the link to download the file, make sure you save it directly to your Desktop.
    If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information:
  • Click on the Start button.
  • Click on the Run... menu option.
  • Type the following in the Open: field: sysdm.cpl, then click on the OK button. A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack.
  • Once the Microsoft file has finished downloading, you should drag the setup package on top of the ComboFix icon and let your mouse button go. This is shown in the following image:
    Posted Image
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open.
  • Please post the contents of that log in your next reply.

When the Recovery Console is installed, please continue with Step #3: HijackThis - Install and Step #4: HijackThis - Uninstall List from my previous post, and post back here with the following results:
  • CF_RC.txt
  • the new HijackThis log
  • the HijackThis uninstall list (uninstall_list.txt)
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#9 Warbirds

Warbirds
  • Topic Starter

  • Members
  • 30 posts
  • Local time:02:34 PM

Posted 19 August 2008 - 08:33 PM

Ok.........finally figured out what to do. I was having problems with the download, etc. (Senior moment)

Here's a new ComboFix log:

ComboFix 08-08-18.05 - Owner 2008-08-19 21:49:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.796 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies\owner@contextweb[3].txt
C:\Documents and Settings\Owner\Cookies\owner@contextweb[5].txt
C:\Documents and Settings\Owner\Cookies\owner@contextweb[6].txt
C:\Documents and Settings\Owner\Cookies\owner@hits.gureport.co[4].txt
C:\Documents and Settings\Owner\Cookies\owner@insightexpressai[6].txt
C:\Documents and Settings\Owner\Cookies\owner@insightexpressai[7].txt
C:\Documents and Settings\Owner\Cookies\owner@insightexpressai[8].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@my.clearchannelradio[2].txt
C:\Documents and Settings\Owner\Cookies\owner@my.clearchannelradio[3].txt
C:\Documents and Settings\Owner\Cookies\owner@nytimes[7].txt
C:\Documents and Settings\Owner\Cookies\owner@photobucket[3].txt
C:\Documents and Settings\Owner\Cookies\owner@reztrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@reztrack[4].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@stage.agencytradingdesk[2].txt
C:\Documents and Settings\Owner\Cookies\owner@stage.agencytradingdesk[3].txt
C:\Documents and Settings\Owner\Cookies\owner@t.ifilm[2].txt
C:\Documents and Settings\Owner\Cookies\owner@track.bestbuy[2].txt
C:\Documents and Settings\Owner\Cookies\owner@wat.contextweb[1].txt
C:\Documents and Settings\Owner\Cookies\owner@wat.contextweb[2].txt
C:\Documents and Settings\Owner\Cookies\owner@wat.contextweb[3].txt

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 13:56 . 2008-08-19 13:56 <DIR> d-------- C:\WINNT\LastGood
2008-08-15 07:57 . 2008-08-15 07:57 127 --a------ C:\WINNT\system32\MRT.INI
2008-08-14 15:40 . 2008-08-14 15:40 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-08-14 15:40 . 2008-08-14 15:40 1,409 --a------ C:\WINNT\QTFont.for
2008-08-14 07:47 . 2008-05-01 10:30 331,776 --------- C:\WINNT\system32\dllcache\msadce.dll
2008-08-10 11:38 . 2008-08-12 15:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 13:58 . 2008-08-19 13:29 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-07 08:11 . 2008-08-07 08:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-15 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-12 19:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-12 19:10 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-07 12:12 --------- d-----w C:\Program Files\Lavasoft
2008-08-07 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 18:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINNT\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINNT\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINNT\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINNT\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINNT\system32\dllcache\es.dll
2008-07-06 19:01 --------- d-----w C:\Program Files\Picasa
2008-07-03 15:43 96,520 ----a-w C:\WINNT\system32\drivers\avgldx86.sys
2008-07-03 15:43 76,040 ----a-w C:\WINNT\system32\drivers\avgtdix.sys
2008-07-03 15:43 10,520 ----a-w C:\WINNT\system32\avgrsstx.dll
2008-07-01 19:49 --------- d-----w C:\Program Files\Picasa2
2008-07-01 19:11 --------- d-----w C:\Program Files\Google
2008-06-24 16:23 74,240 ----a-w C:\WINNT\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINNT\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINNT\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINNT\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINNT\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINNT\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\dllcache\bthport.sys
2008-06-04 20:35 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2008-06-04 20:34 0 ---ha-w C:\Program Files\Common Files\hpothb07.tif
2008-06-04 20:34 0 ---ha-w C:\Program Files\Common Files\hpothb07.dat
2008-06-04 20:29 317 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2008-06-04 20:14 400 ---ha-w C:\hpothb07.dat
2008-06-04 20:14 0 ---ha-w C:\Documents and Settings\Owner\Application Data\hpothb07.dat
2008-06-04 20:07 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2008-06-04 20:07 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2007-09-30 22:01 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-09-30 22:01 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2006-04-11 15:08 0 -c-ha-w C:\Program Files\Common Files\MSN
.

((((((((((((((((((((((((((((( snapshot@2008-08-19_11.27.35.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-30 23:19:10 271,224 ----a-w C:\WINNT\LastGood\system32\mucltui.dll
+ 2007-07-30 23:18:34 207,736 ----a-w C:\WINNT\LastGood\system32\muweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-01-23 11:36 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-01-23 11:31 126976]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-06-26 19:04 53248]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 15:49 188416]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 07:32 50688]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 01:23 90112]
"LWBMOUSE"="C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE" [2001-11-20 06:51 356352]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-28 16:54 282624]
"HPHmon04"="C:\WINNT\System32\hphmon04.exe" [2002-11-22 15:48 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 15:50 49152]
"Nero DriveSpeed"="C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE" [2005-10-31 02:58 602112]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-05 08:59 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-05-30 20:11:51 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-07-03 11:43]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-05 08:59]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-05 08:59]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-07-03 11:43]
.
Contents of the 'Scheduled Tasks' folder

2008-06-16 C:\WINNT\Tasks\Disk Cleanup.job
- C:\WINNT\system32\cleanmgr.exe [2004-08-04 03:56]

2008-08-19 C:\WINNT\Tasks\HP Usg Daily.job
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2008-08-19 C:\WINNT\Tasks\HP Usg Login.job
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 1.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 2.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 3.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 21:52:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-19 21:57:10
ComboFix-quarantined-files.txt 2008-08-20 01:56:06
ComboFix2.txt 2008-08-19 15:28:20

Pre-Run: 12,526,870,528 bytes free
Post-Run: 12,524,400,640 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

191 --- E O F --- 2008-08-15 11:59:12

Edited by Warbirds, 19 August 2008 - 09:01 PM.


#10 Warbirds

Warbirds
  • Topic Starter

  • Members
  • 30 posts
  • Local time:02:34 PM

Posted 19 August 2008 - 09:13 PM

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:40 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191240736671
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

--
End of file - 6655 bytes
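
The log above is the kind of listing a helper triages by hand. As an added example, not code from this thread or from Trend Micro's HijackThis, here is a Python triage pass over lines modelled on that log: it flags orphaned CLSID entries such as the "(no file)" O9 item, services listed with no or an unknown vendor, the AppInit_DLLs entry, non-default IE start and search pages, and startup items that run from user-writable folders. The sample lines are constructed (the HKCU "updater" O4 line is invented to show a suspicious startup location) and the flag rules are my own heuristics, not anything HijackThis itself reports.

```python
"""Triage pass over HijackThis 2.0.2 log lines (added example; not HijackThis's own code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample modelled on the HJT log in this thread. The HKCU "updater"
# O4 line is invented to show a startup item in a user-writable folder.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
"""

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# HJT separates fields with " - "; the lookahead leaves the trailing space in place so
# an empty vendor field ("... - - C:\...") still splits into three parts. Paths whose
# folder names themselves contain " - " would need the 8.3 form, as in the sample.
SEP_RE = re.compile(r" -(?= )")
# Pages IE ships with on XP; anything else in R0/R1 deserves a look (not necessarily malware).
DEFAULT_HOSTS = {"go.microsoft.com"}
# Installers put binaries under Program Files or system32; autoruns from here are unusual.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Entry:
    section: str            # HJT section code, e.g. "O23"
    body: str               # everything after "O23 - "
    path: str = ""          # file path (or "(no file)") once classified
    flags: list = field(default_factory=list)


def fields(body):
    return [p.strip() for p in SEP_RE.split(body)]


def parse(log_text):
    """Keep only R*/O* entries; the header and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def classify(e):
    """Apply one heuristic per section; these are my own rules, not HijackThis's."""
    if e.section in ("R0", "R1"):
        url = e.body.split("=", 1)[1].strip() if "=" in e.body else ""
        host = urlparse(url).hostname or ""
        e.path = url
        if host not in DEFAULT_HOSTS:
            e.flags.append(f"non-default IE page: {host or url}")
    elif e.section in ("O2", "O3", "O9"):
        e.path = fields(e.body)[-1]
        if e.path == "(no file)":
            e.flags.append("orphaned CLSID entry (no file on disk)")
    elif e.section == "O4":
        m = re.match(r"[^\[]*\[[^\]]*\]\s*(.*)", e.body)
        e.path = m.group(1) if m else e.body
        if any(w in e.path.lower() for w in USER_WRITABLE):
            e.flags.append("startup item in user-writable location")
    elif e.section == "O20":
        e.path = e.body.split(":", 1)[-1].strip()
        e.flags.append("AppInit_DLLs is loaded into every process; verify the vendor")
    elif e.section == "O23":
        parts = fields(e.body)
        e.path = parts[-1]
        vendor = parts[-2] if len(parts) >= 3 else ""
        if vendor in ("", "Unknown owner"):
            e.flags.append("service with no or unknown vendor")
    return e


def triage(log_text):
    return [classify(e) for e in parse(log_text)]


def flagged(log_text):
    """Entries a reviewer should look at first."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:4} {', '.join(e.flags)}\n     {e.path}")
```

A flag here means "look at this first", not "remove this": avgrsstx.dll under AppInit_DLLs and the vendor-less HP and Adobe services in the real log are legitimate once the file on disk is checked.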

#11 Warbirds

Warbirds
  • Topic Starter

  • Members
  • 30 posts
  • Local time:02:34 PM

Posted 19 August 2008 - 09:17 PM

My HJT Uninstall list:

Ad-Aware
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 6.0
Ahead Nero BurnRights
AnswerWorks 4.0 Runtime - English
ArcSoft Panorama Maker 3
Audit Support Center 1.0
AVG Free 8.0
Belkin Mouse 1.0
DoMore
DVD
Gateway Drivers and Applications Recovery
Greeting Card Creator 32
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Memories Disc
HP Photo and Imaging 1.2 - Photosmart Cameras
HP Photo and Imaging 2.0 - Photosmart Printer Series
HP Photo and Imaging 2.2 - Scanjet 3970 Series
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Java 2 Runtime Environment, SE v1.4.2
KODAK Picture CD
KODAK Picture CD Volume 3 Issue 1
Learn2 Player (Uninstall Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Digital Image Pro 9
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Small Business
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MUSICMATCH® Jukebox
Nero OEM
Nikon Message Center
PC-Doctor for Windows
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Picasa 2
PictureProject
PictureProject In Touch Downloader 1.0
Quicken 2004
QuickTime
RawShooter essentials 2006
Realtek AC'97 Audio
Roxio Burn Engine
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Shockwave
Smart Link 56K Modem
Spybot - Search & Destroy
SpywareBlaster 4.1
The Big Box of Art 350,000
TurboTax Deluxe 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

#12 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:34 PM

Posted 20 August 2008 - 06:18 AM

Hello, Warbirds. We are making good progress. Please continue to review my answers until I tell you your machine is clean.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Step #1 [Optional]: Viewpoint Uninstallation
You have Viewpoint installed on your computer.

Viewpoint is considered as foistware instead of malware since it is installed without users' approval but doesn't spy or do anything bad. This changed from what we know in 2006. For more information about this, see this reference: Viewpoint to Plunge Into Adware. Additional information here: Viewpoint.
I suggest removing it now. To do so:

  • Click Start on the taskbar, then click on the Control Panel icon.
  • Double-click the Add or Remove Programs icon.
    • A list of programs installed will be "populated"; this may take a bit of time.
  • Uninstall Viewpoint Media Player from Add or Remove Programs by clicking on its entry and selecting Remove (or Change/Remove).
Only if you uninstalled Viewpoint by performing the instructions listed above, please delete the following folder (if present) using My Computer or Windows Explorer (to get there, press Windows KEY + E): C:\Program Files\Viewpoint

Step #2: Updating Java SE Runtime Environment (JRE)
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your Desktop:
    • Go to http://java.sun.com/javase/downloads/index.jsp.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7 … The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Review the License Agreement, and if you agree check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download the Windows Offline Installation and save the file to your Desktop.
  • Close all programs - especially your web browser - so that you have nothing open and are at your Desktop.
  • Go to Start > Control Panel, double-click Add or Remove Programs, and uninstall Java 2 Runtime Environment, SE v1.4.2 by clicking on its entry and selecting Remove (or Change/Remove) and following the on-screen instructions for the Java uninstaller.
  • Reboot your computer once all Java components are removed.
  • From your Desktop double-click the jre-6u7-windows-i586-p.exe file.
  • Follow the on-screen instructions to install the latest Java version.
Step #3: CFScript
We need to re-run ComboFix with some additional directives:
  • Close any open browsers/windows.
  • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix.
    ** Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask. **
  • Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.
    File::
    C:\WINNT\system32\jndepm.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{027009b9-8242-4f91-95f9-58dc67fc47cb}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BC03760-586E-4D52-9FCA-B4AC1415BF16}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Click File > Save and save as CFScript.txt in the same location as ComboFix.exe.
  • [Image: dragging CFScript.txt onto ComboFix.exe]
    Referring to the picture above, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
    NOTE: ** Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang! **
  • When finished, ComboFix shall produce a log for you at C:\ComboFix.txt; please post the entire contents of that report in your next reply for further review.
Step #4: Malwarebytes' Anti-Malware (MbAM)
I would like you to run a scan with Malwarebytes' Anti-Malware.

Please download Malwarebytes' Anti-Malware (MbAM) from one of the links below and save it to your Desktop.
(1) Download Malwarebytes' Anti-Malware (mbam-setup.exe)
(2) Download Malwarebytes' Anti-Malware (mbam-setup.exe)
(3) Download Malwarebytes' Anti-Malware (mbam-setup.exe)

Once downloaded:

  • Make sure you are connected to the Internet.
  • Double-click mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to the default settings.
  • When installation has finished, make sure you leave both of these checked:
    • "Update Malwarebytes' Anti-Malware"
    • "Launch Malwarebytes' Anti-Malware";
    click Finish.
  • MbAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    NOTE: ** If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. **
  • On the Scanner tab, make sure the "Perform Quick Scan" option is selected; then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. << The scan will begin and "Scan in progress..." will show at the top. It may take some time to complete, so please be patient. >>
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found."; click OK to close the message box and continue with the removal process.

  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer (see NOTE below).
    The log is automatically saved and can be viewed by clicking the Logs tab in MbAM.
  • Copy and paste the entire contents of that report in your next reply and exit MbAM.
NOTE: ** If MbAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MbAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MbAM from removing all the malware. **

Step #5: DirLook
I would like to see the contents of two directories.
  • Please download the attached file called ShowDirContents.bat and save to your Desktop.
    Attached File: ShowDirContents.bat (291 bytes)
  • Go to the Desktop and double-click ShowDirContents.bat to execute it.
    • Notepad will now open up with the results (some text and numbers).
  • Copy the entire contents of that text file (DirContents.txt) and post them here as a reply to this post.
Step #6: Jotti's malware/VirusTotal.com scan
We need to determine if a file is malware or not.
  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows.
  • Please go to Jotti: http://virusscan.jotti.org/.
  • When the Jotti page has finished loading, click the Browse... button at the top and navigate to the following file if it is present and click Submit:
    C:\WINNT\system32\MRT.INI
  • Please be patient as the file will be scanned.
  • Please post back the results of the scan in your next post.
NOTE: In case Jotti is busy, try the same at VirusTotal: http://www.virustotal.com/.

Step #7: HijackThis - Scan
Please scan with HijackThis again and post a new HijackThis log.
So in your next reply, please post the entire contents of:
  • C:\ComboFix.txt
  • MbAM's report
  • DirContents.txt (the ShowDirContents.bat execution results)
  • Jotti's/VirusTotal's scan report
  • the new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


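Added example, not part of the helper's post and not ComboFix's own code: a small Python script that reads a CFScript.txt like the one in Step #3 and lists the files, registry keys and registry values it asks ComboFix to delete, so the script can be reviewed before it is dragged onto ComboFix.exe. The section layout and the REGEDIT4 `[-KEY]` / `"name"=-` semantics are assumptions about the format, not taken from the thread.

```python
"""Summarise the deletions a ComboFix CFScript.txt asks for (added example).
Assumed format, not taken from the thread: a line ending in '::' starts a
section ('File::', 'Registry::') that runs to the next header; in 'Registry::'
REGEDIT4 rules apply: '[-KEY]' deletes a key, '"name"=-' deletes a value
under the preceding '[KEY]' line."""
import re

# Constructed copy of the script posted above (same paths and CLSIDs).
SAMPLE_SCRIPT = """File::
C:\\WINNT\\system32\\jndepm.dll

Registry::
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{027009b9-8242-4f91-95f9-58dc67fc47cb}]
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{6BC03760-586E-4D52-9FCA-B4AC1415BF16}]
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::$")
DEL_KEY_RE = re.compile(r"^\[-(.+)\]$")
KEY_RE = re.compile(r"^\[(.+)\]$")
DEL_VALUE_RE = re.compile(r'^"([^"]+)"=-$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_sections(text):
    """Split the script into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def summarise(text):
    """Return the files, registry keys and registry values the script deletes."""
    sections = parse_sections(text)
    keys, values, last_key = [], [], None
    for line in sections.get("Registry", []):
        if m := DEL_KEY_RE.match(line):
            keys.append(m.group(1))
        elif m := KEY_RE.match(line):
            last_key = m.group(1)          # a plain [KEY] only sets context
        elif (m := DEL_VALUE_RE.match(line)) and last_key:
            values.append((last_key, m.group(1)))
    return {"files": list(sections.get("File", [])), "keys": keys, "values": values}

def clsids_in(summary):
    """CLSIDs named in the keys to delete, handy for matching HijackThis O2 lines."""
    return [m.group(0) for k in summary["keys"] if (m := GUID_RE.search(k))]

if __name__ == "__main__":
    result = summarise(SAMPLE_SCRIPT)
    for kind in ("files", "keys", "values"):
        print(kind, *result[kind], sep="\n  ")
    print("CLSIDs:", clsids_in(result))
```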
#13 Warbirds
  • Topic Starter
  • Members
  • 30 posts

Posted 20 August 2008 - 07:54 AM

This morning's new ComboFix log:


ComboFix 08-08-18.05 - Owner 2008-08-20 8:40:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.866 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINNT\system32\jndepm.dll
.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-20 08:18 . 2008-08-20 08:18 <DIR> d-------- C:\Program Files\Sun
2008-08-20 08:18 . 2008-06-10 02:32 73,728 --a------ C:\WINNT\system32\javacpl.cpl
2008-08-20 08:10 . 2008-08-20 08:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-15 07:57 . 2008-08-15 07:57 127 --a------ C:\WINNT\system32\MRT.INI
2008-08-14 15:40 . 2008-08-14 15:40 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-08-14 15:40 . 2008-08-14 15:40 1,409 --a------ C:\WINNT\QTFont.for
2008-08-14 07:47 . 2008-05-01 10:30 331,776 --------- C:\WINNT\system32\dllcache\msadce.dll
2008-08-10 11:38 . 2008-08-12 15:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 13:58 . 2008-08-19 13:29 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-07 08:11 . 2008-08-07 08:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 12:18 --------- d-----w C:\Program Files\Java
2008-08-19 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-15 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-12 19:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-12 19:10 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-07 12:12 --------- d-----w C:\Program Files\Lavasoft
2008-08-07 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 18:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINNT\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINNT\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINNT\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINNT\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINNT\system32\dllcache\es.dll
2008-07-06 19:01 --------- d-----w C:\Program Files\Picasa
2008-07-03 15:43 96,520 ----a-w C:\WINNT\system32\drivers\avgldx86.sys
2008-07-03 15:43 76,040 ----a-w C:\WINNT\system32\drivers\avgtdix.sys
2008-07-03 15:43 10,520 ----a-w C:\WINNT\system32\avgrsstx.dll
2008-07-01 19:49 --------- d-----w C:\Program Files\Picasa2
2008-07-01 19:11 --------- d-----w C:\Program Files\Google
2008-06-24 16:23 74,240 ----a-w C:\WINNT\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINNT\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINNT\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINNT\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINNT\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINNT\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\dllcache\bthport.sys
2008-06-04 20:35 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2008-06-04 20:34 0 ---ha-w C:\Program Files\Common Files\hpothb07.tif
2008-06-04 20:34 0 ---ha-w C:\Program Files\Common Files\hpothb07.dat
2008-06-04 20:29 317 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2008-06-04 20:14 400 ---ha-w C:\hpothb07.dat
2008-06-04 20:14 0 ---ha-w C:\Documents and Settings\Owner\Application Data\hpothb07.dat
2008-06-04 20:07 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2008-06-04 20:07 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2007-09-30 22:01 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-09-30 22:01 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2006-04-11 15:08 0 -c-ha-w C:\Program Files\Common Files\MSN
.

((((((((((((((((((((((((((((( snapshot@2008-08-19_11.27.35.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-10-06 20:59:06 24,670 -c--a-w C:\WINNT\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINNT\system32\java.exe
- 2003-10-06 20:59:06 28,768 -c--a-w C:\WINNT\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINNT\system32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINNT\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-01-23 11:36 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-01-23 11:31 126976]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-06-26 19:04 53248]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 15:49 188416]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 07:32 50688]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 01:23 90112]
"LWBMOUSE"="C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE" [2001-11-20 06:51 356352]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-28 16:54 282624]
"HPHmon04"="C:\WINNT\System32\hphmon04.exe" [2002-11-22 15:48 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 15:50 49152]
"Nero DriveSpeed"="C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE" [2005-10-31 02:58 602112]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-05 08:59 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-05-30 20:11:51 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-07-03 11:43]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-05 08:59]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-05 08:59]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-07-03 11:43]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-06-16 C:\WINNT\Tasks\Disk Cleanup.job
- C:\WINNT\system32\cleanmgr.exe [2004-08-04 03:56]

2008-08-20 C:\WINNT\Tasks\HP Usg Daily.job
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2008-08-20 C:\WINNT\Tasks\HP Usg Login.job
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 1.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 2.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2004-01-24 C:\WINNT\Tasks\ISP signup reminder 3.job
- C:\WINNT\System32\OOBE\oobebaln.exe [2004-08-04 03:56]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 08:47:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-20 8:52:38
ComboFix-quarantined-files.txt 2008-08-20 12:51:31
ComboFix2.txt 2008-08-20 01:57:11
ComboFix3.txt 2008-08-19 15:28:20

Pre-Run: 11,808,989,184 bytes free
Post-Run: 11,803,467,776 bytes free

165 --- E O F --- 2008-08-15 11:59:12

#14 Warbirds
  • Topic Starter
  • Members
  • 30 posts

Posted 20 August 2008 - 08:08 AM

Malwarebytes log:

Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 2

9:04:42 AM 8/20/2008
mbam-log-08-20-2008 (09-04-42).txt

Scan type: Quick Scan
Objects scanned: 41216
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 Warbirds
  • Topic Starter
  • Members
  • 30 posts

Posted 20 August 2008 - 08:10 AM

DirContents log:

Volume in drive C has no label.
Volume Serial Number is 9802-C890

Directory of C:\Documents and Settings\All Users\Application Data\TEMP

08/12/2008 03:10 PM <DIR> .
08/12/2008 03:10 PM <DIR> ..
0 File(s) 0 bytes
Volume in drive C has no label.
Volume Serial Number is 9802-C890

Directory of C:\Program Files\Common Files

04/11/2006 11:08 AM 0 MSN
1 File(s) 0 bytes