Infected With Virtumonde


This topic is locked
9 replies to this topic

#1 high5apparatus (Members, 5 posts)

Posted 15 August 2008 - 01:58 PM

Any help is appreciated.

My installed McAfee did not stop it. If I try to update and scan with my resident McAfee, the program bombs out.

If I google/yahoo/otherwise search-engine Virtumonde, it directs me away from removal tools and forums.

Ad-Aware does not find it. It appears that Virtumonde stops Ad-Aware from updating itself. I installed Ad-Aware on a clean machine, updated it, and copied the program file folder to the infected machine. It ran, but did not find anything.

Spybot will run, find, and remove:
Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-710067360-2670784768-3946440644-1113\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

and they come back.

McAfee AVERT Stinger did not find anything. I don't think it was doing what it should due to the virus.

Below is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:51 PM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\adam\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070516
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070516
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [442bf5c2] rundll32.exe "C:\WINDOWS\system32\ufravkdi.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "adam"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Fotki Desktop.lnk.disabled
O4 - Startup: MagicDisc.lnk.disabled
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\adam\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Corel Registration.lnk.disabled
O4 - Global Startup: Desktop Application Director 9.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188506170916
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://gis.stpetersmo.net/new_search//ACGM/acgm.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lauer.local
O17 - HKLM\Software\..\Telephony: DomainName = lauer.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{78A405E6-ECA0-44E3-841C-1162F54B054A}: NameServer = 192.168.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lauer.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{78A405E6-ECA0-44E3-841C-1162F54B054A}: NameServer = 192.168.0.2
O20 - AppInit_DLLs: cfduzm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9311 bytes

Thanks again.
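Two lines in the log above are the ones worth acting on: `O4 - HKLM\..\Run: [442bf5c2] rundll32.exe "C:\WINDOWS\system32\ufravkdi.dll",b` (a Run value with a random hex name that has rundll32 call a one-letter export in a random-named system32 DLL) and `O20 - AppInit_DLLs: cfduzm.dll` (a DLL pulled into every process that loads user32.dll). That is the load-point pattern Vundo/Virtumonde used, and it is consistent with the Spybot registry hits returning after each removal. The Python below is an added example, not part of the original post and not HijackThis code: it scores O4/O20/O23 lines with those heuristics (hex-only value name, rundll32 with a one-letter or empty export, any AppInit_DLLs entry, a service whose binary is missing). The rules and severities are assumptions made for this illustration; the sample lines are copied from the posted log, with benign entries kept in as negative controls.

```python
"""Triage HijackThis O4/O20/O23 lines for Vundo/Virtumonde-style load points.

Added illustration for this thread; not part of the original post or of
HijackThis itself. The scoring rules below are assumptions, not a spec.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, plus
# benign Run entries (Java updater, Gmail Notifier GUID, NVIDIA rundll32 call)
# that a useful heuristic must leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [442bf5c2] rundll32.exe "C:\WINDOWS\system32\ufravkdi.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: cfduzm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S*)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.IGNORECASE)   # e.g. "442bf5c2"
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')


@dataclass
class Finding:
    severity: str   # "high" or "info"
    reason: str
    artifact: str   # file name the entry loads or points at
    line: str       # the HijackThis line that triggered it


def _check_run_value(m, line):
    """Assumed heuristics for one O4 Run/RunOnce/RunServicesOnce value."""
    name, cmd = m["name"], m["cmd"]
    rd = RUNDLL_RE.search(cmd)
    if rd:
        artifact = ntpath.basename(rd["dll"])
    else:
        artifact = ntpath.basename(cmd.strip().strip('"').split('"')[0])
    out = []
    if HEX_NAME_RE.match(name):
        out.append(Finding("high", f"Run value name {name!r} is a bare hex token, not a product name", artifact, line))
    if rd and len(rd["entry"]) <= 1:
        entry = rd["entry"] or "<none>"
        out.append(Finding("high", f"rundll32 calls {rd['dll']} through export {entry!r}; "
                                   "real components export descriptive names (compare NvCpl.dll,NvStartup)",
                           artifact, line))
    return out


def triage(log_text):
    """Return Findings for the suspicious O4 / O20 / O23 lines in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            findings.extend(_check_run_value(m, line))
        elif (m := O20_RE.match(line)):
            # AppInit_DLLs is loaded by every process that maps user32.dll, so any
            # entry on a home PC deserves a look; a bare file name resolves from
            # the system directory.
            for dll in re.split(r"[ ,;]+", m["dlls"].strip()):
                if dll:
                    findings.append(Finding("high", f"AppInit_DLLs injects {dll} into every user32-linked process", dll, line))
        elif (m := O23_RE.match(line)):
            path = m["path"].strip()
            if path.endswith("(file missing)"):
                exe = ntpath.basename(path[: -len("(file missing)")].strip())
                findings.append(Finding("info", f"service {m['name']!r} points at a binary that is gone (uninstalled, or killed by malware?)", exe, line))
    return findings


def flagged_artifacts(log_text, severity="high"):
    """Distinct file names behind findings of the given severity."""
    return {f.artifact for f in triage(log_text) if f.severity == severity}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open(path).read())`. On the log above it flags only the two Vundo load points (ufravkdi.dll and cfduzm.dll) plus the orphaned Ad-Aware service, and leaves the NVIDIA rundll32 entry alone because that one names its export. The one-letter-export rule is a heuristic, not proof: check the DLL's signature and timestamp before deleting anything.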

#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 15 August 2008 - 11:47 PM

Hello

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 high5apparatus (Topic Starter, Members, 5 posts)

Posted 18 August 2008 - 08:30 AM

My computer is so hosed right now, it won't start up completely in regular mode, and it shuts itself down in safe mode w/ networking. I'm doing a system restore.

I hope you'll follow up to this reply with, "A system restore will completely fix your problem" instead of, "Virtumonde will live on after the restore."

I appreciate you taking the time to read through my original log file. 80GB jump drives are my savior... all my data lives on!

#4 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 18 August 2008 - 03:05 PM

Yikes! :) Well, if you get it back to a usable state, please go ahead and follow my original directions. I wish I could promise you that all will be well, but that likely won't be the reality of it. :) Please let me know how you come out, and post that report, if you can. :thumbsup:

Thanks,
tea

#5 high5apparatus (Topic Starter, Members, 5 posts)

Posted 18 August 2008 - 04:22 PM

I got my system all built up and running well, and created a system restore point. So, I've run ComboFix and here's the log:

ComboFix 08-08-18.01 - adam 2008-08-18 16:13:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.581 [GMT -6:00]
Running from: C:\Documents and Settings\adam\My Documents\My Downloads\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\adam\Application Data\inst.exe
C:\Documents and Settings\adam\Application Data\macromedia\Flash Player\#SharedObjects\DTSM4J48\interclick.com
C:\Documents and Settings\adam\Application Data\macromedia\Flash Player\#SharedObjects\DTSM4J48\interclick.com\ud.sol
C:\Documents and Settings\adam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\adam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\adam\UserData
C:\Documents and Settings\adam\UserData\89ABW9QZ\oWindowsUpdate[1].xml
C:\Documents and Settings\adam\UserData\index.dat
C:\Documents and Settings\administrator.LAUER\Cookies\administrator@mcafee[1].txt
C:\Documents and Settings\administrator.LAUER\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\administrator.LAUER\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\administrator.LAUER\UserData
C:\Documents and Settings\administrator.LAUER\UserData\GHIVKH63\oWindowsUpdate[1].xml
C:\Documents and Settings\administrator.LAUER\UserData\index.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-18 16:00 . 2008-08-18 16:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-18 15:36 . 2008-08-18 15:36 <DIR> d-------- C:\Program Files\QuickTime
2008-08-18 15:36 . 2008-08-18 15:36 <DIR> d-------- C:\Program Files\iTunes
2008-08-18 15:36 . 2008-08-18 15:36 <DIR> d-------- C:\Program Files\iPod
2008-08-18 13:41 . 2008-08-18 13:41 61,678 --a------ C:\WINDOWS\PFP90JPR.{PB
2008-08-18 13:41 . 2008-08-18 13:41 12,358 --a------ C:\WINDOWS\PFP90JCM.{PB
2008-08-18 13:09 . 2008-08-18 13:09 <DIR> d-------- C:\Program Files\Webroot
2008-08-18 13:09 . 2008-08-18 13:09 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2008-08-18 13:09 . 2008-08-18 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-18 13:09 . 2008-08-18 13:09 <DIR> d-------- C:\Documents and Settings\adam\Application Data\Webroot
2008-08-18 13:09 . 2007-11-26 14:47 194,888 --a------ C:\WINDOWS\Unwash6.exe
2008-08-18 13:04 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-18 13:04 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-18 12:56 . 2008-08-18 12:56 <DIR> d-------- C:\Program Files\Visicom Media
2008-08-18 12:56 . 2008-08-18 12:56 <DIR> d-------- C:\Program Files\CA VMN Anti-Spyware
2008-08-18 12:56 . 2008-08-18 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EmailNotifier
2008-08-18 12:56 . 2008-08-18 12:58 <DIR> d-------- C:\Documents and Settings\adam\Application Data\Sites
2008-08-18 12:56 . 2008-08-18 13:00 <DIR> d-------- C:\Documents and Settings\adam\Application Data\SiteClasses
2008-08-18 12:56 . 2008-08-18 12:56 <DIR> d-------- C:\Documents and Settings\adam\Application Data\EmailNotifier
2008-08-18 12:56 . 2008-08-18 12:56 <DIR> d-------- C:\Documents and Settings\adam\Application Data\Dynamic
2008-08-18 12:55 . 2008-08-18 12:55 <DIR> d-------- C:\Program Files\AWS
2008-08-18 12:55 . 2008-08-18 12:55 <DIR> d-------- C:\Documents and Settings\adam\Application Data\WeatherBug
2008-08-18 12:42 . 2004-11-08 20:01 360,504 --a------ C:\WINDOWS\system32\qtplugin.ocx
2008-08-18 12:42 . 2003-08-18 05:10 122,880 --a------ C:\WINDOWS\system32\directx.cpl
2008-08-18 12:42 . 2003-03-25 05:49 106,544 --a------ C:\WINDOWS\system32\tweakui.cpl
2008-08-18 12:42 . 2003-03-25 05:49 98,304 --a------ C:\WINDOWS\system32\startup.cpl
2008-08-18 12:42 . 2003-03-25 05:49 51,238 --a------ C:\WINDOWS\system32\tweakui.hlp
2008-08-18 12:41 . 2008-08-18 12:42 <DIR> d-------- C:\Program Files\ACE Mega CoDecS Pack
2008-08-18 12:28 . 2008-08-18 12:30 <DIR> d-------- C:\Program Files\Total Video Converter
2008-08-18 12:21 . 2008-08-18 12:21 <DIR> d-------- C:\Program Files\VSO
2008-08-18 12:21 . 2008-08-18 12:22 <DIR> d-------- C:\Documents and Settings\adam\Application Data\Vso
2008-08-18 12:21 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-08-18 12:21 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-08-18 12:21 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-08-18 12:21 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-08-18 12:21 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-08-18 12:21 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-08-18 12:21 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-08-18 12:21 . 2008-08-18 12:21 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-08-18 12:21 . 2008-08-18 12:21 47,360 --a------ C:\Documents and Settings\adam\Application Data\pcouffin.sys
2008-08-18 12:15 . 2008-08-18 12:15 2,986,038 --a------ C:\WINDOWS\ACD Wallpaper.cmp
2008-08-18 12:09 . 2008-08-18 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-08-18 12:09 . 2008-08-18 12:10 <DIR> d-------- C:\Documents and Settings\adam\Application Data\ACD Systems
2008-08-18 12:07 . 2008-08-18 12:09 <DIR> d-------- C:\Program Files\ACD Systems
2008-08-18 11:52 . 2008-08-18 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-18 11:50 . 2006-10-04 08:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-18 11:50 . 2006-10-04 08:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-18 11:50 . 2006-10-04 08:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-08-18 11:49 . 2008-08-18 11:49 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-18 11:48 . 2008-08-18 11:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-18 11:48 . 2008-08-18 11:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-18 11:48 . 2008-08-18 11:48 <DIR> d-------- C:\5d8c77a24dc32e58dfdace5958ee
2008-08-18 11:48 . 2008-08-18 11:49 <DIR> d-------- C:\0455f2f016e67e83dd91cf36d6
2008-08-18 11:45 . 2008-08-18 11:45 <DIR> d-------- C:\Program Files\NoteTab Light
2008-08-18 11:45 . 2008-08-18 11:45 <DIR> d-------- C:\Documents and Settings\adam\Application Data\NoteTab Light
2008-08-18 11:39 . 2008-08-18 11:39 <DIR> d-------- C:\Program Files\Appraisal Management
2008-08-18 11:38 . 2002-08-29 05:00 20,480 --a------ C:\WINDOWS\system32\DBMSADSN.DLL
2008-08-18 11:38 . 2008-08-18 11:38 1,903 --a------ C:\WINDOWS\SETUP.LST.tmp
2008-08-18 11:37 . 2008-08-18 11:38 1,388,544 --------- C:\WINDOWS\msvbvm60.dll
2008-08-18 11:37 . 2008-08-18 11:38 327,680 --------- C:\WINDOWS\Setup1.exe
2008-08-18 11:37 . 2008-08-18 11:38 151,622 --------- C:\WINDOWS\modcas.dll
2008-08-18 11:37 . 2008-08-18 11:38 101,888 --------- C:\WINDOWS\odestkit.dll
2008-08-18 11:37 . 2008-08-18 11:38 73,216 --a------ C:\WINDOWS\ODEUNST.EXE
2008-08-18 11:37 . 2008-08-18 11:37 542 --a------ C:\WINDOWS\ODEUNST.000
2008-08-18 11:29 . 2008-08-18 11:29 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-18 11:24 . 2008-08-18 11:24 <DIR> d-------- C:\Documents and Settings\adam\Application Data\Apple Computer
2008-08-18 11:23 . 2008-08-18 11:23 <DIR> d-------- C:\Program Files\Bonjour
2008-08-18 11:23 . 2008-08-18 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-18 11:22 . 2008-08-18 11:22 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-18 11:22 . 2008-08-18 11:22 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-18 11:22 . 2008-08-18 11:22 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-18 11:22 . 2008-08-18 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-18 11:16 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-18 11:16 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-18 11:13 . 2008-05-01 08:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-18 11:12 . 2008-08-18 11:13 <DIR> d-------- C:\MetroScn
2008-08-18 11:09 . 1993-07-23 00:00 210,944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2008-08-18 11:09 . 2001-03-15 06:55 101,200 --a------ C:\WINDOWS\system32\pdfshell.dll
2008-08-18 11:09 . 2001-03-15 07:18 65,536 --a------ C:\WINDOWS\system32\adistres.dll
2008-08-18 11:09 . 2001-03-15 07:18 20,584 --a------ C:\WINDOWS\system32\PdfPorts.dll
2008-08-18 11:08 . 2008-08-18 15:44 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-18 11:08 . 2008-08-18 11:08 <DIR> d-------- C:\Documents and Settings\adam\Application Data\InterTrust
2008-08-18 10:26 . 2008-08-18 10:26 376 --a------ C:\WINDOWS\ODBC.INI
2008-08-18 10:25 . 2008-08-18 10:25 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-08-18 10:20 . 2008-08-18 10:20 <DIR> d-------- C:\temp\100CANON
2008-08-18 10:19 . 2008-08-18 10:19 <DIR> d-------- C:\temp\BeauxArts
2008-08-18 10:19 . 2008-08-18 10:19 <DIR> d-------- C:\temp\Adam_And_Cindi
2008-08-18 10:19 . 2008-08-18 10:20 <DIR> d-------- C:\temp\100NIKON
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\New Folder
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\KoiGif
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\graffiti
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\Gigoit
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\For Walgreens
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\facebook2
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\facebook
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\ext18866
2008-08-18 10:18 . 2008-08-18 10:18 <DIR> d-------- C:\temp\cat
2008-08-18 10:18 . 2008-08-18 10:19 <DIR> d-------- C:\temp\Belly Dance
2008-08-18 10:17 . 2008-08-18 10:17 <DIR> d-------- C:\temp\TripAdvisor
2008-08-18 10:17 . 2008-08-18 10:17 <DIR> d-------- C:\temp\StarWarsDVDs
2008-08-18 10:17 . 2008-08-18 10:17 <DIR> d-------- C:\temp\space
2008-08-18 10:17 . 2008-08-18 10:17 <DIR> d-------- C:\temp\SCI
2008-08-18 10:17 . 2008-08-18 10:17 <DIR> d-------- C:\temp\RadioactiveWine
2008-08-18 10:17 . 2008-08-18 10:18 <DIR> d-------- C:\temp\Nikon
2008-08-18 10:17 . 2008-08-18 14:52 <DIR> d-------- C:\temp
2008-08-18 10:16 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-18 10:09 . 2008-08-18 10:15 <DIR> d-------- C:\Program Files\GetRight
2008-08-18 10:09 . 2008-08-18 10:16 <DIR> d-------- C:\Documents and Settings\adam\Application Data\GetRight
2008-08-18 10:07 . 2008-08-18 15:01 <DIR> d-------- C:\Documents and Settings\adam\Application Data\Yahoo!
2008-08-18 10:02 . 2008-08-18 10:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-08-18 10:00 . 2008-08-18 10:00 4,128 --a------ C:\INFCACHE.1
2008-08-18 09:56 . 2008-08-18 15:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-18 09:56 . 2008-08-18 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-18 09:51 . 2008-08-18 09:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-18 09:44 . 2008-08-18 09:46 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips
2008-08-18 09:35 . 2008-08-18 09:35 <DIR> d-------- C:\WINDOWS\SchCache
2008-08-18 09:28 . 2008-08-18 09:28 <DIR> d-------- C:\Program Files\WexTech
2008-08-18 09:28 . 2008-08-18 09:28 <DIR> d-------- C:\Program Files\Common Files\WexTech Shared
2008-08-18 09:28 . 2008-08-18 09:28 <DIR> d-------- C:\Program Files\Common Files\LHSPF
2008-08-18 09:28 . 2008-08-18 09:28 <DIR> d-------- C:\Documents and Settings\adam\WINDOWS
2008-08-18 09:28 . 1998-08-04 10:22 111,616 --a------ C:\WINDOWS\system32\Ltih30tb.dll
2008-08-18 09:27 . 2008-08-18 10:25 <DIR> d-------- C:\WINDOWS\shellnew
2008-08-18 09:27 . 1999-07-15 07:45 417,792 --------- C:\WINDOWS\system32\fxdb.dll
2008-08-18 09:27 . 1998-11-03 13:38 204,800 --------- C:\WINDOWS\system32\adfactry.dll
2008-08-18 09:27 . 1998-11-03 13:38 123,392 --------- C:\WINDOWS\system32\dzip32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 17:53 --------- d-----w C:\Program Files\Google
2008-08-18 15:38 --------- d-----w C:\Program Files\McAfee
2008-08-18 15:26 --------- d-----w C:\Program Files\Corel
2008-08-18 15:20 --------- d-----w C:\Program Files\McAfee.com
2008-08-18 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-08-18 15:18 --------- d-----w C:\Program Files\Java
2008-08-18 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 10:55 1347584]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-11-26 14:47 1206600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 06:39 7323648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 03:27 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 05:15 151552]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 18:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 15:57 36640]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 15:48 479232]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 08:20 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-08-18 11:09:06 49254]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 20:05:26 29696]
Corel Registration.lnk.disabled [2008-08-18 09:37:16 918]
Desktop Application Director 9.LNK.disabled [2008-08-18 09:28:25 1952]
Microsoft Office.lnk.disabled [2008-08-18 10:25:43 1730]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Corel Photo Downloader"=C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 01:39]
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-18 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (ADAM-Adam Woehler).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-08-18 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-08-18 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\adam\Application Data\Mozilla\Firefox\Profiles\y5aoxz39.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.yahoo.com/
FF -: plugin - C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.3.1314.1135\npCIDetect12.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npqtplugin8.dll
FF -: plugin - C:\Program Files\QuickTime\Plugins\npqtplugin8.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 16:16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-08-18 16:18:28 - machine was rebooted [adam]
ComboFix-quarantined-files.txt 2008-08-18 22:18:25

Pre-Run: 113,194,864,640 bytes free
Post-Run: 113,214,865,408 bytes free

276 --- E O F --- 2008-08-18 18:49:13

#6 high5apparatus (Topic Starter)

Posted 18 August 2008 - 04:23 PM

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23, on 2008-08-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070516
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk.disabled
O4 - Global Startup: Desktop Application Director 9.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lauer.local
O17 - HKLM\Software\..\Telephony: DomainName = lauer.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD23DE43-48F3-4966-AE4A-4C10FD5CC2C1}: NameServer = 192.168.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lauer.local
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9062 bytes
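Added example, not part of the thread and not code from HijackThis or Trend Micro: a small triage pass over lines in the HijackThis log format posted above. The sample is constructed; most lines are copied from the log, but the second O17 line (the all-zero adapter GUID and the 203.0.113.7 resolver, an RFC 5737 documentation address) is invented so the DNS check has something to fire on. The checks are review heuristics, not verdicts: an orphaned BHO CLSID with no file, a Run entry whose command is a bare file name resolved through the search path, a NameServer outside RFC 1918 space (the value DNS-changer malware rewrites), and a service with no company string.

```python
import ipaddress
import re

# Constructed sample in the shape of the HijackThis log above. The O2, O4 and
# O23 lines and the first O17 line are copied from it; the second O17 line
# (all-zero GUID, 203.0.113.7) is made up for the example.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD23DE43-48F3-4966-AE4A-4C10FD5CC2C1}: NameServer = 192.168.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.7
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# RFC 1918 ranges: a NameServer outside these is not a LAN resolver and
# deserves a second look.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")


def run_command_image(body):
    """Return the executable part of an O4 Run entry body.

    body looks like 'HKLM\\..\\Run: [Label] "C:\\path\\x.exe" -flag' or
    'HKLM\\..\\Run: [Label] x.exe'.
    """
    cmd = body.split(": ", 1)[1] if ": " in body else body
    cmd = re.sub(r"^\[[^\]]*\]\s*", "", cmd).strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def triage(log_text):
    """Return (tag, line) findings for the entries worth a human look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O2" and body.endswith("(no file)"):
            # CLSID still registered as a BHO but its DLL is gone: an orphan
            # left by a removal or failed install; inert now, still worth cleaning.
            findings.append(("orphan_bho", line))
        elif kind == "O4":
            image = run_command_image(body)
            if image and "\\" not in image and ":" not in image:
                # Bare file name: resolved through the search path, so a
                # same-named file earlier in that path would run instead.
                findings.append(("unqualified_run_path", line))
        elif kind == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns:
                for addr in re.split(r"[,\s]+", ns.group(1).strip()):
                    try:
                        ip = ipaddress.ip_address(addr)
                    except ValueError:
                        continue
                    if not any(ip in net for net in LAN_NETS):
                        findings.append(("non_lan_nameserver", line))
                        break
        elif kind == "O23" and "Unknown owner" in body:
            # Service binary carries no company name in its version resource.
            findings.append(("unknown_service_owner", line))
    return findings


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:24} {line}")
```

Run against the sample it reports four lines: the orphaned BHO, the bare `stsystra.exe` Run entry, the invented non-LAN resolver, and the SiteAdvisor service with no owner string. Each of these is a prompt to go and look (check the file on disk, its signature, who set the DNS value), which is how the helpers in this thread read such a log by hand.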

#7 teacup61 (Malware Response Team)

Posted 18 August 2008 - 04:54 PM

Hi there,

Good to know. :thumbsup: ComboFix still had some deletions, so good that you ran it. :) Have a look in the ComboFix log, under the section "Files Created from 2008-07-18 to 2008-08-18"

Can you tell me what all those are in temp folders?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#8 high5apparatus (Topic Starter)

Posted 18 August 2008 - 04:58 PM

As a former programmer... I keep a c:\temp folder as a habit. It's full of crap I haven't sorted through. I copied it over from my jump drive that I used to back up my data. It's all stuff I put there.

#9 teacup61 (Malware Response Team)

Posted 18 August 2008 - 05:54 PM

Hi,

Great. :thumbsup: As long as you know what they are, I won't try to nuke them. :)

I don't see anything malicious in that last HijackThis log. Still running all right? Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

You have some good protection in place, so I won't lecture you like I normally would. :)

Take care!
tea

#10 teacup61 (Malware Response Team)

Posted 11 September 2008 - 05:24 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.