
Malware Problems.. Administrative Rights Revoked And Registry Changed, Regedit, Task Manager, Run, C:\


  • This topic is locked
10 replies to this topic

#1 breakaway

breakaway

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 23 August 2008 - 08:38 PM

This is a new computer, and when downloading some of the software I've used in the past like GIMP, Audacity, Safari, Ventrilo, etc., all of a sudden I was hit with a spyware/malware/virus blast: fake virus alerts, protection software, inability to see the Start menu, Run command, registry, Task Manager, C:\, Display Properties, All Programs in Start, Control Panel, etc. I have been re-allowing parts of my registry such as Task Manager and Run so that I have disabled some startup items and killed some rogue processes.

I'm to the point now where I can scan and fix things, but there seems to be no end. I've been scanning with AVG, and over 60 trojans, 50 from Malwarebytes, 20 from Spybot, etc. have been removed, but on a restart out of Safe Mode the madness continues and my administration problems come back and such.

EDIT: When messing with Display Properties and some other stuff, I get this error message (since running AVG and such): "Cannot find 'file:///C:/windows/privacy_danger/index.htm'. Make sure the path or internet address is correct." I figure this might help in solving what is affecting my computer. It should be noted that while I'm waiting online I keep getting AVG alerts about system32/heur and explorer.exe. I fixed privacy_danger with HijackThis. Kaspersky identified the Monder trojan, Malwarebytes identified Vundo and FakeAlert, and I've restored most of my functionality, though I know there are still infections. Spybot is finding a lot of registry changes that I am denying. Every time I run Malwarebytes I get 3 infections now:

EDIT 2: After running some checking utilities, including the ones you recommend (and some other hijack forums recommend), I believe I have cleaned my system. I no longer get the TeaTimer warnings, and scans from AVG, Malwarebytes, and Spybot come up clean every time now. Here is my updated HijackThis log, just for someone to check up on me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:20 PM, on 8/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\ZONET\Mrv8000x.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0158E85C-2153-40D3-A656-DB8150554E82} - C:\WINDOWS\system32\yxnrrpeu.dll (file missing)
O2 - BHO: (no name) - {3adf74d4-9a82-4e8b-9e3c-0e14beae2b30} - (no file)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {53301152-F0CB-4A4F-8281-42D2EBE39DCF} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60EF7E5D-E737-4CE0-BB27-995EA2A83405} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {99CE5B34-AF1E-4580-9CD6-EE6AFC8DFC09} - (no file)
O2 - BHO: (no name) - {a7cf2932-a8b9-4340-a224-1e7a6c8073f9} - (no file)
O2 - BHO: (no name) - {D1CD338D-85E7-48C7-BB0C-E858E9AE8D9B} - (no file)
O3 - Toolbar: qalkfxor - {F4FCB8FD-9E2C-43F3-8580-680B2D8EB138} - C:\WINDOWS\qalkfxor.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TeaTimer.lnk = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ZEW2505.lnk = C:\Program Files\ZONET\Mrv8000x.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 7748 bytes

Edited by breakaway, 24 August 2008 - 02:23 PM.



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:23 AM

Posted 24 August 2008 - 05:33 PM

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 breakaway

breakaway
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 24 August 2008 - 06:19 PM

Thanks for helping out, here are the logs as requested. I had shortcuts for IE, CD drive, Local Disk, and MS Antivirus appear on my desktop.

ComboFix 08-08-23.03 - SpanK 2008-08-24 19:14:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1581 [GMT -4:00]
Running from: C:\Documents and Settings\SpanK\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ahhkvvlp.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-24 17:15 . 2008-08-24 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-08-24 17:15 . 2008-08-24 17:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-24 15:58 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-24 15:58 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-24 15:41 . 2008-08-24 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-24 15:36 . 2008-06-23 12:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-24 15:36 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-24 15:36 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-24 15:36 . 2008-06-23 12:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-24 15:36 . 2008-06-23 12:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-24 15:36 . 2008-06-23 12:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-24 15:36 . 2008-06-23 12:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-24 15:36 . 2008-06-23 12:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-24 15:36 . 2008-06-23 05:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-24 13:03 . 2008-08-24 13:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-24 13:03 . 2008-08-24 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-24 13:02 . 2008-08-24 15:31 <DIR> d-------- C:\Program Files\Panda Security
2008-08-24 11:24 . 2008-08-24 11:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-24 11:23 . 2008-08-24 11:27 <DIR> d-------- C:\Documents and Settings\SpanK\.housecall6.6
2008-08-24 10:15 . 2008-08-24 10:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 10:15 . 2008-08-24 10:15 <DIR> d-------- C:\Documents and Settings\SpanK\Application Data\Malwarebytes
2008-08-24 10:15 . 2008-08-24 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-24 10:15 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-24 10:15 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 22:35 . 2008-08-23 22:36 <DIR> d-------- C:\Documents and Settings\SpanK\Application Data\leafChat
2008-08-23 22:34 . 2008-08-23 22:34 <DIR> d-------- C:\Program Files\leafChat 2
2008-08-23 20:57 . 2008-08-23 20:57 297 --a------ C:\WINDOWS\wininit.ini
2008-08-23 20:53 . 2008-08-23 20:53 <DIR> d-------- C:\WINDOWS\Sun
2008-08-23 20:38 . 2008-08-23 20:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-23 20:38 . 2008-08-23 21:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-23 20:11 . 2008-08-23 20:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 17:57 . 2008-08-24 18:58 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-23 17:54 . 2008-08-23 17:55 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-23 17:54 . 2008-08-23 17:54 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-23 17:54 . 2008-08-23 17:54 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-23 17:54 . 2008-08-23 17:54 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-23 17:53 . 2008-08-23 17:53 <DIR> d-------- C:\Program Files\AVG
2008-08-23 17:53 . 2008-08-23 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-23 16:30 . 2008-08-23 16:30 16,445,584 --a------ C:\WINDOWS\system32\windowblinds600_enhanced.exe
2008-08-23 16:30 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-08-23 15:54 . 2008-08-23 15:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-23 15:48 . 2008-08-23 17:51 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-23 15:48 . 2008-08-23 15:48 <DIR> d-------- C:\Documents and Settings\SpanK\Application Data\Windows Search
2008-08-23 15:48 . 2008-08-23 15:48 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-08-23 15:48 . 2008-08-23 15:48 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_btprot_01005.Wdf
2008-08-23 15:47 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-23 15:47 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-23 15:47 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-23 15:42 . 2008-04-13 20:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-23 15:41 . 2008-08-23 15:41 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-23 15:38 . 2008-07-22 10:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-23 15:38 . 2008-07-22 10:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-23 15:38 . 2008-07-22 10:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-08-23 15:28 . 2008-08-24 18:06 <DIR> d-------- C:\Program Files\Steam
2008-08-23 14:09 . 2008-08-23 14:09 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-08-23 14:09 . 2008-08-23 14:09 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-08-23 14:09 . 2008-08-23 14:09 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-08-23 14:02 . 2008-08-23 14:02 <DIR> d-------- C:\Program Files\Realtek
2008-08-23 13:58 . 2008-08-23 13:59 679 --a------ C:\WINDOWS\system32\SHORTCUT.INI
2008-08-23 13:57 . 2008-08-24 18:29 4,756 --a------ C:\WINDOWS\system32\LOCALSERVICE.INI
2008-08-23 13:57 . 2008-08-24 18:21 142 --a------ C:\WINDOWS\system32\REMOTEDEVICE.INI
2008-08-23 13:57 . 2008-08-24 18:29 96 --a------ C:\WINDOWS\system32\LOCALDEVICE.INI
2008-08-23 13:33 . 2008-08-23 13:33 0 --a------ C:\WINDOWS\system32\BSPRINT.INI
2008-08-23 13:32 . 2008-08-23 13:32 <DIR> d-------- C:\Program Files\IVT Corporation
2008-08-23 13:25 . 2008-08-23 16:34 <DIR> d-------- C:\Program Files\DNA
2008-08-23 13:25 . 2008-08-23 16:35 <DIR> d-------- C:\Documents and Settings\SpanK\Application Data\DNA
2008-08-23 11:24 . 2008-08-23 11:34 <DIR> d-------- C:\Documents and Settings\SpanK\Incomplete
2008-08-23 11:24 . 2008-08-23 11:34 <DIR> d-------- C:\Documents and Settings\SpanK\Application Data\LimeWire
2008-08-23 11:21 . 2008-08-23 11:21 <DIR> d-------- C:\Program Files\Java
2008-08-23 11:21 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-23 11:19 . 2008-08-23 11:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-23 11:17 . 2008-08-23 11:17 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-08-23 10:59 . 2008-08-23 13:33 32 --a------ C:\WINDOWS\0
2008-08-23 10:59 . 2008-08-23 10:59 0 --a------ C:\WINDOWS\system32\0
2008-08-23 10:50 . 2008-08-23 10:50 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-23 10:50 . 2008-08-23 10:50 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-23 10:50 . 2008-08-23 10:50 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-23 10:50 . 2008-08-23 10:50 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-23 10:49 . 2008-08-23 10:49 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-23 10:30 . 2008-08-23 10:30 <DIR> d--hs---- C:\Documents and Settings\SpanK\UserData
2008-08-23 02:14 . 2008-08-23 02:14 <DIR> d-------- C:\Program Files\Toshiba
2008-08-23 01:43 . 2008-08-23 01:43 <DIR> d-------- C:\bluetooth_temp.tos
2008-08-23 01:21 . 2008-08-23 01:21 <DIR> d-------- C:\Documents and Settings\SpanK\Application Data\skypePM
2008-08-23 01:21 . 2008-08-23 01:21 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-23 01:20 . 2008-08-23 01:20 0 --a------ C:\WINDOWS\tosOBEX.INI
2008-08-23 01:18 . 2008-08-23 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-08-23 00:45 . 2008-08-23 00:45 <DIR> d-------- C:\Documents and Settings\SpanK\Application Data\TOSHIBA
2008-08-22 22:46 . 2004-12-22 01:32 369,024 --------- C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-08-22 22:46 . 2004-12-22 01:32 184,320 --a------ C:\WINDOWS\system32\BCMWLU00.EXE
2008-08-22 22:40 . 2008-08-23 14:07 <DIR> d-------- C:\Documents and Settings\SpanK\Application Data\Ventrilo
2008-08-22 22:37 . 2008-08-22 22:37 <DIR> d-------- C:\Program Files\winpwn
2008-08-22 22:37 . 2008-08-23 10:02 <DIR> d-------- C:\Program Files\Simplify Media
2008-08-22 22:37 . 2008-08-23 15:45 <DIR> d-------- C:\Program Files\Battle for Wesnoth 1.4
2008-08-22 22:36 . 2008-08-22 22:36 <DIR> d-------- C:\Program Files\WinSCP
2008-08-22 22:36 . 2008-08-22 22:36 <DIR> d-------- C:\Program Files\TreeSizeFree
2008-08-22 22:35 . 2008-08-23 10:02 <DIR> d-------- C:\Program Files\iphone pwnage
2008-08-22 22:31 . 2008-08-22 22:31 <DIR> d-------- C:\Program Files\Ventrilo
2008-08-22 22:31 . 2008-08-22 22:31 <DIR> d-------- C:\Program Files\Audacity
2008-08-22 22:30 . 2008-08-23 20:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-22 21:15 . 2008-08-22 21:36 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-08-22 21:15 . 2008-08-22 21:36 584 --a------ C:\WINDOWS\system32\settings.sfm
2008-08-22 19:35 . 2008-08-22 19:35 <DIR> d-------- C:\Program Files\Creative
2008-08-22 19:25 . 2008-08-23 14:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-22 18:34 . 2008-08-22 18:34 <DIR> dr-h----- C:\Documents and Settings\SpanK\Application Data\SecuROM
2008-08-22 18:34 . 2008-08-22 18:34 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-22 18:33 . 2008-08-23 13:28 13,596 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-08-22 18:30 . 2008-08-22 18:30 <DIR> d-------- C:\Program Files\QuickTime
2008-08-22 18:30 . 2008-08-22 18:30 <DIR> d-------- C:\Program Files\iTunes
2008-08-22 18:30 . 2008-08-22 18:30 <DIR> d-------- C:\Program Files\iPod
2008-08-22 18:30 . 2008-08-22 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-22 18:29 . 2008-08-24 15:33 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-22 18:29 . 2008-08-22 18:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-22 18:22 . 2008-08-22 18:22 <DIR> d-------- C:\Program Files\GameSpy
2008-08-22 18:21 . 2008-08-22 18:21 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-08-22 18:21 . 2008-08-22 18:21 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-22 18:21 . 2008-08-22 18:21 22,328 --a------ C:\Documents and Settings\SpanK\Application Data\PnkBstrK.sys
2008-08-22 18:20 . 2008-08-23 15:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-22 18:20 . 2008-08-22 18:20 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-08-22 18:20 . 2008-08-22 18:20 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-08-22 18:20 . 2008-08-22 18:20 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-08-22 18:08 . 2008-08-22 18:08 <DIR> d-------- C:\Program Files\Electronic Arts
2008-08-22 17:58 . 2008-08-22 17:58 <DIR> d-------- C:\Program Files\Mouse Driver
2008-08-22 17:58 . 2008-08-22 17:58 <DIR> d-------- C:\Program Files\KEMailKb
2008-08-22 17:58 . 2000-05-10 01:29 6,205 --a------ C:\WINDOWS\system32\LWBHMVXD.VXD
2008-08-22 17:58 . 2008-08-22 17:58 77 --a------ C:\WINDOWS\KEMailKb.UNI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 18:02 319,488 ----a-w C:\WINDOWS\HideWin.exe
2008-08-22 23:35 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-08-22 23:35 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-08-22 17:54 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-12 20:10 4,751,360 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-08-06 19:51 1,200,128 ----a-w C:\WINDOWS\RtlUpd.exe
2008-07-31 19:05 16,806,912 ----a-w C:\WINDOWS\RTHDCPL.EXE
2008-07-29 19:42 528,384 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-07-21 20:14 9,728 ----a-w C:\WINDOWS\system32\RtNicProp32.dll
2008-07-10 00:40 98,403 ----a-w C:\WINDOWS\system32\Bs2Res.dll
2008-07-09 14:48 540,758 ----a-w C:\WINDOWS\system32\Bscdlg.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-03 18:15 143,450 ----a-w C:\WINDOWS\system32\BsCommon.dll
2008-07-02 18:59 33,800 ----a-w C:\WINDOWS\system32\drivers\blueletaudio.sys
2008-07-02 18:59 27,528 ----a-w C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys
2008-07-02 18:58 38,920 ----a-w C:\WINDOWS\system32\drivers\btcusb.sys
2008-07-02 18:58 29,960 ----a-w C:\WINDOWS\system32\drivers\VcommMgr.sys
2008-07-02 18:58 26,248 ----a-w C:\WINDOWS\system32\drivers\IvtBtBus.sys
2008-07-02 18:58 15,368 ----a-w C:\WINDOWS\system32\btinstall.dll
2008-07-01 07:27 108,800 ----a-w C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-19 20:42 2,808,832 ----a-w C:\WINDOWS\ALCWZRD.EXE
2008-06-19 20:27 9,715,200 ----a-w C:\WINDOWS\RTLCPL.EXE
2008-06-19 20:20 57,344 ----a-w C:\WINDOWS\ALCMTR.EXE
2008-06-18 22:01 77,824 ----a-w C:\WINDOWS\SOUNDMAN.EXE
2008-06-10 19:00 225,364 ----a-w C:\WINDOWS\system32\BsSDK.dll
2008-06-04 22:30 9,728 ----a-w C:\WINDOWS\system32\BsMonUI.dll
2008-06-04 22:30 57,430 ----a-w C:\WINDOWS\system32\btfunc.dll
2008-06-04 22:30 53,248 ----a-w C:\WINDOWS\system32\HtmPrintHelper.dll
2008-06-04 22:30 405,589 ----a-w C:\WINDOWS\system32\BsUI.dll
2008-06-04 22:30 278,647 ----a-w C:\WINDOWS\system32\outlookAddin.dll
2008-06-04 22:30 18,432 ----a-w C:\WINDOWS\system32\BsMonSvr.dll
2008-06-04 22:29 622,693 ----a-w C:\WINDOWS\system32\BSShell.dll
2008-06-04 22:29 114,788 ----a-w C:\WINDOWS\system32\BsProfileFunc.dll
2008-06-04 22:29 114,774 ----a-w C:\WINDOWS\system32\versit.dll
2008-06-04 22:28 94,314 ----a-w C:\WINDOWS\system32\BsHelpCSps.dll
2008-06-04 22:28 520,307 ----a-w C:\WINDOWS\system32\BlueSoleilCSps.dll
2008-06-04 22:27 28,766 ----a-w C:\WINDOWS\system32\PlayerCtrl.dll
2008-06-04 22:27 28,672 ----a-w C:\WINDOWS\system32\BsMobileCSps.dll
2008-06-04 22:27 118,880 ----a-w C:\WINDOWS\system32\BsMobileSDK.dll
2008-06-04 22:26 28,760 ----a-w C:\WINDOWS\system32\BsTrace.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BtTray"="C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-07-18 11:34 234496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:31 13529088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-23 17:53 1232152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 20:12 110592 C:\WINDOWS\system32\bthprops.cpl]
"nwiz"="nwiz.exe" [2008-05-16 14:31 1630208 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\SpanK\Start Menu\Programs\Startup\
TeaTimer.lnk - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-23 20:38:45 1832272]
ZEW2505.lnk - C:\Program Files\ZONET\Mrv8000x.exe [2008-08-22 15:14:04 12877824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoLogoff"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-08-23 13:25 342336 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
--a------ 2004-07-25 20:50 401667 C:\PROGRA~1\KEMailKb\KEMailKb.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:31 13529088 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:31 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2008-06-19 16:20 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 14:31 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-07-31 15:05 16806912 C:\WINDOWS\RTHDCPL.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Battle for Wesnoth 1.4\\wesnothd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;C:\WINDOWS\system32\Drivers\BtHidBus.sys [2008-01-21 19:28]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-23 17:54]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-23 17:53]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-23 17:53]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-23 17:54]
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe [2008-07-18 11:34]
R2 BsMobileCS;BsMobileCS;C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-06-04 18:26]
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe [2008-06-04 18:28]
R3 IvtBtBUs;IVT Bluetooth Bus Service;C:\WINDOWS\system32\Drivers\IvtBtBus.sys [2008-07-02 14:58]
R3 MRVW225;Zonet 802.11g USB Drive for Windows XP;C:\WINDOWS\system32\DRIVERS\MRVW225.sys [2005-12-21 05:44]
S3 BTIAUSB;Generic Bluetooth Device;C:\WINDOWS\system32\DRIVERS\btiausb.sys [2008-07-30 09:04]
S3 BTPROT;Generic Bluetooth Filter;C:\WINDOWS\system32\DRIVERS\btprot.sys [2008-08-02 10:22]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0158E85C-2153-40D3-A656-DB8150554E82} - C:\WINDOWS\system32\yxnrrpeu.dll
BHO-{3adf74d4-9a82-4e8b-9e3c-0e14beae2b30} - (no file)
BHO-{53301152-F0CB-4A4F-8281-42D2EBE39DCF} - (no file)
BHO-{60EF7E5D-E737-4CE0-BB27-995EA2A83405} - (no file)
BHO-{99CE5B34-AF1E-4580-9CD6-EE6AFC8DFC09} - (no file)
BHO-{a7cf2932-a8b9-4340-a224-1e7a6c8073f9} - (no file)
BHO-{D1CD338D-85E7-48C7-BB0C-E858E9AE8D9B} - (no file)
Toolbar-{F4FCB8FD-9E2C-43F3-8580-680B2D8EB138} - C:\WINDOWS\qalkfxor.dll
ShellExecuteHooks-{53301152-F0CB-4A4F-8281-42D2EBE39DCF} - (no file)
MSConfigStartUp-14d3a602 - C:\WINDOWS\system32\plvvkhha.dll
MSConfigStartUp-Antivirus - C:\Program Files\MSA\MSA.exe
MSConfigStartUp-BM17e0959e - C:\WINDOWS\system32\iqqdnrxm.dll
MSConfigStartUp-lphcpakj0e7da - C:\WINDOWS\system32\lphcpakj0e7da.exe
MSConfigStartUp-Somefox - C:\DOCUME~1\SpanK\LOCALS~1\Temp\338.tmp.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 -: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 19:15:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-24 19:16:15
ComboFix-quarantined-files.txt 2008-08-24 23:16:13

Pre-Run: 274,878,758,912 bytes free
Post-Run: 274,872,934,400 bytes free

307 --- E O F --- 2008-08-24 19:43:36

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17 PM, on 8/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TeaTimer.lnk = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ZEW2505.lnk = C:\Program Files\ZONET\Mrv8000x.exe
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5832 bytes
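
The HijackThis log above is what the helper reads by eye: the O2 line ending in "(no file)" is a stale BHO registration, and the ORPHANS REMOVED block in the ComboFix log shows the random-named DLLs that were autostarting before. As an added example (not part of HijackThis, ComboFix or this thread's fix), here is a small Python triage script that parses the O2/O4/O23 line shapes seen in this log and flags the same things: orphaned registrations, autostarts from a Temp folder, and files whose names look machine-generated. The name scorer is a crude heuristic that will misfire on some legitimate files, and the threshold of 3 is an assumption; the sample log is constructed from lines in this thread plus lines rebuilt from the ORPHANS REMOVED section.

```python
"""Triage a HijackThis log: flag orphaned entries and suspicious autostarts.

Added example, not part of HijackThis or of this thread's fix. It encodes a
few things a malware-response helper checks by eye in O2/O4/O23 lines. The
name heuristic is deliberately crude and will misfire on some legitimate
files, so a hit means 'look closer', not 'malware'.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: str
    reason: str


# Line shapes as HijackThis 2.0.2 prints them in this thread.
_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
_O4_RE = re.compile(r"^O4 - (?P<hive>.+?): (?:\[(?P<name>[^\]]*)\] (?P<cmd>.*)|(?P<lnk>.+?\.lnk) = (?P<target>.*))$")
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
_TEMP_RE = re.compile(r"\\temp\\", re.I)
_WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\(system32\\)?[^\\]+$", re.I)


def first_path(cmd: str) -> str:
    """Executable path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def random_name_score(path: str) -> int:
    """0..5: how much the file name looks machine-generated. Only all-lowercase
    alphanumeric stems are scored; the droppers ComboFix removed in this thread
    (yxnrrpeu.dll, plvvkhha.dll, lphcpakj0e7da.exe) all look like that."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z0-9]+", stem):
        return 0
    letters = re.sub(r"[0-9]", "", stem)
    score = 0
    score += len(stem) == 8 and stem.isalpha()                    # classic 8-letter stem
    score += bool(re.search(r"[a-z][0-9]+[a-z]", stem))           # digits inside the name
    score += bool(re.search(r"[b-df-hj-np-tv-z]{5,}", letters))  # long consonant run
    score += bool(letters) and sum(c in "aeiou" for c in letters) / len(letters) <= 0.25
    score += bool(_WINDIR_RE.match(path))                         # dropped into %WINDIR%/system32
    return score


def triage(log_text: str, threshold: int = 3) -> List[Finding]:
    """Run the checks over a whole log and return what deserves a second look."""
    out: List[Finding] = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := _O2_RE.match(line):
            if m["path"] == "(no file)":
                out.append(Finding(line, "orphaned BHO registration, file already gone; fix to clean up"))
            elif random_name_score(m["path"]) >= threshold:
                out.append(Finding(line, "BHO with a random-looking file name"))
        elif m := _O4_RE.match(line):
            path = m["target"] if m["lnk"] else first_path(m["cmd"])
            if _TEMP_RE.search(path):
                out.append(Finding(line, "autostart running from a temp folder"))
            elif random_name_score(path) >= threshold:
                out.append(Finding(line, "autostart with a random-looking file name"))
        elif m := _O23_RE.match(line):
            if m["owner"] == "Unknown owner" and random_name_score(m["path"]) >= threshold:
                out.append(Finding(line, "service with no company name and a random-looking file name"))
    return out


# Constructed sample: lines from the posted log plus O2/O4 lines rebuilt from
# the ComboFix "ORPHANS REMOVED" section (how they would have looked before).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {0158E85C-2153-40D3-A656-DB8150554E82} - C:\WINDOWS\system32\yxnrrpeu.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [lphcpakj0e7da] C:\WINDOWS\system32\lphcpakj0e7da.exe
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\SpanK\LOCALS~1\Temp\338.tmp.exe
O4 - Startup: ZEW2505.lnk = C:\Program Files\ZONET\Mrv8000x.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60s} {f.line}")
```

On the sample it reports four lines: the orphaned BHO, the two random-named system32 files, and the Temp-folder autostart; PnkBstrA, ctfmon and nvsvc32 stay quiet. The scoring only looks at all-lowercase stems on purpose, because that is what the droppers in this thread used, and mixed-case vendor names would otherwise drown the result in noise.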

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:23 AM

Posted 24 August 2008 - 06:36 PM

Hi,

This looks OK again.

Check and fix next entry in HijackThis:

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

Also, you have some strange policies set which don't make sense anyway, since the values are not correct and some of the policies are created under the wrong key. No clue who set them there... because it doesn't look like a tool did that, but rather someone who tinkered with this previously.

So do next please..

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=-
"NoUserNameInStartMenu"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
Double-click on it and, when it asks if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
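
What the fix.reg above actually does is easy to miss: a line of the form "Name"=- deletes that value, and regedit refuses the whole file if the REGEDIT4 header is missing, which is why the helper insists on it. As an added example (not a Microsoft or BleepingComputer tool, and not the helper's own code), here is a Python interpreter for that .reg syntax run against an in-memory snapshot built from the policy values catchme listed under Policies\Explorer\Run. The snapshot is constructed, the extra NoDriveTypeAutoRun value in it is assumed, and the case-insensitive matching mirrors how Windows treats registry names; the point it shows is that only the listed values go away and everything else under those keys survives.

```python
"""Interpret a REGEDIT4-style .reg fix against an in-memory registry snapshot.

Added example; it is not a Microsoft or BleepingComputer tool. It shows what
the helper's fix.reg does: "Name"=- deletes that value, a [-Key] line deletes
a whole key, and anything else sets a value. Registry names are matched
case-insensitively, as Windows does.
"""
import re
from copy import deepcopy
from typing import Dict, List, Tuple

Registry = Dict[str, Dict[str, object]]   # key path -> {value name: data}

# Constructed snapshot (not a real registry): the policy values catchme listed
# under Policies\Explorer\Run in this thread, plus one assumed legitimate value
# under the HKCU policies key that the fix must leave untouched.
SNAPSHOT: Registry = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": {
        "NoActiveDesktopChanges": b"\x3f\x00\x00\x00",
        "NoActiveDesktop": b"\x63",
        "NoSaveSettings": b"\x63",
        "ClassicShell": b"\x63",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoLogoff": 1,
        "NoUserNameInStartMenu": 1,
        "NoDriveTypeAutoRun": 0x91,      # assumed pre-existing; must survive the fix
    },
}

# The helper's fix.reg from this thread, verbatim.
FIX_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=-
"NoUserNameInStartMenu"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
'''

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text: str):
    """Yield (op, key, name, data); op is delete_key, delete_value or set_value."""
    lines = [l.strip() for l in text.splitlines()]
    header = next((l for l in lines if l), "")
    if header not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing REGEDIT4 header: regedit would refuse this file")
    key = None
    for line in lines[lines.index(header) + 1:]:
        if not line or line.startswith(";"):
            continue
        if m := _KEY_RE.match(line):
            key = m.group(2)
            if m.group(1):                      # [-Key] deletes the whole key
                yield "delete_key", key, "", None
                key = None
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparsable line: {line!r}")
        name, raw = m.group(1) or "", m.group(2)   # @ is the key's default value
        if raw == "-":
            yield "delete_value", key, name, None
        elif raw.startswith("dword:"):
            yield "set_value", key, name, int(raw[6:], 16)
        elif raw.startswith("hex:"):
            yield "set_value", key, name, bytes.fromhex(raw[4:].replace(",", ""))
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            yield "set_value", key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])
        else:
            raise ValueError(f"unsupported value syntax: {raw!r}")


def _lookup(d, name):
    """Case-insensitive key/value-name lookup; returns the stored spelling or None."""
    return next((k for k in d if k.casefold() == name.casefold()), None)


def apply_reg(reg: Registry, text: str) -> Tuple[Registry, List[str]]:
    """Apply a .reg file to a copy of reg; return (new registry, action log)."""
    reg, log = deepcopy(reg), []
    for op, key, name, data in parse_reg(text):
        real = _lookup(reg, key)
        if op == "delete_key":
            log.append(f"deleted key {real}" if real else f"absent key {key}")
            reg.pop(real, None)
            continue
        if real is None:
            if op != "set_value":
                log.append(f"absent key, skipped {key}\\{name}")
                continue
            reg[key], real = {}, key
        values = reg[real]
        stored = _lookup(values, name)
        if op == "delete_value":
            log.append(f"deleted value {real}\\{stored}" if stored else f"absent value {real}\\{name}")
            values.pop(stored, None)
        else:
            values[stored or name] = data
            log.append(f"set value {real}\\{stored or name} = {data!r}")
    return reg, log


if __name__ == "__main__":
    after, actions = apply_reg(SNAPSHOT, FIX_REG)
    print("\n".join(actions))
    print("remaining:", after)
```

Run as is, it logs six "deleted value" actions and leaves the Run key empty and the HKCU key holding only the assumed NoDriveTypeAutoRun value. A value that is already absent is logged and skipped rather than treated as an error, which is also how regedit behaves, so re-running a fix is harmless.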

#5 breakaway

breakaway
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:23 PM

Posted 24 August 2008 - 06:50 PM

Did what you requested, though I don't notice any changes. I still have shortcuts for IE, CD drive, local disk, and MS Antivirus on my desktop that appeared after ComboFix ran.
EDIT: Meant to say that this is a less than 48-hour-old computer that I purchased from ibuypower, and the only registry things I have personally changed were to get my time back (from saying "virus alert"). Other than that I have not done anything with the registry.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48 PM, on 8/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TeaTimer.lnk = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ZEW2505.lnk = C:\Program Files\ZONET\Mrv8000x.exe
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5758 bytes

Edited by breakaway, 24 August 2008 - 06:52 PM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:23 AM

Posted 24 August 2008 - 06:56 PM

Hi,

I still have shortcuts for IE, cd drive, local disk,

Those are the default icons that are present when you install XP though. Combofix restored them again. If you don't want them, just delete them.

The ms antivirus icon is not a standard one and created by the malware you were dealing with, so you can delete that one as well. It's only a shortcut though - the program was already deleted previously.

#7 breakaway

breakaway
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:23 PM

Posted 24 August 2008 - 06:59 PM

So is that it? Am I clean? I thought I was clean before when I ran everything, but I wasn't sure. I was having problems with the virus recreating itself for a while. I would like to restart and then post a HijackThis log for you to double-check, because that's when the problems come back.

Edited by breakaway, 24 August 2008 - 07:05 PM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:23 AM

Posted 24 August 2008 - 07:21 PM

Hi,

I don't see anything malicious in your log again though, so it should be gone and won't come back... Unless you visit the same site again where you got infected with this one.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 breakaway

breakaway
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:23 PM

Posted 24 August 2008 - 07:23 PM

Alright, thanks. I believe I got infected while trying to download WindowBlinds... oh well. Thanks again for your time and abilities.

Based on what I saw in other posts I need to uninstall combofix and do some other things.. right?

Edited by breakaway, 24 August 2008 - 07:25 PM.


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:23 AM

Posted 25 August 2008 - 02:51 AM

while trying to download windowblinds...

Most probably a hacked/cracked version, and anyway not downloaded via the Stardock website.
That's how most people get infected.
You were lucky this time, because what if it installed a nasty backdoor instead which collected all your passwords and other personal info?
That's why: stay away from illegal software and get it via the developer's site instead if you don't want to get infected.

Yes. Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:23 AM

Posted 07 September 2008 - 07:09 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



