'fake Alert'/zlob


This topic is locked
12 replies to this topic

#1 Sharkky9


Posted 27 August 2008 - 06:04 PM

Hi guys. My computer is infected with a rogue antispyware infection. I have run AdAware, Spybot, and SmitFraudFix. The problems associated with the original infection have mostly been solved (incessant pop-up windows, etc.). However, the one remaining problem is a notification in my toolbar declaring "Tracking Process Activated. ***ADDRESS:0x17DA839A *** Cannot deactivate spyware program. Click this balloon to fix this problem."
Here is a copy of my HijackThis log:
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Norton\Nav\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Norton\Nav\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SmartPopupBlocker\SmartPopupBlockerTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Norton\Nav\NavShExt.dll
O3 - Toolbar: Stanford GSB Alumni Toolbar - {0EE3F0B3-6A98-44E2-BEC4-981E4DE63D62} - C:\Program Files\Stanford GSB Alumni Toolbar\alumtoolbar.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d8b8e25d] rundll32.exe "C:\WINDOWS\system32\peaedlmd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.usps.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122687138953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130184180171
O20 - AppInit_DLLs: feboxh.dll ptzaip.dll qmcxxm.dll dhitvu.dll zfpsqt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Norton\Nav\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Norton\Nav\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Norton\Nav\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10080 bytes


Thank you all so much in advance!

#2 fenzodahl512


Posted 30 August 2008 - 02:20 AM

Please visit the webpage below for instructions on downloading and running ComboFix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Sharkky9


Posted 31 August 2008 - 01:05 AM

Will do tomorrow, and let you know. Thanks a lot for your response.

#4 fenzodahl512


Posted 31 August 2008 - 12:44 PM

waiting for ya..



#5 Sharkky9


Posted 31 August 2008 - 05:07 PM

Sorry for the delay, it's actually my Dad's computer that we are discussing.
Anyways, here is a copy of the combofix log:
ComboFix 08-08-30.03 - Irene 2008-08-31 14:40:42.1 - NTFSx86
Running from: C:\Documents and Settings\Irene\Desktop\ComboFix
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Irene\Application Data\Adobe\crc.dat
C:\Documents and Settings\Irene\Application Data\macromedia\Flash Player\#SharedObjects\HRM9RGXN\bin.clearspring.com
C:\Documents and Settings\Irene\Application Data\macromedia\Flash Player\#SharedObjects\HRM9RGXN\interclick.com
C:\Documents and Settings\Irene\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Irene\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\WINDOWS\cookies.ini
C:\WINDOWS\envk.exe
C:\WINDOWS\hosts
C:\WINDOWS\system32\bycjxpsf.ini
C:\WINDOWS\system32\cvjdegrs.ini
C:\WINDOWS\system32\DcMWwGgh.ini
C:\WINDOWS\system32\DcMWwGgh.ini2
C:\WINDOWS\system32\dhitvu.dll
C:\WINDOWS\system32\dkoppvsb.dll
C:\WINDOWS\system32\dmldeaep.ini
C:\WINDOWS\system32\euhbbpfc.dll
C:\WINDOWS\system32\feboxh.dll
C:\WINDOWS\system32\fspxjcyb.dll
C:\WINDOWS\system32\fwbrnjvy.dll
C:\WINDOWS\system32\gdhlccrw.dll
C:\WINDOWS\system32\gpsika.dll
C:\WINDOWS\system32\huyxhoju.dll
C:\WINDOWS\system32\iSutsBeg.ini
C:\WINDOWS\system32\iSutsBeg.ini2
C:\WINDOWS\system32\jcycwt.dll
C:\WINDOWS\system32\kyrmrrxs.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdlpjxjv.ini
C:\WINDOWS\system32\mlJBSkjK.dll
C:\WINDOWS\system32\nnomfvyi.ini
C:\WINDOWS\system32\nvfqsgiu.ini
C:\WINDOWS\system32\ptzaip.dll
C:\WINDOWS\system32\qmcxxm.dll
C:\WINDOWS\system32\sklgneek.dll
C:\WINDOWS\system32\tacbdits.ini
C:\WINDOWS\system32\unspjemv.ini
C:\WINDOWS\system32\vtUklMFX.dll
C:\WINDOWS\system32\wvUopQgF.dll
C:\WINDOWS\system32\wvygldrt.dll
C:\WINDOWS\system32\xjcxpexb.ini
C:\WINDOWS\system32\ygobuuqk.dll
C:\WINDOWS\system32\zapfwt.dll
C:\WINDOWS\system32\zfpsqt.dll

----- BITS: Possible infected sites -----

http://hqsextube08.com
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.

2008-08-31 14:41 . 2008-08-31 14:41 0 --a------ C:\WINDOWS\system32\bycjxpsf.tmp
2008-08-31 06:06 . 2008-08-31 06:06 125,056 --a------ C:\WINDOWS\system32\xqrmyeeg.dll
2008-08-31 06:06 . 2008-08-31 06:06 125,056 --a------ C:\WINDOWS\system32\keaima.dll
2008-08-27 15:55 . 2008-08-27 15:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-26 11:50 . 2008-08-26 11:50 131,584 --a------ C:\Program Files\KB56920.exe
2008-08-26 11:50 . 2008-08-26 11:50 126,976 --a------ C:\WINDOWS\system32\wx15508.dll
2008-08-25 19:19 . 2008-08-25 19:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-25 19:19 . 2008-08-25 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-25 19:18 . 2008-08-25 19:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-25 19:16 . 2008-08-25 19:16 <DIR> d-------- C:\Program Files\SmartPopupBlocker
2008-08-24 23:01 . 2008-08-31 14:49 200,704 --a------ C:\WINDOWS\SysNotifier.exe
2008-08-24 23:00 . 2008-08-24 23:00 303,104 --a------ C:\WINDOWS\system32\ylehiotw.exe
2008-08-23 16:53 . 2008-08-23 16:53 323,328 --a------ C:\WINDOWS\system32\hgGwWMcD.dll
2008-08-23 15:27 . 2008-08-27 15:32 3,692 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-23 13:25 . 2008-08-23 13:25 <DIR> d-------- C:\Program Files\AVG
2008-08-23 13:13 . 2008-08-23 13:13 131,584 --a------ C:\Program Files\KB46036.exe
2008-08-23 13:13 . 2008-08-23 13:13 126,976 --a------ C:\WINDOWS\kx61465.dll
2008-08-23 13:10 . 2008-08-23 10:26 344,064 --a------ C:\WINDOWS\rodqgpvlstq.dll
2008-08-23 13:10 . 2008-08-23 13:10 126,976 --a------ C:\WINDOWS\kx52023.dll
2008-08-23 12:42 . 2008-08-23 12:42 <DIR> d-------- C:\Program Files\Vuze
2008-08-23 12:42 . 2008-08-23 12:42 <DIR> d-------- C:\Program Files\AskSBar
2008-08-23 12:42 . 2008-08-23 14:55 <DIR> d-------- C:\Documents and Settings\Irene\Application Data\Azureus
2008-08-23 12:42 . 2008-08-23 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-08-22 16:07 . 2008-08-22 16:48 <DIR> d-------- C:\Documents and Settings\Irene\Application Data\Apple Computer
2008-08-22 16:06 . 2008-08-22 16:06 <DIR> d-------- C:\Program Files\iTunes
2008-08-22 16:06 . 2008-08-22 16:06 <DIR> d-------- C:\Program Files\iPod
2008-08-22 16:06 . 2008-08-22 16:06 <DIR> d-------- C:\Program Files\Bonjour
2008-08-22 16:05 . 2008-08-22 16:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-22 16:05 . 2008-08-22 16:05 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-22 16:05 . 2008-08-22 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-22 16:05 . 2008-07-22 20:32 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-08-22 16:04 . 2008-08-22 16:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-22 16:04 . 2008-08-22 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-22 16:02 . 2008-04-13 17:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-22 16:02 . 2008-04-13 11:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-22 16:02 . 2008-04-13 11:45 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-22 16:02 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-20 09:09 . 2008-08-20 09:27 40 --a------ C:\WINDOWS\opt_1440.ini
2008-08-20 09:09 . 2008-08-20 09:09 0 --a------ C:\WINDOWS\Brohl144.ini
2008-08-20 09:06 . 2002-02-22 19:43 139,264 --a------ C:\WINDOWS\brunin144.dll
2008-08-20 09:06 . 2008-08-20 10:17 11,568 --a------ C:\WINDOWS\HL-1440.INI
2008-08-16 19:08 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-16 19:07 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-11 11:41 . 2008-08-11 11:41 <DIR> d-------- C:\Documents and Settings\Irene\Application Data\Arcsoft
2008-08-11 11:26 . 2008-08-11 11:26 <DIR> d-------- C:\Documents and Settings\Irene\Application Data\SupportSoft
2008-08-11 10:46 . 2008-08-11 10:46 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-08-11 10:46 . 2008-08-11 10:46 <DIR> d-------- C:\Program Files\chatsupport.palm.com
2008-08-07 05:20 . 2008-08-07 05:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-30 06:06 . 2008-07-30 06:06 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-30 06:06 . 2008-07-30 06:06 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-30 06:06 . 2008-07-30 06:06 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-30 06:06 . 2008-07-30 06:06 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-30 06:04 . 2008-07-30 06:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-30 05:58 . 2008-07-30 05:58 <DIR> d-------- C:\WINDOWS\EHome
2008-07-28 13:12 . 2008-04-13 17:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-07-28 13:11 . 2008-04-13 17:11 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2008-07-07 13:26 . 2008-07-07 13:26 253,952 --------- C:\WINDOWS\system32\dllcache\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 13:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 19:59 --------- d-----w C:\Documents and Settings\Irene\Application Data\Webroot
2008-08-26 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-26 02:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-23 20:32 --------- d-----w C:\Program Files\Stanford GSB Alumni Toolbar
2008-08-23 19:11 --------- d-----w C:\Program Files\Brownie
2008-08-22 23:06 --------- d-----w C:\Program Files\QuickTime
2008-08-20 16:26 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 16:06 --------- d-----w C:\Program Files\Brother
2008-08-14 15:10 --------- d-----w C:\Program Files\Java
2008-08-11 17:25 --------- d-----w C:\Program Files\palmOne
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 17:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43}]
2008-08-23 16:53 323328 --a------ C:\WINDOWS\system32\hgGwWMcD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]
2008-08-24 23:00 299008 --a------ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d96a51ed-1a6f-4f24-b3d1-6a47ad82a2ad}]
2008-08-31 06:06 125056 --a------ C:\WINDOWS\system32\keaima.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 14:33 155648]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 12:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 19:00 344064]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 18:15 290816]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-27 11:37 59040]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-20 07:55 100056]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2005-05-26 06:02 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2005-05-26 06:04 868352]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 08:09 63712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

C:\Documents and Settings\Irene\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-04-13 17:03:10 299008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avicodec]
2008-08-24 23:00 299008 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 12:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mjpg"= mcmjpg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 05:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 14:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 05:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-18 10:55 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 07:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 08:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-05-09 06:25 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2005-05-26 06:05 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 15:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-06 23:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 08:55]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 CH341SER;CH341SER;C:\WINDOWS\system32\Drivers\CH341SER.SYS [2006-06-05 00:00]
.
Contents of the 'Scheduled Tasks' folder

2008-08-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-23 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Irene.job
- C:\Norton\Nav\Navw32.exe [2005-10-19 10:54]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3B4A0A4E-0542-4322-8C32-99DFCD406B6F} - C:\WINDOWS\system32\geBstuSi.dll
Toolbar-{0EE3F0B3-6A98-44E2-BEC4-981E4DE63D62} - C:\Program Files\Stanford GSB Alumni Toolbar\alumtoolbar.dll
WebBrowser-{0EE3F0B3-6A98-44E2-BEC4-981E4DE63D62} - C:\Program Files\Stanford GSB Alumni Toolbar\alumtoolbar.dll
HKLM-Run-d8b8e25d - C:\WINDOWS\system32\fspxjcyb.dll
MSConfigStartUp-mmtask - C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-Spyware Cleaner - C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Irene\Application Data\Mozilla\Firefox\Profiles\esqxwlpp.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 14:51:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\BRSVC01A.EXE
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Norton\Nav\NAVAPSVC.EXE
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Norton\Nav\IWP\NPFMNTOR.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Apoint\ApntEx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SysNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-31 15:01:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-31 22:01:24

Pre-Run: 19,141,185,536 bytes free
Post-Run: 19,133,915,136 bytes free

320 --- E O F --- 2008-08-20 16:26:27



And here is a copy of the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05:15, on 8/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Norton\Nav\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Norton\Nav\IWP\NPFMntor.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HTTP://YAHOO.COM/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Norton\Nav\NavShExt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.usps.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122687138953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130184180171
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Norton\Nav\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Norton\Nav\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Norton\Nav\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9718 bytes


Thanks a lot!

Edited by Sharkky9, 31 August 2008 - 05:10 PM.


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:01:48 AM

Posted 31 August 2008 - 05:47 PM

Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file paths into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll
    • C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
  • Click on the Upload button. You can submit only one file per entry.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\bycjxpsf.tmp
C:\WINDOWS\system32\xqrmyeeg.dll
C:\WINDOWS\system32\keaima.dll
C:\Program Files\KB56920.exe
C:\WINDOWS\system32\wx15508.dll
C:\WINDOWS\SysNotifier.exe
C:\WINDOWS\system32\ylehiotw.exe
C:\WINDOWS\system32\hgGwWMcD.dll
C:\Program Files\KB46036.exe
C:\WINDOWS\kx61465.dll
C:\WINDOWS\rodqgpvlstq.dll
C:\WINDOWS\kx52023.dll

Folder::
C:\Program Files\AskSBar

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d96a51ed-1a6f-4f24-b3d1-6a47ad82a2ad}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • VirScan.org/VirusTotal
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Sharkky9

Sharkky9
  • Topic Starter

  • Members
  • 6 posts
  • Local time:10:48 AM

Posted 01 September 2008 - 02:37 PM

Here are the results of virscan.org scans:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
VirSCAN.org Scanned Report :
Scanner results: 33% Scanner(12/36) found malware!
File Name : tfpapi.dll
File Size : 299008 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : d8fa54f0b61428f42b43aa40fb2972ac
SHA1 : 8505f1adc3c76def653af86a62b30d4da333b60d
Online report : http://virscan.org/report/4080bef4d3fca951...aa24aa07a7.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.08.27 2008-08-27 2.52 -
AhnLab V3 2008.08.29.00 2008.08.29 2008-08-29 0.89 -
AntiVir 7.8.1.23 7.0.6.88 2008-08-28 2.25 PHISH/FraudTool.XPShield.H
Arcavir 1.0.5 200808281354 2008-08-28 1.21 Riskware.Fraudtool.Xpshield.H
AVAST! 3.0.1 080828-0 2008-08-28 0.71 Win32:Trojan-gen {Other}
AVG 7.5.51.442 270.6.12/1640 2008-08-28 1.55 -
BitDefender 7.60825.1660182 7.20712 2008-08-29 3.19 -
CA (VET) 9.0.0.143 31.6.6054 2008-08-28 5.10 -
ClamAV 0.93.3 8112 2008-08-29 0.07 -
Comodo 2.11 2.0.0.630 2008-08-28 0.43 -
CP Secure 1.1.0.715 2008.08.29 2008-08-29 6.52 -
Dr.Web 4.44.0.9170 2008.08.28 2008-08-28 3.15 -
ewido 4.0.0.2 2008.08.28 2008-08-28 2.56 -
F-Prot 4.4.4.56 20080828 2008-08-28 0.99 Possible W32/Heuristic-KPP!Eldorado (not disinfectable)
F-Secure 5.51.6100 2008.08.29.01 2008-08-29 3.17 -
Fortinet 2.81-3.11 9.481 2008-08-28 1.75 -
ViRobot 20080828 2008.08.28 2008-08-28 0.40 -
Ikarus T3.1.01.34 2008.08.28.71358 2008-08-28 3.19 Trojan-Downloader.Win32.Renos.Z
JiangMin 11.0.706 2008.08.28 2008-08-28 1.19 -
Kaspersky 5.5.10 2008.08.28 2008-08-28 0.04 not-a-virus:FraudTool.Win32.XPShield.h
KingSoft 2008.1.14.15 2008.8.28.17 2008-08-28 0.58 -
McAfee 5.3.00 5371 2008-08-27 2.09 -
Microsoft 1.3807 2008.08.28 2008-08-28 4.28 TrojanDownloader:Win32/Renos.gen!Z
mks_vir 2.01 2008.08.25 2008-08-25 2.60 -
Norman 5.93.01 5.93.00 2008-08-28 5.00 -
Panda 9.05.01 2008.08.28 2008-08-28 2.04 Adware/XP-Shield
Trend Micro 8.700-1004 5.506.02 2008-08-28 0.02 TROJ_RENOS.AEZ
Quick Heal 9.50 2008.08.26 2008-08-26 1.67 FraudTool.XPShield.h (Not a Virus)
Rising 20.0 20.59.31.00 2008-08-28 0.74 -
Sophos 2.78.0 4.33 2008-08-29 1.65 -
Sunbelt 3.1.1582.1 2204 2008-08-25 0.42 XPShield
Symantec 1.3.0.24 20080828.003 2008-08-28 0.05 -
nProtect 2008-08-28.00 1982990 2008-08-28 3.62 -
The Hacker 6.3.0.6 v00064 2008-08-27 0.38 Aplicacion/XPShield.h (Unwanted)
VBA32 3.12.8.4 20080828.0615 2008-08-28 2.15 -
VirusBuster 4.5.11.10 10.84.14/623168 2008-08-28 0.96 -

C:\Program Files\chatsupport\palm.com\bin\tgsrvc.exe

VirSCAN.org Scanned Report :
Scanned time : 2008/09/01 12:08:24 (MST)
Scanner results: All Scanners reported not find malware!
File Name : tgsrvc.exe
File Size : 148768 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0e8be65daa22027624a7289090e3841e
SHA1 : d59b7e6c858bb8bb9af6dd3ccd2ab5f7d0ceefcd
Online report : http://virscan.org/report/eba72b17227df0fd...f358a9da3c.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.08.31 2008-08-31 2.54 -
AhnLab V3 2008.09.01.01 2008.09.01 2008-09-01 0.91 -
AntiVir 7.8.1.23 7.0.6.100 2008-09-01 2.27 -
Arcavir 1.0.5 200809011022 2008-09-01 1.21 -
AVAST! 3.0.1 080901-0 2008-09-01 0.71 -
AVG 7.5.51.442 270.6.14/1645 2008-09-01 1.55 -
BitDefender 7.60825.1692066 7.20769 2008-09-01 2.98 -
CA (VET) 9.0.0.143 31.6.6062 2008-09-01 6.67 -
ClamAV 0.93.3 8131 2008-09-01 0.05 -
Comodo 2.11 2.0.0.634 2008-09-01 0.64 -
CP Secure 1.1.0.715 2008.09.01 2008-09-01 6.54 -
Dr.Web 4.44.0.9170 2008.09.01 2008-09-01 3.18 -
ewido 4.0.0.2 2008.09.01 2008-09-01 2.75 -
F-Prot 4.4.4.56 20080831 2008-08-31 1.04 -
F-Secure 5.51.6100 2008.09.01.07 2008-09-01 3.26 -
Fortinet 2.81-3.11 9.502 2008-09-02 1.79 -
ViRobot 20080901 2008.09.01 2008-09-01 0.41 -
Ikarus T3.1.01.34 2008.09.01.71376 2008-09-01 3.36 -
JiangMin 11.0.706 2008.09.01 2008-09-01 1.19 -
Kaspersky 5.5.10 2008.09.01 2008-09-01 0.05 -
KingSoft 2008.1.14.15 2008.9.1.20 2008-09-01 0.64 -
McAfee 5.3.00 5373 2008-08-29 1.32 -
Microsoft 1.3807 2008.09.01 2008-09-01 4.15 -
mks_vir 2.01 2008.08.25 2008-08-25 2.63 -
Norman 5.93.01 5.93.00 2008-09-01 5.00 -
Panda 9.05.01 2008.08.31 2008-08-31 2.04 -
Trend Micro 8.700-1004 5.512.04 2008-09-01 0.03 -
Quick Heal 9.50 2008.08.29 2008-08-29 1.89 -
Rising 20.0 20.60.01.00 2008-09-01 0.76 -
Sophos 2.78.0 4.33 2008-09-02 1.69 -
Sunbelt 3.1.1592.1 2210 2008-08-29 0.42 -
Symantec 1.3.0.24 20080901.003 2008-09-01 0.05 -
nProtect 2008-09-01.01 2033179 2008-09-01 3.65 -
The Hacker 6.3.0.6 v00069 2008-09-01 0.40 -
VBA32 3.12.8.4 20080831.1339 2008-08-31 1.27 -
VirusBuster 4.5.11.10 10.86.2/623319 2008-09-01 0.91 -
--
Unfortunately, I was not able to complete the other step. Upon dropping CFScript.txt onto ComboFix.exe, ComboFix starts up. However, it gives the following message:
"Please Wait.
ComboFix is preparing to run.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process."


I also tried rebooting and completing this step, which yielded the same results.
I also tried rebooting in safe mode and completing this step, which yielded the same results.

Thanks so much for your ongoing support!

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:01:48 AM

Posted 01 September 2008 - 09:57 PM

Hello. The file that I asked you to scan with VirScan.org was C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll, but perhaps you have scanned the wrong file, C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\tfpapi.dll. Please scan the requested file via VirScan.org again and post the result here. :thumbsup:



NEXT


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\bycjxpsf.tmp
    C:\WINDOWS\system32\xqrmyeeg.dll
    C:\WINDOWS\system32\keaima.dll
    C:\Program Files\KB56920.exe
    C:\WINDOWS\system32\wx15508.dll
    C:\WINDOWS\SysNotifier.exe
    C:\WINDOWS\system32\ylehiotw.exe
    C:\WINDOWS\system32\hgGwWMcD.dll
    C:\Program Files\KB46036.exe
    C:\WINDOWS\kx61465.dll
    C:\WINDOWS\rodqgpvlstq.dll
    C:\WINDOWS\kx52023.dll
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\tfpapi.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d96a51ed-1a6f-4f24-b3d1-6a47ad82a2ad}
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the OTMoveIt2 link above is broken, please use this link instead..



Then please run ComboFix normally again..



Please post these logs on your next reply..

1. VirScan.org
2. OTMoveIt2
3. ComboFix
4. A fresh HijackThis log (after running ComboFix)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
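As an added example (not code from this thread or from OTMoveIt2's author), the script below reconciles an OTMoveIt2 move list like the one above against the MovedFiles log the tool writes, so that each requested path or registry key comes back as moved, not found, or missing from the log, which is the check a helper wants before declaring a cleanup complete. The file names are the ones from this thread; the log phrasings, the helper names (parse_script, reconcile, unresolved) and the inline sample list and log are my own constructions.

```python
# Reconcile an OTMoveIt2 move list against the MovedFiles log it writes.
# Added example; sample script and log lines are constructed, not captured.
import re
from typing import Dict, List, Tuple

# Constructed move list: bracketed directives, one path or registry key per
# line, and the bare EmptyTemp / purity commands, as in the post above.
SAMPLE_SCRIPT = r"""
[kill explorer]
C:\WINDOWS\system32\xqrmyeeg.dll
C:\WINDOWS\SysNotifier.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\tfpapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43}
EmptyTemp
purity
[start explorer]
"""

# Constructed log lines in the shape OTMoveIt2 writes (assumed phrasings).
SAMPLE_LOG = r"""
Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xqrmyeeg.dll
C:\WINDOWS\system32\xqrmyeeg.dll NOT unregistered.
C:\WINDOWS\system32\xqrmyeeg.dll moved successfully.
C:\WINDOWS\SysNotifier.exe moved successfully.
File/Folder C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\tfpapi.dll not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43}\\ not found.
Temp folders emptied.
Explorer started successfully
"""

COMMANDS = {"emptytemp", "purity"}  # bare commands, not move targets

# Log lines that settle a target's outcome.
OUTCOME_PATTERNS = [
    (re.compile(r"^(?P<p>.+) moved successfully\.$"), "moved"),
    (re.compile(r"^File/Folder (?P<p>.+) not found\.$"), "not found"),
    (re.compile(r"^Registry key (?P<p>.+?)\\* not found\.$"), "not found"),
]
# Log lines kept as notes; on their own they do not mean the move failed.
NOTE_PATTERNS = [
    (re.compile(r"^DllUnregisterServer procedure not found in (?P<p>.+)$"),
     "no DllUnregisterServer export"),
    (re.compile(r"^LoadLibrary failed for (?P<p>.+)$"), "LoadLibrary failed"),
    (re.compile(r"^(?P<p>.+) NOT unregistered\.$"), "not unregistered"),
]


def _norm(item: str) -> str:
    """Case-insensitive key; drop the trailing backslashes the log appends to keys."""
    return item.strip().rstrip("\\").lower()


def parse_script(text: str) -> List[str]:
    """Return the file paths and registry keys of a move list, in order."""
    targets = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or (line.startswith("[") and line.endswith("]")):
            continue  # blank line or a directive such as [kill explorer]
        if line.lower() not in COMMANDS:
            targets.append(line)
    return targets


def reconcile(script_text: str, log_text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Map every target to 'moved', 'not found' or 'no log entry', plus notes."""
    targets = parse_script(script_text)
    by_key = {_norm(t): t for t in targets}
    status = {t: "no log entry" for t in targets}
    notes: Dict[str, List[str]] = {t: [] for t in targets}
    for line in log_text.strip().splitlines():
        line = line.strip()
        for pattern, outcome in OUTCOME_PATTERNS:
            m = pattern.match(line)
            if m and _norm(m.group("p")) in by_key:
                status[by_key[_norm(m.group("p"))]] = outcome
                break
        else:  # no outcome line matched, so check for a note
            for pattern, note in NOTE_PATTERNS:
                m = pattern.match(line)
                if m and _norm(m.group("p")) in by_key:
                    notes[by_key[_norm(m.group("p"))]].append(note)
                    break
    return status, notes


def unresolved(script_text: str, log_text: str) -> List[str]:
    """Targets the log does not confirm as moved: these need a second look."""
    status, _ = reconcile(script_text, log_text)
    return [t for t, s in status.items() if s != "moved"]


if __name__ == "__main__":
    result, remarks = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    for target, outcome in result.items():
        extra = f"  ({'; '.join(remarks[target])})" if remarks[target] else ""
        print(f"{outcome:12} {target}{extra}")
```

Anything reported as not found or with no log entry is worth re-checking with a fresh scan, since a path that was already renamed or quarantined by an earlier tool shows up exactly this way.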


#9 Sharkky9

Sharkky9
  • Topic Starter

  • Members
  • 6 posts
  • Local time:10:48 AM

Posted 02 September 2008 - 07:46 PM

Alright, everything went as planned.
Here are the logs, in order.

1. Virscan.org log

Scanned time : 2008/09/02 17:13:07 (MST)
Scanner results: 33% Scanner(12/36) found malware!
File Name : avicodec.dll
File Size : 299008 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : d8fa54f0b61428f42b43aa40fb2972ac
SHA1 : 8505f1adc3c76def653af86a62b30d4da333b60d
Online report : http://virscan.org/report/4080bef4d3fca951...aa24aa07a7.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.09.01 2008-09-01 2.54 -
AhnLab V3 2008.09.03.00 2008.09.03 2008-09-03 0.88 -
AntiVir 7.8.1.23 7.0.6.106 2008-09-02 2.30 PHISH/FraudTool.XPShield.H
Arcavir 1.0.5 200809021207 2008-09-02 1.21 Riskware.Fraudtool.Xpshield.H
AVAST! 3.0.1 080902-0 2008-09-02 0.71 Win32:Trojan-gen {Other}
AVG 7.5.52.442 270.6.15/1648 2008-09-02 1.55 -
BitDefender 7.60825.1703748 7.20785 2008-09-03 3.25 -
CA (VET) 9.0.0.143 31.6.6064 2008-09-02 5.36 -
ClamAV 0.93.3 8142 2008-09-03 0.08 -
Comodo 2.11 2.0.0.635 2008-09-02 0.44 -
CP Secure 1.1.0.715 2008.09.01 2008-09-01 6.55 -
Dr.Web 4.44.0.9170 2008.09.02 2008-09-02 3.16 -
ewido 4.0.0.2 2008.09.03 2008-09-03 2.53 -
F-Prot 4.4.4.56 20080902 2008-09-02 0.99 Possible W32/Heuristic-KPP!Eldorado (not disinfectable)
F-Secure 5.51.6100 2008.09.03.02 2008-09-03 3.22 -
Fortinet 2.81-3.11 9.505 2008-09-02 1.79 -
ViRobot 20080902 2008.09.02 2008-09-02 0.40 -
Ikarus T3.1.01.34 2008.09.02.71384 2008-09-02 3.26 Trojan-Downloader.Win32.Renos.Z
JiangMin 11.0.706 2008.09.02 2008-09-02 1.20 -
Kaspersky 5.5.10 2008.09.02 2008-09-02 0.04 not-a-virus:FraudTool.Win32.XPShield.h
KingSoft 2008.1.14.15 2008.9.2.20 2008-09-02 0.61 -
McAfee 5.3.00 5374 2008-09-01 1.71 -
Microsoft 1.3903 2008.09.03 2008-09-03 3.99 TrojanDownloader:Win32/Renos.gen!Z
mks_vir 2.01 2008.08.25 2008-08-25 2.58 -
Norman 5.93.01 5.93.00 2008-09-02 5.00 -
Panda 9.05.01 2008.09.02 2008-09-02 2.04 Adware/XP-Shield
Trend Micro 8.700-1004 5.518.03 2008-09-02 0.03 TROJ_RENOS.AEZ
Quick Heal 9.50 2008.09.02 2008-09-02 1.68 FraudTool.XPShield.h (Not a Virus)
Rising 20.0 20.60.11.00 2008-09-02 0.75 -
Sophos 2.78.0 4.33 2008-09-03 1.67 -
Sunbelt 3.1.1582.1 2204 2008-08-25 0.40 XPShield
Symantec 1.3.0.24 20080902.016 2008-09-02 0.05 -
nProtect 2008-09-02.00 2039345 2008-09-02 3.69 -
The Hacker 6.3.0.6 v00070 2008-09-02 0.39 Aplicacion/XPShield.h (Unwanted)
VBA32 3.12.8.4 20080902.0610 2008-09-02 2.10 -
VirusBuster 4.5.11.10 10.86.3/623357 2008-09-02 0.96 -


2. OTMoveIt2 Log

Explorer killed successfully
C:\WINDOWS\system32\bycjxpsf.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xqrmyeeg.dll
C:\WINDOWS\system32\xqrmyeeg.dll NOT unregistered.
C:\WINDOWS\system32\xqrmyeeg.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\keaima.dll
C:\WINDOWS\system32\keaima.dll NOT unregistered.
C:\WINDOWS\system32\keaima.dll moved successfully.
C:\Program Files\KB56920.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\wx15508.dll
C:\WINDOWS\system32\wx15508.dll NOT unregistered.
C:\WINDOWS\system32\wx15508.dll moved successfully.
C:\WINDOWS\SysNotifier.exe moved successfully.
C:\WINDOWS\system32\ylehiotw.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hgGwWMcD.dll
C:\WINDOWS\system32\hgGwWMcD.dll NOT unregistered.
C:\WINDOWS\system32\hgGwWMcD.dll moved successfully.
C:\Program Files\KB46036.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\kx61465.dll
C:\WINDOWS\kx61465.dll NOT unregistered.
C:\WINDOWS\kx61465.dll moved successfully.
C:\WINDOWS\rodqgpvlstq.dll NOT unregistered.
C:\WINDOWS\rodqgpvlstq.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\kx52023.dll
C:\WINDOWS\kx52023.dll NOT unregistered.
C:\WINDOWS\kx52023.dll moved successfully.
File/Folder C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\tfpapi.dll not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d96a51ed-1a6f-4f24-b3d1-6a47ad82a2ad} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d96a51ed-1a6f-4f24-b3d1-6a47ad82a2ad}\\ not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\etilqs_Pe3XkLqhyoAQ43gSxpal scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\~DF3127.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFE96C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFEA79.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFEAA3.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\hsperfdata_Irene\3904 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09022008_171555

Files moved on Reboot...
File C:\DOCUME~1\Irene\LOCALS~1\Temp\etilqs_Pe3XkLqhyoAQ43gSxpal not found!
File C:\DOCUME~1\Irene\LOCALS~1\Temp\~DF3127.tmp not found!
C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFE96C.tmp moved successfully.
File C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFEA79.tmp not found!
File C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFEAA3.tmp not found!
File C:\DOCUME~1\Irene\LOCALS~1\Temp\hsperfdata_Irene\3904 not found!


3. ComboFix Log


Explorer killed successfully
C:\WINDOWS\system32\bycjxpsf.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xqrmyeeg.dll
C:\WINDOWS\system32\xqrmyeeg.dll NOT unregistered.
C:\WINDOWS\system32\xqrmyeeg.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\keaima.dll
C:\WINDOWS\system32\keaima.dll NOT unregistered.
C:\WINDOWS\system32\keaima.dll moved successfully.
C:\Program Files\KB56920.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\wx15508.dll
C:\WINDOWS\system32\wx15508.dll NOT unregistered.
C:\WINDOWS\system32\wx15508.dll moved successfully.
C:\WINDOWS\SysNotifier.exe moved successfully.
C:\WINDOWS\system32\ylehiotw.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hgGwWMcD.dll
C:\WINDOWS\system32\hgGwWMcD.dll NOT unregistered.
C:\WINDOWS\system32\hgGwWMcD.dll moved successfully.
C:\Program Files\KB46036.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\kx61465.dll
C:\WINDOWS\kx61465.dll NOT unregistered.
C:\WINDOWS\kx61465.dll moved successfully.
C:\WINDOWS\rodqgpvlstq.dll NOT unregistered.
C:\WINDOWS\rodqgpvlstq.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\kx52023.dll
C:\WINDOWS\kx52023.dll NOT unregistered.
C:\WINDOWS\kx52023.dll moved successfully.
File/Folder C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\tfpapi.dll not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3135BCF4-DC4F-4355-9981-253EB6F6CF43}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d96a51ed-1a6f-4f24-b3d1-6a47ad82a2ad} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d96a51ed-1a6f-4f24-b3d1-6a47ad82a2ad}\\ not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\etilqs_Pe3XkLqhyoAQ43gSxpal scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\~DF3127.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFE96C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFEA79.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFEAA3.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\hsperfdata_Irene\3904 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09022008_171555

Files moved on Reboot...
File C:\DOCUME~1\Irene\LOCALS~1\Temp\etilqs_Pe3XkLqhyoAQ43gSxpal not found!
File C:\DOCUME~1\Irene\LOCALS~1\Temp\~DF3127.tmp not found!
C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFE96C.tmp moved successfully.
File C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFEA79.tmp not found!
File C:\DOCUME~1\Irene\LOCALS~1\Temp\~DFEAA3.tmp not found!
File C:\DOCUME~1\Irene\LOCALS~1\Temp\hsperfdata_Irene\3904 not found!


4. HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:08, on 9/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Norton\Nav\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Norton\Nav\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HTTP://YAHOO.COM/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Norton\Nav\NavShExt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d8b8e25d] rundll32.exe "C:\WINDOWS\system32\aunrmksj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.usps.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122687138953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130184180171
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Norton\Nav\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Norton\Nav\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Norton\Nav\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9717 bytes






Thanks a lot!

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:48 AM

Posted 02 September 2008 - 10:52 PM

Hi,,, you posted OTMoveIt2 logs twice instead of ComboFix log :)


Ok.. Never mind.. Let's do this..


Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

1. Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
2. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll
C:\WINDOWS\system32\aunrmksj.dll
EmptyTemp
purity
[start explorer]

3. Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
4. Click the red Moveit! button.
5. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
6. Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the OTMoveIt2 link above is broken, please use this link instead..



NEXT


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [d8b8e25d] rundll32.exe "C:\WINDOWS\system32\aunrmksj.dll",b

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



NEXT


Please run ComboFix again.. Make sure you run it and post the correct log this time :thumbsup:


Please post these logs in your next reply..

1. OTMoveIt2
2. ComboFix
3. a fresh HijackThis log (after running ComboFix)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
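
A defender-side triage of the two indicators the instructions above act on (the O4 rundll32 entry with the random-looking value name, and avicodec.dll registered both as a BHO and as a Winlogon notification package), written as an added example for this thread; it is not a BleepingComputer, HijackThis, ComboFix or OTMoveIt2 script. The sample input is constructed from log lines posted in this thread, and the four rules are assumed heuristics that point a reviewer at entries worth checking, not tool behaviour or verdicts.

```python
"""Triage of HijackThis O4 lines and ComboFix 'Reg Loading Points' output.

Added example for this thread, not a BleepingComputer, HijackThis, ComboFix or
OTMoveIt2 script. The rules are assumptions: heuristics that point a reviewer
at entries worth a second look, not verdicts.
"""
import re

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [d8b8e25d] rundll32.exe "C:\WINDOWS\system32\aunrmksj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
"""

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]
2008-08-24 23:00 299008 --a------ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avicodec]
2008-08-24 23:00 299008 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
"""

# HijackThis O4 Run entries: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32 command line: optional quotes around the DLL path, then ",export"
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)$', re.I)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)
# ComboFix prints a registry key in brackets, then the file it points at
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\.*\.dll)\s*$', re.I)


def triage_o4(hjt_text):
    """Return (value name, command, reasons) for O4 entries that trip a rule."""
    findings = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        reasons = []
        # Rule 1: an 8-hex-digit value name is the auto-generated style seen here
        if HEX_NAME_RE.match(name):
            reasons.append('value name is 8 hex digits (looks auto-generated)')
        # Rule 2: rundll32 calling a one-letter export says nothing about what the DLL does
        r = RUNDLL_RE.match(cmd)
        if r and len(r.group('export')) <= 1:
            reasons.append('rundll32 loads %s via export "%s"' % (r.group('dll'), r.group('export')))
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


def parse_loading_points(combofix_text):
    """Map each bracketed registry key to the DLL path ComboFix lists under it."""
    entries, key = {}, None
    for line in combofix_text.splitlines():
        k = KEY_RE.match(line.strip())
        if k:
            key = k.group('key')
            continue
        p = PATH_RE.search(line) if key else None
        if p:
            entries[key] = p.group('path')
            key = None
    return entries


def triage_loading_points(entries):
    """Flag Winlogon notification packages that look out of place."""
    bho = {v.lower() for k, v in entries.items() if '\\browser helper objects\\' in k.lower()}
    findings = []
    for key, path in entries.items():
        if '\\winlogon\\notify\\' not in key.lower():
            continue
        low = path.lower()
        reasons = []
        # Rule 3: one DLL registered both as a BHO and as a Winlogon notify
        # package is two persistence points sharing one payload
        if low in bho:
            reasons.append('same DLL is also registered as a Browser Helper Object')
        # Rule 4: notify packages normally sit in system32 or a vendor's
        # Program Files directory; a .NET Framework folder is neither
        if '\\windows\\system32\\' not in low and '\\program files\\' not in low:
            reasons.append('notification package lives outside system32 and Program Files')
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == '__main__':
    for name, cmd, reasons in triage_o4(SAMPLE_HJT):
        print('O4 [%s] %s' % (name, cmd))
        for why in reasons:
            print('    - ' + why)
    for path, reasons in triage_loading_points(parse_loading_points(SAMPLE_COMBOFIX)):
        print('Winlogon notify: ' + path)
        for why in reasons:
            print('    - ' + why)
```

Run against the full logs, it flags only the [d8b8e25d] entry and avicodec.dll; Intel's LgNotify.dll passes because it sits under Program Files and is not doubled as a BHO.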


#11 Sharkky9

Sharkky9
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 03 September 2008 - 01:48 PM

Oh man, all those logs!
OK, I'll attempt to get it right this time.
In order:

OTMoveIt2

Explorer killed successfully
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll unregistered successfully.
File move failed. C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\aunrmksj.dll not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Irene\LOCALS~1\Temp\etilqs_AWBrd7Ji927wUlL72S89 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09032008_112231

Files moved on Reboot...
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll unregistered successfully.
File move failed. C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll scheduled to be moved on reboot.
File C:\DOCUME~1\Irene\LOCALS~1\Temp\etilqs_AWBrd7Ji927wUlL72S89 not found!



Combofix:


ComboFix 08-09-01.03 - Irene 2008-09-03 11:33:33.3 - NTFSx86
Running from: C:\Documents and Settings\Irene\Desktop\ComboFix.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-02 17:15 . 2008-09-02 17:15 <DIR> d-------- C:\_OTMoveIt
2008-09-01 08:24 . 2008-09-01 08:24 124,544 --a------ C:\WINDOWS\system32\igrqbogb.dll
2008-09-01 08:24 . 2008-09-01 08:24 124,544 --a------ C:\WINDOWS\system32\aluocs.dll
2008-08-27 15:55 . 2008-08-27 15:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 19:19 . 2008-08-25 19:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-25 19:19 . 2008-08-25 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-25 19:18 . 2008-08-25 19:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-25 19:16 . 2008-08-25 19:16 <DIR> d-------- C:\Program Files\SmartPopupBlocker
2008-08-23 15:27 . 2008-08-27 15:32 3,692 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-23 13:25 . 2008-08-23 13:25 <DIR> d-------- C:\Program Files\AVG
2008-08-23 12:42 . 2008-08-23 12:42 <DIR> d-------- C:\Program Files\Vuze
2008-08-23 12:42 . 2008-08-23 12:42 <DIR> d-------- C:\Program Files\AskSBar
2008-08-23 12:42 . 2008-08-23 14:55 <DIR> d-------- C:\Documents and Settings\Irene\Application Data\Azureus
2008-08-23 12:42 . 2008-08-23 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-08-22 16:07 . 2008-08-22 16:48 <DIR> d-------- C:\Documents and Settings\Irene\Application Data\Apple Computer
2008-08-22 16:06 . 2008-08-22 16:06 <DIR> d-------- C:\Program Files\iTunes
2008-08-22 16:06 . 2008-08-22 16:06 <DIR> d-------- C:\Program Files\iPod
2008-08-22 16:06 . 2008-08-22 16:06 <DIR> d-------- C:\Program Files\Bonjour
2008-08-22 16:05 . 2008-08-22 16:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-22 16:05 . 2008-08-22 16:05 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-22 16:05 . 2008-08-22 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-22 16:05 . 2008-07-22 20:32 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-08-22 16:04 . 2008-08-22 16:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-22 16:04 . 2008-08-22 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-22 16:02 . 2008-04-13 17:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-22 16:02 . 2008-04-13 11:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-22 16:02 . 2008-04-13 11:45 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-22 16:02 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-20 09:09 . 2008-08-20 09:27 40 --a------ C:\WINDOWS\opt_1440.ini
2008-08-20 09:09 . 2008-08-20 09:09 0 --a------ C:\WINDOWS\Brohl144.ini
2008-08-20 09:06 . 2002-02-22 19:43 139,264 --a------ C:\WINDOWS\brunin144.dll
2008-08-20 09:06 . 2008-08-20 10:17 11,568 --a------ C:\WINDOWS\HL-1440.INI
2008-08-16 19:08 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-16 19:07 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-11 11:41 . 2008-08-11 11:41 <DIR> d-------- C:\Documents and Settings\Irene\Application Data\Arcsoft
2008-08-11 11:26 . 2008-08-11 11:26 <DIR> d-------- C:\Documents and Settings\Irene\Application Data\SupportSoft
2008-08-11 10:46 . 2008-08-11 10:46 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-08-11 10:46 . 2008-08-11 10:46 <DIR> d-------- C:\Program Files\chatsupport.palm.com
2008-08-07 05:20 . 2008-08-07 05:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 13:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 19:59 --------- d-----w C:\Documents and Settings\Irene\Application Data\Webroot
2008-08-26 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-26 02:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-23 20:32 --------- d-----w C:\Program Files\Stanford GSB Alumni Toolbar
2008-08-23 19:11 --------- d-----w C:\Program Files\Brownie
2008-08-22 23:06 --------- d-----w C:\Program Files\QuickTime
2008-08-20 16:26 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 16:06 --------- d-----w C:\Program Files\Brother
2008-08-14 15:10 --------- d-----w C:\Program Files\Java
2008-08-11 17:25 --------- d-----w C:\Program Files\palmOne
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 17:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-31_14.57.52.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-19 05:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-19 05:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]
2008-08-24 23:00 299008 --a------ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 344064]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-27 59040]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-20 100056]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2005-05-26 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2005-05-26 868352]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

C:\Documents and Settings\Irene\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-04-13 299008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avicodec]
2008-08-24 23:00 299008 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 12:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mjpg"= mcmjpg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 05:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 14:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 05:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-18 10:55 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 07:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 08:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-05-09 06:25 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2005-05-26 06:05 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 15:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-06 23:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 6097]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 46112]
R2 tgsrvc_chatsupport.palm.com;SupportSoft Repair Service (chatsupport.palm.com);C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe [2008-05-21 148768]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [ ]
S3 CH341SER;CH341SER;C:\WINDOWS\system32\Drivers\CH341SER.SYS [2006-06-05 35824]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 299923]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Irene\Application Data\Mozilla\Firefox\Profiles\esqxwlpp.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 11:37:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll
.
Completion time: 2008-09-03 11:39:50
ComboFix-quarantined-files.txt 2008-09-03 18:39:41
ComboFix2.txt 2008-09-03 00:41:11
ComboFix3.txt 2008-08-31 22:01:56

Pre-Run: 19,292,348,416 bytes free
Post-Run: 19,276,406,784 bytes free

209 --- E O F --- 2008-08-20 16:26:27


And finally, HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:04, on 9/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Norton\Nav\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Norton\Nav\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HTTP://YAHOO.COM/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Norton\Nav\NavShExt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.usps.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122687138953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130184180171
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Norton\Nav\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Norton\Nav\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Norton\Nav\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9664 bytes




Thanks again!
Also, as of the last step taken, I no longer perceive any noticeable symptoms of malware infection in the operation of the computer in question.
Thank you very much for all of your help.

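The HijackThis log above is read by eye in this thread. As an added example (not code from the thread, from HijackThis or from its author), here is a small Python parser that splits the R/F/O entries into section, CLSID and executable path and attaches the checks a helper applies while reading: orphaned "(file missing)" entries, O15 trusted-zone additions, toolbars and BHOs (O2/O3), ActiveX downloads (O16) from third-party hosts, and executables that live outside Program Files or Windows. The sample lines are copied from the log above; the trusted-root and trusted-host lists are assumptions made for this machine, not HijackThis settings.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HTTP://YAHOO.COM/
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Norton\Nav\navapsvc.exe
"""

# Every HijackThis entry is "<section> - <body>"; sections are R0-R3, F0-F3, O1-O24.
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path ending in an executable module, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]+?\.(?:exe|dll|ocx|cpl|sys))\b', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Assumption for this machine: where legitimately installed software lives (8.3 form included).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Assumption: hosts from which an O16 ActiveX download (DPF) is expected here.
TRUSTED_DPF_HOSTS = ("microsoft.com", "symantec.com")


@dataclass
class Entry:
    kind: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def _host_in(host: str, domains) -> bool:
    # Exact or subdomain match only; "evilmicrosoft.com" must not pass.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(entry: Entry) -> List[str]:
    """Return the review notes a helper would attach to one entry."""
    flags = []
    if "(file missing)" in entry.body:
        flags.append("file missing: orphaned entry, fix it")
    if entry.kind == "O15":
        flags.append("trusted zone: site escapes Internet-zone restrictions, confirm it was added on purpose")
    if entry.kind in ("O2", "O3"):
        flags.append("browser add-on (BHO/toolbar): confirm it is wanted")
    if entry.kind == "O16":
        m = HOST_RE.search(entry.body)
        if m and not _host_in(m.group(1), TRUSTED_DPF_HOSTS):
            flags.append(f"ActiveX control downloaded from {m.group(1)}: third-party, verify")
    if entry.path and not entry.path.lower().startswith(TRUSTED_ROOTS):
        flags.append("runs from outside Program Files/Windows: verify the file and its publisher")
    return flags


def parse_log(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, "End of file" line
        e = Entry(m.group("kind"), m.group("body"))
        c = CLSID_RE.search(e.body)
        p = PATH_RE.search(e.body)
        e.clsid = c.group(0).upper() if c else None
        e.path = p.group(1) if p else None
        e.flags = analyse(e)
        entries.append(e)
    return entries


def flagged(text: str) -> List[Entry]:
    """Only the entries that deserve a second look."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.kind, e.path or e.body[:60])
        for f in e.flags:
            print("   -", f)
```

On the sample above this flags four lines: the Ask toolbar (O3), the dead MUSICMATCH button (O9), the windowsupdate.com trusted-zone entry (O15), and the Norton service because it runs from C:\Norton rather than Program Files; the last one is benign here, which is the point of the flags: they pick out what to check by hand, they do not decide for you.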
#12 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:01:48 AM

Posted 03 September 2008 - 10:26 PM

That's great to hear. However, your log is not clean yet. You got reinfected on the 1st of September (morning). Did you download or surf anything during that time?

Let's do this.


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\igrqbogb.dll
C:\WINDOWS\system32\aluocs.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

Folder::
C:\Program Files\AskSBar

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
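As an added example (not code from the post, and not part of ComboFix), a Python parser for the CFScript format shown in step 2 above: it splits the directives (KillAll::, File::, Folder::, Registry::) into sections, turns them into an ordered action list, and runs the sanity checks worth making before dragging the file onto ComboFix.exe: every File::/Folder:: entry is an absolute path and not a system directory, and every Registry:: entry is a [KEY] or [-KEY] under a real hive rather than a whole hive. The sample script is the one posted above. The directive set, the protected-directory list and the action names are assumptions of this example (ComboFix accepts further directives this code simply reports as unhandled), and the "~" in the registry key is carried through as an opaque path element.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the CFScript from the post above, verbatim.
SAMPLE_SCRIPT = r"""
KillAll::

File::
C:\WINDOWS\system32\igrqbogb.dll
C:\WINDOWS\system32\aluocs.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\avicodec.dll

Folder::
C:\Program Files\AskSBar

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]
"""

# Assumption: only the four directives used in the post are modelled; ComboFix
# understands more, and anything else is reported rather than interpreted.
KNOWN_DIRECTIVES = {"KillAll", "File", "Folder", "Registry"}
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS",
         "HKLM", "HKCU", "HKCR", "HKU"}
# Assumption: directories a removal script must never delete wholesale.
PROTECTED_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\program files"}
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# "[KEY]" or "[-KEY]"; the leading "-" means delete the key, as in .reg files.
REG_ENTRY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [entries]} in file order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def validate(sections: Dict[str, List[str]]) -> List[str]:
    """Sanity checks worth running before the script is handed to ComboFix."""
    problems = []
    for path in sections.get("File", []) + sections.get("Folder", []):
        if not ABS_PATH_RE.match(path):
            problems.append(f"not an absolute path: {path}")
        elif path.lower().rstrip("\\") in PROTECTED_DIRS:
            problems.append(f"would delete a system directory: {path}")
    for key in sections.get("Registry", []):
        m = REG_ENTRY_RE.match(key)
        if not m:
            problems.append(f"registry entry must look like [KEY] or [-KEY]: {key}")
            continue
        parts = m.group(2).split("\\")  # "~" is kept as an opaque path element
        if parts[0] not in HIVES:
            problems.append(f"unknown registry hive: {key}")
        elif m.group(1) == "-" and len(parts) < 3:
            problems.append(f"deleting a hive or top-level key is never intended: {key}")
    for d in sections:
        if d not in KNOWN_DIRECTIVES:
            problems.append(f"directive not covered by this validator: {d}::")
    return problems


def plan(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """The actions the script asks for, in script order (KillAll:: first)."""
    actions: List[Tuple[str, str]] = []
    if "KillAll" in sections:
        actions.append(("kill_all_processes", ""))
    actions += [("delete_file", p) for p in sections.get("File", [])]
    actions += [("delete_folder", p) for p in sections.get("Folder", [])]
    for key in sections.get("Registry", []):
        m = REG_ENTRY_RE.match(key)
        if m:
            # "[KEY]" without "-" edits values under the key; not modelled beyond naming it.
            actions.append(("delete_key" if m.group(1) == "-" else "edit_key", m.group(2)))
    return actions


if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_SCRIPT)
    print("problems:", validate(s) or "none")
    for action, target in plan(s):
        print(f"{action:20} {target}")
```

For the posted script the validator reports no problems and the plan is six actions: kill processes, three file deletions, one folder deletion and one key deletion. A script that listed C:\WINDOWS\ under Folder:: or [-HKLM\SOFTWARE] under Registry:: would be stopped here rather than on the victim's machine.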


#13 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:01:48 AM

Posted 08 September 2008 - 11:45 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.

