Hijackthis and ComboFix



#1 crazyme

Posted 15 October 2008 - 10:05 PM

Hi all, I had rebooted my PC and Spybot TeaTimer stated the following message:

10/15/2008 10:07:12 PM Encountered and terminated CoolWWWSearch.Feat2Installer in E:\WINDOWS\system32\LEXBCES.EXE!

So I ran Spybot and it didn't find anything. I then ran SUPERAntiSpyware and it found something, but it wasn't related to the CoolWWWSearch. So I checked my HijackThis log on their website and I didn't see anything out of the ordinary. So then I ran ComboFix, since I saw another forum that had said it would remove any CoolWWWSearch variants, and here are the logs below. I posted both the ComboFix and HijackThis log files. Also, ComboFix took a while after it rebooted to make the log file. I saw some weird file names running in the background while this was going on. They are not running anymore. One last thing is that Spybot started asking me some weird stuff and it was asking me to delete some entries and whatnot. I said no to most of it since I wasn't sure as to what they were. This is what it said:
2008-10-15 22:45:12 Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
2008-10-15 22:45:37 Denied (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") added in Browser page!
2008-10-15 22:45:42 Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") added in Browser page!
2008-10-15 22:45:45 Denied (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") added in Browser page!
2008-10-15 22:45:49 Denied (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
2008-10-15 22:45:54 Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
2008-10-15 22:46:26 Denied (based on user decision) value "UserInit" (new data: "E:\WINDOWS\system32\userinit.exe,") changed in Winlogon!


Your help is appreciated. Thanks!

ComboFix 08-10-15.05 - D 2008-10-15 22:32:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -4:00]
Running from: E:\Documents and Settings\D\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\smbols~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ E:\Program Files\x73_lut.dat
2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ E:\Program Files\ACMonitor_X73.exe
2008-10-06 21:53 . 2008-10-06 21:53 <DIR> d-------- E:\Program Files\Viewpoint
2008-10-06 21:53 . 2008-10-06 21:53 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\acccore
2008-10-06 21:52 . 2008-10-06 21:53 <DIR> d-------- E:\Program Files\AIM6
2008-10-04 15:14 . 2008-10-04 15:14 54,156 --ah----- E:\WINDOWS\QTFont.qfn
2008-10-04 15:14 . 2008-10-04 15:14 1,409 --a------ E:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 02:38 --------- d-----w E:\Program Files\PeerGuardian2
2008-10-16 02:12 --------- d-----w E:\Program Files\LexmarkX73
2008-10-16 02:06 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-10-16 02:03 --------- d-----w E:\Documents and Settings\D\Application Data\Azureus
2008-10-16 01:23 --------- d-----w E:\Program Files\SUPERAntiSpyware
2008-10-15 22:47 --------- d-----w E:\Program Files\Record
2008-10-14 23:45 --------- d-----w E:\Documents and Settings\D\Application Data\Move Networks
2008-10-07 01:54 --------- d-----w E:\Documents and Settings\All Users\Application Data\AOL OCP
2008-10-07 01:53 --------- d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-07 01:52 --------- d-----w E:\Program Files\Common Files\AOL
2008-09-29 23:36 --------- d-----w E:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-15 23:42 --------- d-----w E:\Program Files\ConvertHelper
2008-09-15 11:57 1,846,016 ----a-w E:\WINDOWS\system32\win32k.sys
2008-09-10 22:34 --------- d-----w E:\Program Files\McAfee
2008-09-02 21:25 --------- d-----w E:\Documents and Settings\D\Application Data\SiteAdvisor
2008-09-01 04:55 --------- d-----w E:\Documents and Settings\D\Application Data\SUPERAntiSpyware.com
2008-09-01 04:55 --------- d-----w E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-01 04:54 --------- d-----w E:\Program Files\Common Files\Wise Installation Wizard
2008-09-01 04:53 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-09-01 04:53 --------- d-----w E:\Program Files\SpywareBlaster
2008-08-28 10:04 333,056 ----a-w E:\WINDOWS\system32\drivers\srv.sys
2008-08-27 22:54 --------- d-----w E:\Documents and Settings\LocalService\Application Data\SACore
2008-08-27 22:53 --------- d-----w E:\Program Files\Common Files\McAfee
2008-08-27 22:53 --------- d-----w E:\Documents and Settings\All Users\Application Data\McAfee
2008-08-27 02:16 --------- d-----w E:\Documents and Settings\D\Application Data\vlc
2008-08-26 07:24 826,368 ----a-w E:\WINDOWS\system32\wininet.dll
2008-08-16 16:13 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 10:00 2,180,352 ----a-w E:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w E:\WINDOWS\system32\ntkrnlpa.exe
2008-07-19 02:10 94,920 ----a-w E:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w E:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w E:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w E:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w E:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w E:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w E:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w E:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w E:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w E:\WINDOWS\system32\muweb.dll
2008-01-07 00:05 425 ----a-w E:\Program Files\Common Files\AnswerWorks 5.0
2008-01-04 21:48 256 ----a-w E:\Documents and Settings\D\pool.bin
2006-08-06 12:44 72 ----a-w E:\Program Files\becvapgc.txt
2005-05-30 20:05 6,030 ----a-w E:\Program Files\DeIsL1.isu
2004-05-12 23:56 54,784 ----a-w E:\Program Files\Asmi8705.dll
2004-05-10 15:15 58,880 ----a-w E:\Program Files\Asmi697h.dll
2004-04-15 21:31 84,992 ----a-w E:\Program Files\coDmi.dll
2004-04-15 20:58 57,344 ----a-w E:\Program Files\AsmiEHFA.dll
2004-04-08 18:02 58,880 ----a-w E:\Program Files\AsmiTHFA.dll
2004-04-02 19:34 37,888 ----a-w E:\Program Files\AsmiEnum.dll
2004-03-16 20:17 28,160 ----a-w E:\Program Files\AsmiSpch.dll
2003-12-09 22:25 35,328 ----a-w E:\Program Files\AsGetDmi.dll
2003-12-01 20:23 54,784 ----a-w E:\Program Files\Asmi8712.dll
2003-11-28 15:53 59,392 ----a-w E:\Program Files\Asmi627h.dll
2003-11-11 21:48 683 ----a-w E:\Program Files\AsusPb.ini
2003-09-23 15:44 535,040 ----a-w E:\Program Files\COLM7578.DLL
2003-07-16 23:28 62,976 ----a-w E:\Program Files\AsmiAsus.dll
2003-07-15 14:42 56,832 ----a-w E:\Program Files\Asmi366.dll
2003-05-29 02:06 59,904 ----a-w E:\Program Files\AsmiM192.dll
2003-05-29 00:25 31,232 ----a-w E:\Program Files\AsmiIntl.dll
2003-05-13 19:40 31,232 ----a-w E:\Program Files\AsmiHwIo.dll
2003-04-18 00:36 29,184 ----a-w E:\Program Files\AsmiNvi2.dll
2003-03-25 17:45 37,888 ----a-w E:\Program Files\ASMIDMI.DLL
2002-12-06 20:07 617,984 ----a-w E:\Program Files\AsusProb.exe
2002-11-28 00:52 29,696 ----a-w E:\Program Files\AsmiVia.dll
2002-09-11 20:38 52,224 ----a-w E:\Program Files\ASUS.DLL
2002-07-23 00:57 53,760 ----a-w E:\Program Files\AsmiAspm.dll
2001-11-19 19:55 31,232 ----a-w E:\Program Files\ASMISIS.DLL
2001-11-14 15:28 29,184 ----a-w E:\Program Files\AsmiIntO.dll
2001-10-12 19:35 29,184 ----a-w E:\Program Files\AsmiAmd.dll
2001-09-26 15:26 29,184 ----a-w E:\Program Files\AsmiNvid.dll
2001-09-10 15:28 90,624 ----a-w E:\Program Files\CODISK.DLL
2001-08-30 19:19 54,272 ----a-w E:\Program Files\Asmi630E.dll
2001-08-16 19:30 31,232 ----a-w E:\Program Files\ASMIALI.DLL
2001-07-26 20:58 47 ----a-w E:\Program Files\ACMonitor_X73.ini
2001-07-05 16:46 8,116 ----a-w E:\Program Files\OSLO3071b2.USB
2001-05-08 20:36 114,688 ----a-w E:\Program Files\lxarscan.dll
2001-04-23 18:22 1,437 ----a-w E:\Program Files\gtx73.ini
2001-01-04 18:56 55,296 ----a-w E:\Program Files\Asmi686A.dll
2000-10-03 18:20 27,648 ----a-w E:\Program Files\ASMICTRL.DLL
2000-09-08 01:17 54,784 ----a-w E:\Program Files\Asmi5953.dll
2000-06-14 22:28 31,232 ----a-w E:\Program Files\ASMIAHD.DLL
2000-05-19 01:02 55,808 ----a-w E:\Program Files\ASMILM78.DLL
1999-11-22 22:24 15,872 ----a-w E:\Program Files\RECHI.DLL
1999-11-22 22:23 18,944 ----a-w E:\Program Files\REENG.DLL
1999-08-21 15:29 118,784 ----a-w E:\Program Files\Cooling.exe
1999-08-21 15:21 7,869 ----a-w E:\Program Files\IDLEHLT.VXD
1999-05-12 15:56 55,808 ----a-w E:\Program Files\ASMI5952.DLL
1999-04-28 00:15 16,896 ----a-w E:\Program Files\COLMICO.DLL
1999-03-05 13:53 57,344 ----a-w E:\Program Files\ASMI5951.DLL
1999-03-05 13:49 57,344 ----a-w E:\Program Files\ASMI782D.DLL
1999-03-05 13:48 55,808 ----a-w E:\Program Files\ASMI781D.DLL
1999-01-14 14:47 33,280 ----a-w E:\Program Files\ASUSAHD.DLL
1998-11-20 06:57 18,944 ----a-w E:\Program Files\DISKICO.DLL
1998-10-27 21:06 28,160 ----a-w E:\Program Files\ICON.DLL
1998-10-20 08:18 21,504 ----a-w E:\Program Files\PROBUNIS.DLL
1998-10-12 17:08 1,394 ----a-w E:\Program Files\ASUS.AHD
1998-09-22 14:00 18,944 ----a-w E:\Program Files\RESOURCE.DLL
1998-09-19 10:46 16,896 ----a-w E:\Program Files\MAINICON.DLL
1998-08-20 06:42 99,840 ----a-w E:\Program Files\STRTC.DLL
1998-08-20 06:42 9,216 ----a-w E:\Program Files\STRENG.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"!1_ProcessGuard_Startup"="E:\Program Files\ProcessGuard\procguard.exe" [2006-08-09 269332]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="E:\PROGRA~1\Sygate\SPF\smc.exe" [2003-10-21 2334792]
"DeadAIM"="E:\PROGRA~1\AIM\\DeadAIM.ocm" [2003-03-03 144896]
"NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ASUS Probe"="e:\program files\AsusProb.exe" [2002-12-06 617984]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2005-06-19 98304]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"MSConfig"="E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"!1_pgaccount"="E:\Program Files\ProcessGuard\pgaccount.exe" [2006-08-09 120832]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 E:\WINDOWS\SOUNDMAN.EXE]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "E:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=E:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=E:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=E:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=E:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
backup=E:\WINDOWS\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^D^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=E:\Documents and Settings\D\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=E:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 E:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-10-15 21:23 1576176 E:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\AIM\\aim.exe"=
"E:\\Documents and Settings\\D\\Desktop\\Flash.FXP_2.1.Build.924\\FlashFXP.exe"=
"E:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"E:\\Documents and Settings\\D\\Desktop\\Downloads\\Qwix101\\Qwix.exe"=
"E:\\Program Files\\g3torrent\\g3torrent.exe"=
"E:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"E:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\Program Files\\DC++\\DCPlusPlus.exe"=
"E:\\Program Files\\Bluetack\\Blocklist Manager\\BlockMgr.exe"=
"E:\\Program Files\\Azureus\\Azureus.exe"=
"E:\\Documents and Settings\\D\\Desktop\\Charon\\Charon.exe"=
"E:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\StubInstaller.exe"=
"C:\\Documents and Settings\\User\\Desktop\\Downloads\\Qwix101\\Qwix.exe"=
"D:\\Documents and Settings\\Dill\\Desktop\\Downloads\\Qwix101\\Qwix.exe"=
"E:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"E:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"E:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\mIRC\\mirc.exe"=
"E:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"D:\\Excursion9.5\\mIRC.ExCurSioN.exe"=
"E:\\Program Files\\AIM6\\aim6.exe"=

R0 d344bus;d344bus;E:\WINDOWS\system32\DRIVERS\d344bus.sys [2003-12-27 137216]
R0 d344prt;d344prt;E:\WINDOWS\system32\Drivers\d344prt.sys [2003-12-27 5248]
R1 aswSP;avast! Self Protection;E:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;E:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 DCSPGSRV;DiamondCS ProcessGuard Service v3.410;E:\Program Files\ProcessGuard\dcsuserprot.exe [2006-08-10 31744]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;E:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-09-08 198944]
R2 procguard;procguard;E:\WINDOWS\system32\drivers\procguard.sys [2006-08-09 26688]
R2 Viewpoint Manager Service;Viewpoint Manager Service;E:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 USBZC0301;USB Web Camera;E:\WINDOWS\system32\Drivers\usbcam.sys [2002-04-24 111272]
S3 UltraMonMirror;UltraMonMirror;E:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [ ]
S3 USB28xxBGA;PCTV 330e/8x0e Device;E:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-08-07 476288]
S3 USB28xxOEM;USB 28xx OEM Filter;E:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-08-07 38656]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2d21cb0-a844-11dc-90d4-00e07dce26b5}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 E:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- E:\Documents and Settings\D\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []

2008-10-14 E:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-PrinTray - E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM-Run-<NO NAME> - (no file)
MSConfigStartUp-Acrobat Assistant 8 - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-ares - E:\Program Files\Ares Lite Edition\Ares.exe
MSConfigStartUp-ccApp - E:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-E06AXLRD_-1331953546 - E:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE
MSConfigStartUp-E06AXLRD_701703437 - E:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE
MSConfigStartUp-Google Update - E:\Documents and Settings\D\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-Yahoo! Pager - E:\Program Files\Yahoo!\Messenger\ypager.exe
MSConfigStartUp-Zone Labs Client - E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\D\Application Data\Mozilla\Firefox\Profiles\osas254s.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - espn.com
FF -: plugin - E:\Documents and Settings\D\Application Data\Mozilla\Firefox\Profiles\osas254s.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - E:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - E:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - E:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - E:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - E:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - E:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 22:40:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
!1_pgaccount = "E:\Program Files\ProcessGuard\pgaccount.exe"???? ?????? ? ????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\Explorer.EXE
-> E:\DOCUME~1\D\LOCALS~1\Temp\catchme.dll
-> E:\Program Files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Sygate\SPF\Smc.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\system32\taskmgr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2008-10-15 22:54:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-16 02:53:42
ComboFix2.txt 2006-08-10 20:32:47

Pre-Run: 2,363,686,912 bytes free
Post-Run: 2,469,134,336 bytes free

291 --- E O F --- 2008-10-15 22:14:49

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:02:36 PM, on 10/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\ProcessGuard\pgaccount.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\ProcessGuard\procguard.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\ProcessGuard\dcsuserprot.exe
E:\Program Files\McAfee\SiteAdvisor\McSACore.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\WINDOWS\system32\notepad.exe
E:\Documents and Settings\D\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - e:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - e:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ASUS Probe] e:\program files\AsusProb.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!1_pgaccount] "E:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "E:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - https://learning.wachovia.com//wb_content/a...gin/awswaxf.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154886465015
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - e:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DiamondCS ProcessGuard Service v3.410 (DCSPGSRV) - DiamondCS - E:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - E:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7442 bytes

#2 dc3

Posted 15 October 2008 - 10:15 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

I will have a moderator close this topic.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
