
topCON's sick laptop


  • This topic is locked
8 replies to this topic

#1 topCON

topCON

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 18 October 2008 - 04:01 PM

OK,

This all started immediately after finishing an online purchase with my debit card through PayPal. As soon as the purchase was done, a window popped up from bizrate.com wanting me to do an online purchase survey and get a $100 rebate. I figured it was from the website I had just purchased from, so I started filling it out. After getting 6 pages into the survey, when it was wanting me to buy stuff to qualify for the "free survey", I figured it was a scam, so I closed the window. Immediately after that my computer shut down and restarted all by itself. Then I started seeing a small red button with a white "X" in the task bar with the message "Windows has detected spyware infection!" blah blah blah. I knew better than to click on that, so I tried to go to Task Manager and see where this was coming from, but I found "Task Manager has been disabled by the Administrator". So I googled that and found how to go into regedit and turn my Task Manager back on. After that I found "brastk.exe" running; I shut it down and the Windows message went away.

I've read the "Preparation Guide For Use Before Posting a HijackThis Log", but I have another problem. I can't get my antivirus (AVG Free) or Spybot S&D or Ad-Aware or anything to scan my system. Every time I start a scan my CPU goes straight to 100% for a few seconds, then the laptop shuts down, and yes, I've tried in safe mode also with the same result. The one thing I've got to run a scan and actually remove what it found was XoftSpySE v4.33. I also went into msconfig and changed my startup programs to keep all the extra crap from starting on startup, and now brastk doesn't start, but I don't know if it's still there or not. The little red circle with the white "X" doesn't show up now and the message is gone, but I'm scared that something is still wrong since I can't get anything to scan now without locking up; I never had that problem before this either.

ANYHOW... here's my log, and this is my first time using HijackThis.... THANKS IN ADVANCE!!


Oh yeah, I'm using a Compaq Presario 2100 laptop with an AMD Athlon XP-M 2800+ 2.12 GHz and 448 MB RAM and Windows XP Pro SP2; anything else you need to know I'll find out. I should also add that I am limited to a dialup connection when at home.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:26 PM, on 10/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bloomington.craigslist.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bloomington.craigslist.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bloomington.craigslist.org/
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B808BFDF-04A5-4A7A-A0EA-D871C291A72D}: NameServer = 67.211.172.29 67.211.172.30
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: infowebapl - {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\infowebapl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe

--
End of file - 4212 bytes



__________________________________________________________________
HERE IS THE RSIT LOG ALSO...
--------------------------------------------------------------------------------------------


Logfile of random's system information tool 1.04 (written by random/random)
Run by marlon at 2008-10-18 18:25:37
Microsoft Windows XP Professional Service Pack 2
System drive C: has 4 GB (12%) free of 38 GB
Total RAM: 446 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:45 PM, on 10/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\marlon\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\marlon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bloomington.craigslist.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bloomington.craigslist.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bloomington.craigslist.org/
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B808BFDF-04A5-4A7A-A0EA-D871C291A72D}: NameServer = 67.211.172.29 67.211.172.30
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: infowebapl - {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\infowebapl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe

--
End of file - 4305 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\ErrorSmart Scheduled Scan.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-05-15 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
C:\WINDOWS\system32\brastk.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoActCom]
C:\WINDOWS\system32\uvchyhaj.exe [2008-10-14 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe [2008-02-20 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVCHOST.EXE]
C:\WINDOWS\system32\drivers\svchost.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTTray.exe [2007-04-01 568176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G Wireless Utility.lnk]
C:\PROGRA~1\D-Link\AIRPLU~1\AirPlus.exe [2004-04-06 372736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Netscape Connect Tray Icon.lnk]
C:\PROGRA~1\WMCONN~2\wmtray.exe [2006-02-10 38576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^marlon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
C:\PROGRA~1\MICROS~2\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2006-02-28 239616]
infowebapl - {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\infowebapl.dll [2008-10-14 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 3 months======

2008-10-18 18:25:37 ----D---- C:\rsit
2008-10-18 16:15:03 ----D---- C:\Program Files\Trend Micro
2008-10-17 13:06:23 ----D---- C:\Program Files\Lavasoft
2008-10-17 13:06:23 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-17 13:05:54 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-17 11:30:29 ----D---- C:\Documents and Settings\All Users\Application Data\Avg7
2008-10-17 11:01:58 ----D---- C:\Documents and Settings\marlon\Application Data\BitTorrent
2008-10-17 11:01:46 ----D---- C:\Program Files\DNA
2008-10-17 11:01:46 ----D---- C:\Program Files\BitTorrent
2008-10-17 11:01:46 ----D---- C:\Documents and Settings\marlon\Application Data\DNA
2008-10-16 23:56:28 ----D---- C:\Program Files\XoftSpySE
2008-10-15 19:08:10 ----D---- C:\6c53c4f98667afa7c273678b8b
2008-10-15 18:50:51 ----D---- C:\993e57243754d45807af
2008-10-15 15:26:50 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-10-14 15:17:46 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-14 15:17:46 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-14 10:43:25 ----A---- C:\WINDOWS\system32\wini104552663.exe
2008-10-14 00:32:40 ----D---- C:\Documents and Settings\All Users\Application Data\abglelgl
2008-10-14 00:31:52 ----D---- C:\Program Files\qsgjurf
2008-10-14 00:31:39 ----D---- C:\WINDOWS\mslagent
2008-10-14 00:31:39 ----A---- C:\WINDOWS\system32\dpcproxy.exe
2008-10-14 00:30:43 ----A---- C:\WINDOWS\system32\uvchyhaj.exe
2008-09-14 10:56:20 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-14 10:56:20 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-14 10:56:20 ----A---- C:\WINDOWS\system32\java.exe
2008-08-02 15:00:52 ----D---- C:\Program Files\Autodesk

======List of files/folders modified in the last 3 months======

2008-10-18 18:25:38 ----D---- C:\WINDOWS\Prefetch
2008-10-18 18:06:09 ----D---- C:\Program Files\Mozilla Firefox
2008-10-18 18:05:33 ----D---- C:\Program Files\mIRC
2008-10-18 18:05:10 ----A---- C:\WINDOWS\ModemLog_Conexant 56K ACLink Modem.txt
2008-10-18 16:15:03 ----RD---- C:\Program Files
2008-10-18 09:27:09 ----D---- C:\WINDOWS\Temp
2008-10-18 01:28:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-17 20:31:36 ----D---- C:\Documents and Settings\marlon\Application Data\U3
2008-10-17 15:27:10 ----D---- C:\WINDOWS\system32
2008-10-17 15:27:09 ----D---- C:\WINDOWS
2008-10-17 15:11:07 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-17 13:27:00 ----SHD---- C:\WINDOWS\Installer
2008-10-17 13:06:23 ----D---- C:\WINDOWS\system32\drivers
2008-10-17 13:05:54 ----D---- C:\Program Files\Common Files
2008-10-17 11:39:50 ----SD---- C:\WINDOWS\Tasks
2008-10-17 11:30:21 ----SD---- C:\Documents and Settings\marlon\Application Data\Microsoft
2008-10-17 11:30:19 ----D---- C:\WINDOWS\system
2008-10-15 19:58:11 ----SH---- C:\boot.ini
2008-10-15 19:58:11 ----A---- C:\WINDOWS\win.ini
2008-10-15 19:58:11 ----A---- C:\WINDOWS\system.ini
2008-10-15 19:58:10 ----D---- C:\WINDOWS\pss
2008-10-15 19:10:02 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-15 15:45:44 ----D---- C:\WINDOWS\security
2008-10-14 19:44:49 ----SHD---- C:\RECYCLER
2008-10-14 19:05:36 ----D---- C:\Documents and Settings
2008-10-14 10:23:30 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-14 00:32:39 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-14 00:29:35 ----A---- C:\WINDOWS\system32\winlogon.exe
2008-10-14 00:29:35 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-10-07 12:19:42 ----A---- C:\WINDOWS\system32\MRT.exe
2008-09-29 21:21:03 ----D---- C:\Program Files\wmconnecta
2008-09-16 19:42:04 ----D---- C:\Program Files\GlobalMapper8
2008-09-14 10:56:19 ----D---- C:\Program Files\Java
2008-09-08 15:38:46 ----A---- C:\WINDOWS\NeroDigital.ini
2008-07-20 10:02:58 ----D---- C:\Program Files\Adobe
2008-07-19 20:53:16 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2006-02-28 37376]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2008-02-20 8552]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 aliadwdm;ALi Audio Accelerator WDM driver; C:\WINDOWS\system32\drivers\ac97ali.sys [2004-08-03 231552]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-05-15 701952]
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2007-03-22 539072]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2007-03-22 37424]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2007-03-31 876384]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 16074]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2004-12-15 1038208]
R3 HSFHWALI;HSFHWALI; C:\WINDOWS\system32\DRIVERS\HSFHWALI.sys [2004-12-15 205696]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-02-28 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-02-28 17024]
R3 wandrv;WAN Network Driver; C:\WINDOWS\system32\DRIVERS\wandrv.sys [2001-08-09 22608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 Bridge;MAC Bridge; C:\WINDOWS\system32\DRIVERS\bridge.sys [2006-02-28 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\system32\DRIVERS\bridge.sys [2006-02-28 71552]
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2007-03-22 149123]
S3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2007-03-31 55352]
S3 btwmodem;Bluetooth Modem; C:\WINDOWS\system32\DRIVERS\btwmodem.sys [2007-03-22 37280]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2007-03-22 67960]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter; C:\WINDOWS\system32\DRIVERS\TNET1130.SYS [2004-04-06 386816]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-17 611664]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-05-15 397312]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2007-04-01 273256]
R2 PackethSvc;Virtual NIC Service; C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 64512]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

Edited by topCON, 18 October 2008 - 05:28 PM.
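The things a responder pulls out of the two logs above by eye (a core Windows binary name sitting in a directory it does not belong in, msconfig startup entries that RSIT could not stamp with a date and size, an O21 ShellServiceObjectDelayLoad DLL outside the system directory, and a burst of file creations and modifications inside a few minutes) can be checked mechanically. The following Python script is an added example for this thread, not a tool used or posted by either participant; its sample input is an abridged excerpt of the log lines posted above, and the expected-directory table, the five-minute window and the treatment of an empty "[]" stamp as "verify on disk" are assumptions of the example, not rules of HijackThis or RSIT.

```python
"""Triage heuristics for HijackThis / RSIT log excerpts.

Added example for this thread, not a tool used or posted by anyone in it.
The expected-directory table, the five-minute window and the reading of an
empty '[]' stamp are assumptions of this example, not rules of either tool.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: an abridged excerpt of the lines posted in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mIRC\mirc.exe
O21 - SSODL: infowebapl - {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\infowebapl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
C:\WINDOWS\system32\brastk.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2006-02-28 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoActCom]
C:\WINDOWS\system32\uvchyhaj.exe [2008-10-14 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVCHOST.EXE]
C:\WINDOWS\system32\drivers\svchost.exe []
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2006-02-28 239616]
2008-10-14 15:17:46 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-14 10:43:25 ----A---- C:\WINDOWS\system32\wini104552663.exe
2008-10-14 00:32:40 ----D---- C:\Documents and Settings\All Users\Application Data\abglelgl
2008-10-14 00:31:52 ----D---- C:\Program Files\qsgjurf
2008-10-14 00:31:39 ----A---- C:\WINDOWS\system32\dpcproxy.exe
2008-10-14 00:30:43 ----A---- C:\WINDOWS\system32\uvchyhaj.exe
2008-10-14 00:29:35 ----A---- C:\WINDOWS\system32\winlogon.exe
2008-10-14 00:29:35 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-09-14 10:56:20 ----A---- C:\WINDOWS\system32\java.exe
"""

# Core Windows XP binaries and the one directory each belongs in (assumption of this
# example: a file with one of these names anywhere else is a masquerade until verified).
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}

PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]\r\n]*?\.(?:exe|dll|sys)", re.IGNORECASE)
# RSIT prints the startup command on the line after the key, followed by '[date size]'.
STARTUP_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>[^\]]+)\]\r?\n"
    r"(?P<cmd>.+?) \[(?P<stamp>[^\]]*)\]\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Accepts both the HijackThis 'O21 - SSODL:' form and RSIT's bare 'name - {guid} - dll' form.
SSODL_RE = re.compile(
    r"^(?:O21 - SSODL: )?(?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<dll>[A-Za-z]:\\.+?\.dll)\b",
    re.IGNORECASE | re.MULTILINE,
)
FSEVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ----[A-Z]*---- (.+?)\s*$", re.MULTILINE)


def masquerading_binaries(log_text):
    """Paths whose file name is a core Windows binary but whose directory is not the expected one."""
    hits = set()
    for match in PATH_RE.finditer(log_text):
        path = match.group(0)
        directory, _, name = path.rpartition("\\")
        expected = EXPECTED_DIRS.get(name.lower())
        if expected and directory.lower() != expected:
            hits.add(path)
    return sorted(hits)


def unstamped_startup_entries(log_text):
    """(entry name, command) for startupreg entries whose stamp is empty: verify each file on disk."""
    return [(m.group("name"), m.group("cmd")) for m in STARTUP_RE.finditer(log_text)
            if not m.group("stamp").strip()]


def ssodl_outside_system32(log_text):
    """(name, dll) for ShellServiceObjectDelayLoad entries whose DLL is not under the system directory."""
    return [(m.group("name"), m.group("dll")) for m in SSODL_RE.finditer(log_text)
            if not m.group("dll").lower().startswith("c:\\windows\\system32\\")]


def largest_timestamp_cluster(log_text, window=timedelta(minutes=5)):
    """Paths in the biggest run of file events where each is within `window` of the previous one."""
    events = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), path)
                    for ts, path in FSEVENT_RE.findall(log_text))
    clusters = []
    for ts, path in events:
        if clusters and ts - clusters[-1][-1][0] <= window:
            clusters[-1].append((ts, path))
        else:
            clusters.append([(ts, path)])
    return [path for _, path in max(clusters, key=len)] if clusters else []


def triage(log_text):
    """Run every heuristic over one log text and return the findings keyed by heuristic."""
    return {
        "masquerading": masquerading_binaries(log_text),
        "unstamped_startups": unstamped_startup_entries(log_text),
        "ssodl_outside_system32": ssodl_outside_system32(log_text),
        "burst": largest_timestamp_cluster(log_text),
    }


if __name__ == "__main__":
    for heuristic, findings in triage(SAMPLE_LOG).items():
        print(heuristic)
        for item in findings:
            print("   ", item)
```

Run as-is, the script prints the four finding lists for the excerpt. An unstamped entry is a worklist item, not a verdict: the AVG7_CC entry is unstamped too, because the poster uninstalled AVG (post #3), so each one has to be checked on disk. The timestamp clustering is the finding worth the most attention here: the RSIT lists show winlogon.exe and termsrv.dll modified at 00:29:35 on 2008-10-14, in the same three-minute window in which uvchyhaj.exe, dpcproxy.exe and the qsgjurf and abglelgl folders appeared, and a modified winlogon.exe is reason to verify the system binaries against known-good copies before trusting any scan result produced on that machine.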




#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:24 AM

Posted 19 October 2008 - 01:27 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if an antivirus is not present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 topCON

topCON
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 19 October 2008 - 03:06 PM

Thanks for looking,

My problem is that I can't get any antivirus to scan without locking up now. Right before this started I had a fresh scan with AVG that didn't find anything. I uninstalled AVG to download Avast, but I'm limited to dialup and the 26 MB download takes 5 hours; I've started the download 5 times now and the connection always drops about halfway through. Anyhow, I will try to download and scan with the antivirus you recommended and get back to you.

Thanks,
topCON

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:24 AM

Posted 19 October 2008 - 03:12 PM

No matter what dialup you're on, you really need an antivirus, because how are you supposed to prevent malware otherwise?
An antivirus is not really there to remove the malware that is present, but to prevent it in the first place. So without prevention, your system is wide open for malware anyway.

#5 topCON

topCON
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 24 October 2008 - 03:52 PM

miekiemoes,

Finally, after days of trial and error, I got my laptop to start scanning completely without locking up. This was possible after running CCleaner and Registry Repair; I'm not sure which one fixed the problem, but I can scan now, no problem. I installed Avira like you said and ran a full system scan, and it found lots of things and deleted them. Here is the log I'm posting now. Thanks again.

topCON

AVIRA LOG:
--------------


Avira AntiVir Personal
Report file date: Thursday, October 23, 2008 13:36

Scanning for 1697668 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Save mode
Username: marlon
Computer name: JOZLAPTOP

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15
ANTIVIR2.VDF : 7.0.7.59 4366336 Bytes 10/19/2008 16:01:56
ANTIVIR3.VDF : 7.0.7.64 54272 Bytes 10/20/2008 16:02:12
Engineversion : 8.2.0.5
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/20/2008 16:03:16
AESCRIPT.DLL : 8.1.1.9 319867 Bytes 10/20/2008 16:03:14
AESCN.DLL : 8.1.1.3 123252 Bytes 10/20/2008 16:03:11
AERDL.DLL : 8.1.1.2 438644 Bytes 10/20/2008 16:03:08
AEPACK.DLL : 8.1.2.4 369014 Bytes 10/20/2008 16:03:01
AEOFFICE.DLL : 8.1.0.28 196987 Bytes 10/20/2008 16:02:55
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 10/20/2008 16:02:50
AEHELP.DLL : 8.1.1.2 115062 Bytes 10/20/2008 16:02:29
AEGEN.DLL : 8.1.0.41 319861 Bytes 10/20/2008 16:02:25
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/20/2008 16:02:21
AECORE.DLL : 8.1.2.6 172406 Bytes 10/20/2008 16:02:17
AEBB.DLL : 8.1.0.3 53618 Bytes 10/20/2008 16:02:14
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 10/20/2008 16:02:13
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: off
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, October 23, 2008 13:36

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
11 processes with 11 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '56' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\mIRC\download\XoftSpySE crack\Paretologic 5 in 1 crack\ParetoLogic_Slayer_v1.3.exe
[DETECTION] Contains recognition pattern of the WORM/DoomBot.X worm
[NOTE] The file was deleted!
C:\Program Files\mIRC\download\XoftSpySE433_263-GOOOOOD CRAAAAAACK\Paretologic 5 in 1 crack\ParetoLogic_Slayer_v1.3.exe
[DETECTION] Contains recognition pattern of the WORM/DoomBot.X worm
[NOTE] The file was deleted!
C:\Program Files\XoftSpySE\ParetoLogic_Slayer_v1.3.exe
[DETECTION] Contains recognition pattern of the WORM/DoomBot.X worm
[NOTE] The file was deleted!


End of the scan: Thursday, October 23, 2008 15:38
Used time: 2:01:47 Hour(s)

The scan has been done completely.

3083 Scanning directories
36683 Files were scanned
3 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
3 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
36679 Files not concerned
0 Archives were scanned
1 Warnings
3 Notes

#6 miekiemoes (Malware Killer Dog)
Malware Response Team, 19,420 posts, Gender: Female, Location: Belgium

Posted 25 October 2008 - 12:02 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 topCON (Topic Starter)
Members, 4 posts

Posted 25 October 2008 - 10:09 AM

miekiemoes,

Here are the fresh ComboFix and HijackThis logs you requested. Thanks.



ComboFix log 10-25-2008
--------------------------------------

ComboFix 08-10-24.02 - marlon 2008-10-25 10:52:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.192 [GMT -4:00]
Running from: C:\Documents and Settings\marlon\Desktop\Avira Antivirus Install File\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wini104552663.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-25 to 2008-10-25 )))))))))))))))))))))))))))))))
.

2008-10-23 19:51 . 2008-10-23 19:51 1,716 -rahs---- C:\WINDOWS\system32\drivers\HP_Presario 2100 (DZ414U)_YN_Pres_QCNF421_E_4_I0024_SHP_VPQ1A84_BKAM1.60_T050504_WXP2_L409_M447_J40_7AMD_8mobile Athlon XP2800+_92.12_1_N100B0020_P104CAC50_Z10B95457_K_A10B95451_U10B95237_G10024336.MRK
2008-10-23 19:37 . 2008-10-23 19:37 52 --a------ C:\WINDOWS\intuprof.ini
2008-10-23 19:36 . 2008-10-23 19:36 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-10-23 19:36 . 2008-10-23 19:37 669 --a------ C:\WINDOWS\QUICKEN.INI
2008-10-23 19:35 . 2008-10-23 19:37 <DIR> d-------- C:\Program Files\Quicken
2008-10-23 19:34 . 2008-10-23 19:34 82 --a------ C:\WINDOWS\QT4HPOT.UNI
2008-10-23 19:30 . 2002-08-15 10:11 151,552 --a------ C:\WINDOWS\system32\HPConfig.exe
2008-10-23 19:30 . 2002-10-07 13:18 73,728 --------- C:\WINDOWS\system32\InstHpci.dll
2008-10-23 19:30 . 2002-07-17 12:09 14,504 --a------ C:\WINDOWS\system32\drivers\hpci.sys
2008-10-23 19:27 . 2008-10-23 19:27 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-10-23 19:26 . 2008-10-23 19:26 <DIR> d-------- C:\Program Files\MUSICMATCH
2008-10-23 19:25 . 2008-10-23 19:25 <DIR> d-------- C:\Program Files\MSN Encarta Plus
2008-10-23 19:25 . 2008-10-23 19:25 <DIR> d-------- C:\Program Files\InterVideo
2008-10-23 19:24 . 2003-05-24 08:16 5,760,056 -ra------ C:\WINDOWS\Amber Flow.bmp
2008-10-23 19:24 . 2002-07-30 10:30 8,040 -ra------ C:\WINDOWS\system32\OEMLogo.bmp
2008-10-23 19:21 . 2002-08-30 07:04 23,570 -ra------ C:\WINDOWS\system32\drivers\atisgkaf.SYS
2008-10-23 19:20 . 2008-10-23 19:20 <DIR> d-------- C:\Program Files\Synaptics
2008-10-23 19:20 . 2008-10-23 19:20 <DIR> d-------- C:\Program Files\NSC
2008-10-23 19:20 . 2003-05-22 17:36 273,072 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-10-23 19:20 . 2003-05-22 18:58 110,592 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-10-23 19:20 . 2003-05-22 17:42 94,208 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-10-23 19:20 . 2003-05-22 18:18 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-10-23 19:20 . 2003-05-22 18:58 77,824 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-10-23 19:20 . 2003-05-22 18:09 65,536 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-10-23 19:19 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-10-23 19:19 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-10-23 19:18 . 2003-04-14 22:00 1,171,616 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys
2008-10-23 19:18 . 2003-04-14 22:00 594,960 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2008-10-23 19:18 . 2003-04-14 22:00 231,867 --a------ C:\WINDOWS\system32\drivers\hpm0850.cty
2008-10-23 19:18 . 2003-04-14 22:00 153,380 --a------ C:\WINDOWS\system32\drivers\HSFHWALI.sys
2008-10-23 19:18 . 2003-04-14 22:00 57,344 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2008-10-23 19:18 . 2003-04-14 22:00 51,712 --a------ C:\WINDOWS\system32\carpdll.dll
2008-10-23 19:18 . 2003-04-14 22:00 34,224 --a------ C:\WINDOWS\system32\drivers\strmdisp.sys
2008-10-23 19:18 . 2003-04-14 22:00 12,074 --a------ C:\WINDOWS\system32\hsfinst.dll
2008-10-23 19:18 . 2003-04-14 22:00 9,855 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-10-23 19:18 . 2003-04-14 22:00 4,608 --a------ C:\WINDOWS\system32\carpserv.exe
2008-10-23 19:17 . 2008-10-23 19:17 <DIR> d-------- C:\Program Files\HP
2008-10-23 19:17 . 2002-01-18 12:00 57,344 --a------ C:\WINDOWS\system32\drivers\Express.sys
2008-10-23 19:13 . 2008-10-23 19:13 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-10-23 19:12 . 2002-11-05 12:04 291,328 --a------ C:\WINDOWS\system32\drivers\caliaud.sys
2008-10-23 19:12 . 2002-11-05 12:04 244,608 --a------ C:\WINDOWS\system32\drivers\calihal.sys
2008-10-23 19:12 . 2002-11-05 12:04 28,672 --a------ C:\WINDOWS\ciaunwdm.exe
2008-10-23 19:11 . 2008-10-23 19:34 <DIR> d-------- C:\Program Files\HPQ
2008-10-23 19:11 . 2008-10-23 19:11 <DIR> d-------- C:\fe2c209385e4a057ef917ad040c99850
2008-10-23 19:10 . 2008-10-23 19:24 <DIR> d-------- C:\SYSTEM.SAV
2008-10-23 12:20 . 2008-10-23 12:20 <DIR> d-------- C:\Documents and Settings\marlon\Application Data\GlarySoft
2008-10-23 12:09 . 2008-10-23 12:09 <DIR> d-------- C:\Program Files\Glary Registry Repair
2008-10-23 12:07 . 2008-10-23 12:07 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-23 12:07 . 2008-10-23 12:08 <DIR> d-------- C:\Program Files\CCleaner
2008-10-20 11:40 . 2008-10-20 11:40 <DIR> d-------- C:\Program Files\Avira
2008-10-20 11:40 . 2008-10-20 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-18 21:16 . 2008-10-18 21:16 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-10-18 18:25 . 2008-10-18 18:25 <DIR> d-------- C:\rsit
2008-10-18 16:15 . 2008-10-18 16:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-17 13:06 . 2008-10-17 13:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-17 13:06 . 2008-10-17 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-17 13:05 . 2008-10-17 13:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-17 11:30 . 2008-10-17 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-10-16 23:56 . 2008-10-23 15:24 <DIR> d-------- C:\Program Files\XoftSpySE
2008-10-15 19:08 . 2008-10-15 19:08 <DIR> d-------- C:\6c53c4f98667afa7c273678b8b
2008-10-15 18:50 . 2008-10-15 18:50 <DIR> d-------- C:\993e57243754d45807af
2008-10-15 15:26 . 2008-10-15 15:26 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-10-14 19:05 . 2008-10-14 19:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-14 15:17 . 2008-10-14 19:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-14 15:17 . 2008-10-23 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-14 10:57 . 2008-10-14 10:57 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-14 10:56 . 2008-10-14 19:16 <DIR> d-------- C:\Documents and Settings\marlon\.housecall6.6
2008-10-14 00:39 . 2008-10-20 11:23 185 --a------ C:\Documents and Settings\marlon\xrt_log.dat
2008-10-14 00:32 . 2008-10-20 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\abglelgl
2008-10-14 00:31 . 2008-10-14 00:31 <DIR> d-------- C:\Program Files\qsgjurf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-25 14:47 --------- d-----w C:\Documents and Settings\marlon\Application Data\U3
2008-10-25 13:19 --------- d-----w C:\Program Files\mIRC
2008-10-24 23:44 --------- d-----w C:\Program Files\GlobalMapper8
2008-10-23 23:36 --------- d-----w C:\Program Files\Java
2008-10-23 23:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-23 23:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-23 23:18 --------- d-----w C:\Program Files\CONEXANT
2008-10-14 04:29 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-14 04:29 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-09-30 01:21 --------- d-----w C:\Program Files\wmconnecta
.

------- Sigcheck -------

2008-10-14 00:29 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
2006-02-28 08:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2008-10-14 00:29 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\WINDOWS\system32\termsrv.dll
2006-02-28 08:00 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-10-03 106496]
"CARPService"="carpserv.exe" [2003-04-14 C:\WINDOWS\system32\carpserv.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 C:\WINDOWS\system32\Ati2mdxx.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\Quicken\billmind.exe [2002-09-20 36864]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 53248]
Quicken Startup.lnk - C:\Program Files\Quicken\QWDLLS.EXE [2002-09-20 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"infowebapl"= {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\infowebapl.dll [2008-10-14 106496]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G Wireless Utility.lnk]
backup=C:\WINDOWS\pss\D-Link AirPlus G Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Netscape Connect Tray Icon.lnk]
backup=C:\WINDOWS\pss\Netscape Connect Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^marlon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-06-25 15:30 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-02-20 16:24 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 64512]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 291328]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2003-07-16 28280]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;C:\WINDOWS\system32\DRIVERS\TNET1130.SYS [2004-04-06 386816]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 16074]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-25 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-10-24 14:59]

2008-10-17 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-10-24 14:59]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MMTray - (no file)
Notify-NavLogon - (no file)
MSConfigStartUp-InfoActCom - C:\WINDOWS\system32\uvchyhaj.exe
MSConfigStartUp-SVCHOST - C:\WINDOWS\system32\drivers\svchost.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\marlon\Application Data\Mozilla\Firefox\Profiles\6xnxmidu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://bloomington.craigslist.org/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-25 10:54:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?9?4?4??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-25 10:56:09
ComboFix-quarantined-files.txt 2008-10-25 14:56:04

Pre-Run: 27,973,369,856 bytes free
Post-Run: 27,978,555,392 bytes free

208 --- E O F --- 2007-12-13 20:05:04

hijackthis log 10-25-2008
------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:56 AM, on 10/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bloomington.craigslist.org/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: infowebapl - {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\infowebapl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe

--
End of file - 6575 bytes

#8 miekiemoes (Malware Killer Dog)
Malware Response Team, 19,420 posts, Gender: Female, Location: Belgium

Posted 25 October 2008 - 10:41 AM

Hi,

This looks like your Winlogon.exe is also patched/infected according to the MD5 check comparison: http://www.virustotal.com/ko/analisis/dfb0...ec1c27511ca6a0d - the same applies to the termsrv.dll file.
However... this could be a false positive as well. In any case, whether it's a false positive or infected, in your case it would be unwise to replace it manually with a non-patched copy, with some risks, while you need to update to Service Pack 3 anyway. Installing SP3 will overwrite the infected files with a clean copy anyway.

But before you update to Service Pack 3, please perform the following.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Documents and Settings\marlon\xrt_log.dat
Folder::
C:\Documents and Settings\All Users\Application Data\abglelgl
C:\Program Files\qsgjurf
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"infowebapl"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
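The "MD5 check comparison" miekiemoes is reading above comes from the Sigcheck block of the ComboFix log in post #7, where each protected system file is listed beside its dllcache backup. The script below is an added example for this thread, not ComboFix's own code and not something the helper posted: it parses that block, pairs each live file with its dllcache copy (the page's own hashes are embedded as sample input) and reports pairs whose hashes differ, distinguishing a same-size change (the in-place patch pattern seen here) from a replaced file of a different size. `md5_of_file` is a small helper for re-hashing a pair yourself; nothing in the block is a ComboFix API.

```python
"""Read the 'Sigcheck' block of a ComboFix log and flag protected system
files whose live copy no longer matches the dllcache backup.

Added example for this thread; not ComboFix's code and not part of the
original post. ComboFix prints each checked file beside its
%SystemRoot%\\system32\\dllcache copy with date, size and MD5, so a different
hash on the live file is the signal the helper reads as "patched/infected".
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Sigcheck block exactly as printed in the ComboFix log posted in this thread.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------

2008-10-14 00:29 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
2006-02-28 08:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2008-10-14 00:29 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\WINDOWS\system32\termsrv.dll
2006-02-28 08:00 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\system32\dllcache\termsrv.dll
.
"""

# date time  size  md5(32 hex)  path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-f]{32})\s+(.+)$"
)


def parse_sigcheck(text):
    """Return {basename: {'live': (date, size, md5), 'dllcache': (...)}}.

    Only the lines between the '------- Sigcheck -------' header and the
    '.' terminator are read; a record under a 'dllcache' directory is the
    backup, anything else is the live copy.
    """
    entries = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "------- Sigcheck -------":
            in_block = True
            continue
        if not in_block:
            continue
        if line == ".":
            break
        m = LINE_RE.match(line)
        if not m:
            continue  # blank separator lines
        date, size, md5, path = m.groups()
        p = PureWindowsPath(path)
        kind = "dllcache" if p.parent.name.lower() == "dllcache" else "live"
        entries.setdefault(p.name.lower(), {})[kind] = (date, int(size), md5)
    return entries


def classify(live, cache):
    """Compare a live record with its dllcache record.

    'patched-in-place' means identical byte length but different content,
    the pattern of a binary modified in place; 'replaced' means the length
    changed too, so a different file was dropped over the original.
    """
    if live[2] == cache[2]:
        return "match"
    if live[1] == cache[1]:
        return "patched-in-place"
    return "replaced"


def find_mismatches(text):
    """Sorted (basename, verdict) list for every pair that does not match."""
    out = []
    for name, pair in parse_sigcheck(text).items():
        if "live" not in pair or "dllcache" not in pair:
            continue  # unpaired record, nothing to compare against
        verdict = classify(pair["live"], pair["dllcache"])
        if verdict != "match":
            out.append((name, verdict))
    return sorted(out)


def md5_of_file(path, chunk=1 << 16):
    """Streaming MD5 of a file on disk, to re-check a pair by hand."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for name, verdict in find_mismatches(SIGCHECK_SAMPLE):
        print(f"{name}: {verdict}")
```

Two caveats worth keeping in mind when reading such output. The dllcache copy is itself on the compromised disk, so a mismatch proves only that the two copies differ, not which one is clean; the known-good reference is a hash from install media or the vendor, which is why reinstalling the service pack, as the helper suggests, is the safer fix. And the dates line up with the rest of the log: both live files carry a 2008-10-14 00:29 timestamp, minutes before the qsgjurf and abglelgl directories appeared in the Files Created list, which is the kind of correlation an analyst uses to decide a mismatch is not a false positive.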

#9 miekiemoes (Malware Killer Dog)
Malware Response Team, 19,420 posts, Gender: Female, Location: Belgium

Posted 05 November 2008 - 10:55 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.