
Hijackthis Log: Infected with Facegame, Gool, & others


  • This topic is locked
52 replies to this topic

#1 DP7

  • Members
  • 35 posts

Posted 03 November 2008 - 11:58 AM

So my computer was badly infected, to the point where my task manager had been disabled and my background was gone, etc. Using Spybot, SuperAntiSpyware, and Malwarebytes Anti-Malware (and some others) I got it back to about 90 - 95%, but I'm still having issues. Among other things I'm getting "Bad Image" errors, trying to visit sites on IE I get redirected to all sorts of other sites, some sites don't even register on Firefox, and I'm getting "Error 216 at..." messages.

Now according to scans with Security Task Manager and HijackThis I already see that I'm still infected with Facegame, Gool, and ctfmon (I also have something there that says "Fumo," not sure what that is) in my startup, and I know there are some things that run on startup that I can get rid of. I want to run SDFix, but I figured before I do anything else I'd get some advice/opinion on what's going on with my system. Here's my HijackThis log, thanks.

Oh, btw, I followed all the steps suggested I do before posting here, so I now have Facegame & Gool blocked by the Sygate Firewall.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:35 PM, on 11/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sm56hlpr.exe
E:\Program Files\3.0\Apps\apdproxy.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\StarzPlay\StarzPlayTray.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Akil\Application Data\Facegame\Facegame.exe
C:\Documents and Settings\Akil\Application Data\Gool\Gool.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 1\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Akil\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Juno\SearchEnh1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {6EBCF644-2B1A-46DE-B01C-CDCDF5726A17} - C:\WINDOWS\system32\cliconf.dll
O2 - BHO: (no name) - {B359B1A0-972A-4ECE-BC3E-8E4A166E896A} - C:\WINDOWS\system32\cfgbken.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - (no file)
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: dkwqgnbe - {0E3A3463-7B9C-44E9-B0BF-D71133330658} - C:\WINDOWS\dkwqgnbe.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [StarzTray] C:\Program Files\StarzPlay\StarzPlayTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
O4 - HKCU\..\Run: [Facegame] "C:\Documents and Settings\Akil\Application Data\Facegame\Facegame.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\Akil\Application Data\Gool\Gool.exe"
O4 - HKCU\..\Run: [fumo] C:\Program Files\InetGet2\stub109_4_0_4_0.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: msupd_0810_upd281748.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 12975 bytes
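The HijackThis sections in the log above (R1 proxy setting, O2/O3 BHOs and toolbars, O4 autoruns, O20 AppInit_DLLs) can be triaged mechanically. The following Python script is an added example, not code from the poster or from HijackThis: it runs a few defender-side heuristics over lines copied from the log, and the rules and reason strings are my assumptions about what a helper looks for, not verdicts.

```python
"""Heuristic triage of HijackThis log lines (added example, not HijackThis code).

Each rule encodes one thing a malware-removal helper checks by eye:
a proxy that points at a local port, unnamed or orphaned browser add-ons,
autoruns living under a user profile, long hex arguments on a Run entry,
bare executables in the all-users Startup folder, and a set AppInit_DLLs.
"""
import re

# Constructed sample: lines copied from the HijackThis log above, plus two
# benign vendor entries (AVG toolbar, Symantec ccApp) to show what is NOT flagged.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080",
    r"O2 - BHO: (no name) - {6EBCF644-2B1A-46DE-B01C-CDCDF5726A17} - C:\WINDOWS\system32\cliconf.dll",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKCU\..\Run: [Facegame] "C:\Documents and Settings\Akil\Application Data\Facegame\Facegame.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A',
    r'O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\Akil\Application Data\Gool\Gool.exe"',
    r"O4 - Global Startup: msupd_0810_upd281748.exe",
    r"O20 - AppInit_DLLs: karna.dat",
]

# "O4 - ..." / "R1 - ..." : section code, then the entry body.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Executable located under a per-user data directory (XP layout).
USER_PROFILE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(application data|local settings)\\", re.I)
# A trailing run of 32+ hex characters on the command line.
HEX_BLOB_RE = re.compile(r"\s[0-9A-Fa-f]{32,}\s*$")
# IE proxy pointing back at the local machine.
LOCAL_PROXY_RE = re.compile(r"ProxyServer\s*=\s*.*(localhost|127\.0\.0\.1)", re.I)


def triage_line(line):
    """Return the list of reasons one HijackThis line stands out (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons = []
    if code == "R1" and LOCAL_PROXY_RE.search(body):
        reasons.append("IE proxy points at a local port: a resident process can intercept and redirect browsing")
    if code in ("O2", "O3"):
        if "(no name)" in body:
            reasons.append("unnamed BHO/toolbar: legitimate add-ons almost always register a display name")
        if body.endswith("(no file)"):
            reasons.append("orphaned registration: CLSID with no backing file")
    if code == "O4":
        if USER_PROFILE_RE.search(body):
            reasons.append("autorun launched from a user-profile data directory rather than Program Files")
        if HEX_BLOB_RE.search(body):
            reasons.append("long hexadecimal command-line argument, typical of an embedded bot config or ID")
        if body.startswith("Global Startup:") and "\\" not in body:
            reasons.append("bare executable dropped into the all-users Startup folder")
    if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is set: that DLL is loaded into every process that links user32.dll")
    return reasons


def triage(lines):
    """Run triage_line over a whole log; returns [(line, reasons)] for flagged lines only."""
    return [(ln, r) for ln in lines if (r := triage_line(ln))]


if __name__ == "__main__":
    for ln, reasons in triage(SAMPLE_LOG):
        print(ln)
        for why in reasons:
            print("    ->", why)
```

Flagged lines are candidates for the helper to check, not proof of infection; an unnamed toolbar with no file, for instance, is usually just leftover registry debris.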



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 November 2008 - 06:06 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 DP7

  • Topic Starter
  • Members
  • 35 posts

Posted 04 November 2008 - 04:03 PM

Still could not send this from my desktop for some reason. But it looks like this may have worked, I see a lot of my desktop icons have been restored. Here's the log, and THANKS!!!!

ComboFix 08-11-04.02 - Akil 2008-11-04 15:26:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1751 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Akil\Application Data\Facegame
c:\documents and settings\Akil\Application Data\Facegame\Facegame.exe
c:\documents and settings\Akil\Application Data\Gool
c:\documents and settings\Akil\Application Data\Gool\Gool.exe
c:\documents and settings\Akil\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Akil\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Akil\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\dkwqgnbe.dll
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\msansspc.dll
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSSbubx.log
c:\windows\system32\TDSSkkdu.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.dll
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\tdssserf1.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\wini10803.exe
c:\windows\system32\wpv742.cpx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-04 10:58 . 2004-08-04 05:00 93,184 --a------ c:\windows\system32\cryptu.dll
2008-11-03 19:10 . 2004-08-04 05:00 93,184 --a------ c:\windows\system32\cnvfa.dll
2008-11-03 03:09 . 2008-11-03 03:09 <DIR> d-------- c:\program files\MSXML 6.0
2008-11-03 03:09 . 2008-11-03 03:09 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-03 03:07 . 2008-11-03 03:07 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-02 16:51 . 2008-06-20 05:45 360,320 --------- c:\windows\system32\dllcache\tcpip.sys
2008-11-02 16:51 . 2008-06-20 12:41 245,248 --------- c:\windows\system32\dllcache\mswsock.dll
2008-11-02 16:51 . 2008-06-20 05:44 138,368 --------- c:\windows\system32\dllcache\afd.sys
2008-11-02 16:51 . 2006-08-16 06:58 100,352 --------- c:\windows\system32\dllcache\6to4svc.dll
2008-11-02 16:42 . 2008-11-03 03:11 1,374 --a------ c:\windows\imsins.BAK
2008-11-02 16:20 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-02 16:20 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-11-02 16:15 . 2008-04-11 13:50 683,520 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-11-02 16:15 . 2008-05-08 07:28 202,752 --------- c:\windows\system32\dllcache\rmcast.sys
2008-11-01 23:08 . 2008-11-01 23:08 <DIR> d-------- c:\program files\Sygate
2008-11-01 23:08 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-11-01 23:08 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-11-01 23:08 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-10-31 20:33 . 2008-10-31 20:40 <DIR> d-------- c:\windows\BDOSCAN8
2008-10-31 18:42 . 2008-10-31 18:42 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-10-31 18:41 . 2008-10-31 20:32 <DIR> d-------- c:\documents and settings\Akil\.housecall6.6
2008-10-31 16:05 . 2008-10-31 16:05 <DIR> d-------- c:\program files\Lavasoft
2008-10-31 16:05 . 2008-10-31 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 09:51 . 2000-03-23 12:50 446,464 -ra------ c:\windows\system32\hhactivex.dll
2008-10-31 09:51 . 1999-05-07 13:24 414,944 --a------ c:\windows\system32\COMCT332.OCX
2008-10-31 09:51 . 1998-11-10 10:46 328,480 --a------ c:\windows\system32\ssa3d30.ocx
2008-10-31 09:51 . 2002-01-08 17:00 176,128 --a------ c:\windows\system32\RcdScan.dll
2008-10-31 09:51 . 1998-09-24 12:03 171,967 --a------ c:\windows\system32\Odbcjet.hlp
2008-10-31 09:51 . 1998-06-17 23:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-10-31 09:51 . 1998-09-24 12:03 7,348 --a------ c:\windows\system32\Odbcjet.cnt
2008-10-30 09:59 . 2008-10-30 09:59 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-10-29 12:42 . 2004-08-04 05:00 93,184 --a------ c:\windows\system32\cliconf.dll
2008-10-28 20:52 . 2004-08-04 05:00 93,184 --a------ c:\windows\system32\cfgbken.dll
2008-10-27 18:43 . 2008-10-27 18:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-27 10:48 . 2008-11-04 15:12 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 1
2008-10-26 17:53 . 2008-10-26 17:53 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-10-25 21:17 . 2008-10-30 13:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-25 20:55 . 2008-11-04 10:19 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-10-25 20:55 . 2008-10-25 20:55 <DIR> d-------- c:\program files\AVG
2008-10-25 20:55 . 2008-10-26 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-10-25 20:55 . 2008-10-27 09:15 <DIR> d-------- c:\documents and settings\Akil\Application Data\AVGTOOLBAR
2008-10-25 20:55 . 2008-10-25 20:55 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-10-25 20:55 . 2008-10-25 20:55 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-10-25 17:27 . 2008-10-25 20:36 <DIR> d-------- c:\documents and settings\Akil\Application Data\GetModule
2008-10-22 13:31 . 2008-10-22 13:31 <DIR> d-------- c:\program files\iPod
2008-10-22 13:31 . 2008-10-22 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-09 08:48 . 2008-10-09 08:48 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-09 01:28 . 2008-10-09 01:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Verizon
2008-10-09 00:21 . 2008-10-25 18:24 <DIR> d-------- c:\documents and settings\Guest\Application Data\Verizon
2008-10-09 00:20 . 2008-10-25 18:24 <DIR> d-------- c:\documents and settings\Amir\Application Data\Verizon
2008-10-05 14:14 . 2008-10-05 14:14 <DIR> d-------- c:\documents and settings\Akil\Application Data\Malwarebytes
2008-10-05 14:13 . 2008-10-12 12:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-05 14:13 . 2008-10-05 14:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-05 14:13 . 2008-09-07 23:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-05 14:13 . 2008-09-07 23:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-05 11:14 . 2008-10-05 11:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-05 11:13 . 2005-04-19 23:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-10-05 11:13 . 2005-04-19 23:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-10-05 11:13 . 2005-04-19 23:40 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-10-05 11:13 . 2008-10-25 20:55 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Verizon
2008-10-31 21:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-31 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2008-10-31 14:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 14:50 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-31 05:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-30 23:06 --------- d-----w c:\program files\Verizon
2008-10-27 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 02:31 --------- d-----w c:\program files\VirtualDJ
2008-10-26 01:34 --------- d-----w c:\program files\Common Files\Authentium
2008-10-25 23:24 --------- d-----w c:\documents and settings\Akil\Application Data\Verizon
2008-10-21 13:38 --------- d-----w c:\program files\Security Task Manager
2008-10-11 22:19 --------- d-----w c:\documents and settings\Akil\Application Data\Spybot - Search & Destroy
2008-10-09 13:52 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-09 13:51 --------- d-----w c:\program files\Java
2008-10-09 06:29 --------- d-----w c:\documents and settings\Akil\Application Data\SUPERAntiSpyware.com
2008-10-09 04:53 --------- d-----w c:\program files\Juno
2008-10-02 06:49 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2008-10-01 20:46 --------- d-----w c:\program files\BitComet
2008-09-28 18:30 --------- d-----w c:\program files\Picasa2
2008-09-27 01:03 --------- d-----w c:\program files\Common Files\SupportSoft
2008-09-27 00:14 --------- d--h--r c:\documents and settings\Akil\Application Data\yahoo!
2008-09-27 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-09-26 23:55 --------- d-----w c:\program files\Yahoo!
2008-09-26 23:53 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-09-26 19:46 --------- d-----w c:\program files\QuickTime
2008-09-26 19:46 --------- d-----w c:\program files\Bonjour
2008-09-26 19:45 --------- d-----w c:\program files\Common Files\Apple
2008-09-26 19:44 --------- d-----w c:\program files\Apple Software Update
2008-09-26 19:29 --------- d-----w c:\program files\StarzPlay
2008-09-26 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\StarzEntertainment
2008-09-26 14:22 --------- d-----w c:\documents and settings\Akil\Application Data\Motive
2008-09-26 08:20 --------- d-----w c:\program files\Windows Media Connect 2
2008-09-26 05:29 --------- d-----w c:\program files\Common Files\Motive
2008-09-26 05:29 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-09-26 05:28 --------- d-----w c:\program files\vol_toolbar
2008-09-26 05:28 --------- d-----w c:\documents and settings\Akil\Application Data\vol_toolbar
2008-09-26 04:24 --------- d-----w c:\program files\VUGames
2008-09-20 22:41 --------- d-----w c:\program files\Connection Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2007-09-13 17:10 694 ----a-w c:\program files\Shortcut to iTunes.lnk
2007-09-13 17:10 694 ----a-w c:\program files\Shortcut (2) to iTunes.lnk
2006-12-12 15:31 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-02-08 19:35 14,137,856 ----a-w c:\program files\iTunes.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EBCF644-2B1A-46DE-B01C-CDCDF5726A17}]
2004-08-04 05:00 93184 --a------ c:\windows\system32\cliconf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B359B1A0-972A-4ECE-BC3E-8E4A166E896A}]
2004-08-04 05:00 93184 --a------ c:\windows\system32\cfgbken.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Adobe Photo Downloader"="e:\program files\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Adobe Reader Speed Launcher"="e:\program files\Reader\Reader_sl.exe" [2008-01-11 39792]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 2065648]
"StarzTray"="c:\program files\StarzPlay\StarzPlayTray.exe" [2008-07-08 505112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 1537648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-09 136600]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-25 1234712]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SMSERIAL"="sm56hlpr.exe" [2004-01-28 c:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
msupd_0810_upd281748.exe [2008-10-28 120832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\JcServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Program Files\\Hotsync.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlay.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlayTray.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlayPlayer.exe"=
"c:\\Program Files\\StarzPlay\\StarzUpdater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17033:TCP"= 17033:TCP:*:Disabled:BitComet 17033 TCP
"17033:UDP"= 17033:UDP:*:Disabled:BitComet 17033 UDP
"25108:TCP"= 25108:TCP:BitComet 25108 TCP
"25108:UDP"= 25108:UDP:BitComet 25108 UDP

R0 jzukhfmh;jzukhfmh;c:\windows\system32\drivers\jzukhfmh.sys [2004-08-04 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-25 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-25 231704]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-10-09 147456]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-05-15 21920]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a74be49-8571-11db-817a-0013203012e1}]
\Shell\Auto\command - E:\Setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - d:\superantispyware\SUPERANTISPYWARE.EXE
HKCU-Run-Facegame - c:\documents and settings\Akil\Application Data\Facegame\Facegame.exe
HKCU-Run-fumo - c:\program files\InetGet2\stub109_4_0_4_0.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Akil\Application Data\Mozilla\Firefox\Profiles\zs3rbevt.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox 3.1 Beta 1\plugins\npnul32.dll
FF -: plugin - c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - e:\program files\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 15:38:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\37add5b3-4b5f-4a52-bf48-711dcf062a52.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\gearsec.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-04 15:42:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-04 20:42:18

Pre-Run: 61,318,922,240 bytes free
Post-Run: 61,295,566,848 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

301 --- E O F --- 2008-11-03 08:11:47

#4 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 November 2008 - 04:35 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
c:\windows\system32\cliconf.dll
c:\windows\system32\cfgbken.dll
c:\windows\system32\cryptu.dll
c:\windows\system32\cnvfa.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EBCF644-2B1A-46DE-B01C-CDCDF5726A17}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B359B1A0-972A-4ECE-BC3E-8E4A166E896A}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================


Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 DP7
  • Topic Starter
  • Members
  • 35 posts

Posted 05 November 2008 - 03:21 AM

Kaspersky Log:
file:///C:/Documents%20and%20Settings/Akil/Desktop/Viral/Kaspersky%20Log.html


Wednesday, November 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, November 04, 2008 21:17:22
Records in database: 1369680
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
E:\
Scan statistics
Files scanned: 116282
Threat name: 14
Infected objects: 19
Suspicious objects: 0
Duration of the scan: 02:11:59

File name Threat name Threats count
C:\Documents and Settings\Akil\.housecall6.6\Quarantine\155[1].net.bac_a02776 Infected: Trojan-Downloader.Win32.Agent.aiyu 1
C:\Documents and Settings\Akil\.housecall6.6\Quarantine\dw22.exe.bac_a02776 Infected: not-a-virus:AdWare.Win32.Gator.3013 1
C:\Documents and Settings\Akil\.housecall6.6\Quarantine\Facegame.exe.bac_a02776 Infected: Trojan.Win32.Agent.ajdu 1
C:\Documents and Settings\Akil\.housecall6.6\Quarantine\wpv504.cpx.bac_a02776 Infected: Trojan.Win32.Agent.akgc 1
C:\Documents and Settings\Akil\.housecall6.6\Quarantine\wpv964.cpx.bac_a02776 Infected: Trojan.Win32.Agent.akgc 1
C:\Documents and Settings\Akil\Desktop\SmitfraudFix\IEDFix.C.exe Infected: Hoax.Win32.Renos.etc 1
C:\Documents and Settings\Akil\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Qoobox\Quarantine\C\Documents and Settings\Akil\Application Data\Facegame\Facegame.exe.vir Infected: Trojan.Win32.Agent.ajdu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cfgbken.dll.vir Infected: Trojan.Win32.BHO.hok 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cnvfa.dll.vir Infected: Trojan.Win32.BHO.hok 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cryptu.dll.vir Infected: Trojan.Win32.BHO.hok 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msansspc.dll.vir Infected: Trojan.Win32.Pakes.lka 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSrhym.dll.vir Infected: Trojan.Win32.Agent.akki 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssserf1.dll.vir Infected: Backdoor.Win32.TDSS.zj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wini10803.exe.vir Infected: not-a-virus:FraudTool.Win32.XPAntiSpyware2009.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv742.cpx.vir Infected: Trojan-Downloader.Win32.Agent.akwa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_cliconf_.dll.zip Infected: Trojan.Win32.BHO.hok 1
The selected area was scanned.

#6 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 November 2008 - 07:31 AM

You forgot to post the combofix log.


========================================================

#7 DP7
  • Topic Starter
  • Members
  • 35 posts

Posted 05 November 2008 - 03:39 PM

Sorry about that.

ComboFix 08-11-04.02 - Akil 2008-11-04 18:18:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1668 [GMT -5:00]
Running from: c:\documents and settings\Akil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Akil\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\cfgbken.dll
c:\windows\system32\cliconf.dll
c:\windows\system32\cnvfa.dll
c:\windows\system32\cryptu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cfgbken.dll
c:\windows\system32\cnvfa.dll
c:\windows\system32\cryptu.dll
c:\windows\system32\cliconf.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-03 03:09 . 2008-11-03 03:09 <DIR> d-------- c:\program files\MSXML 6.0
2008-11-03 03:09 . 2008-11-03 03:09 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-03 03:07 . 2008-11-03 03:07 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-02 16:51 . 2008-06-20 05:45 360,320 --------- c:\windows\system32\dllcache\tcpip.sys
2008-11-02 16:51 . 2008-06-20 12:41 245,248 --------- c:\windows\system32\dllcache\mswsock.dll
2008-11-02 16:51 . 2008-06-20 05:44 138,368 --------- c:\windows\system32\dllcache\afd.sys
2008-11-02 16:51 . 2006-08-16 06:58 100,352 --------- c:\windows\system32\dllcache\6to4svc.dll
2008-11-02 16:42 . 2008-11-03 03:11 1,374 --a------ c:\windows\imsins.BAK
2008-11-02 16:20 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-02 16:20 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-11-02 16:15 . 2008-04-11 13:50 683,520 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-11-02 16:15 . 2008-05-08 07:28 202,752 --------- c:\windows\system32\dllcache\rmcast.sys
2008-11-01 23:08 . 2008-11-01 23:08 <DIR> d-------- c:\program files\Sygate
2008-11-01 23:08 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-11-01 23:08 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-11-01 23:08 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-10-31 20:33 . 2008-10-31 20:40 <DIR> d-------- c:\windows\BDOSCAN8
2008-10-31 18:42 . 2008-10-31 18:42 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-10-31 18:41 . 2008-10-31 20:32 <DIR> d-------- c:\documents and settings\Akil\.housecall6.6
2008-10-31 16:05 . 2008-10-31 16:05 <DIR> d-------- c:\program files\Lavasoft
2008-10-31 16:05 . 2008-10-31 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 09:51 . 2000-03-23 12:50 446,464 -ra------ c:\windows\system32\hhactivex.dll
2008-10-31 09:51 . 1999-05-07 13:24 414,944 --a------ c:\windows\system32\COMCT332.OCX
2008-10-31 09:51 . 1998-11-10 10:46 328,480 --a------ c:\windows\system32\ssa3d30.ocx
2008-10-31 09:51 . 2002-01-08 17:00 176,128 --a------ c:\windows\system32\RcdScan.dll
2008-10-31 09:51 . 1998-09-24 12:03 171,967 --a------ c:\windows\system32\Odbcjet.hlp
2008-10-31 09:51 . 1998-06-17 23:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-10-31 09:51 . 1998-09-24 12:03 7,348 --a------ c:\windows\system32\Odbcjet.cnt
2008-10-30 09:59 . 2008-10-30 09:59 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-10-29 12:42 . 2004-08-04 05:00 93,184 --a------ c:\windows\system32\cliconf.dll
2008-10-27 18:43 . 2008-10-27 18:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-27 10:48 . 2008-11-04 15:56 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 1
2008-10-26 17:53 . 2008-10-26 17:53 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-10-25 21:17 . 2008-11-04 15:43 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-25 20:55 . 2008-11-04 10:19 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-10-25 20:55 . 2008-10-25 20:55 <DIR> d-------- c:\program files\AVG
2008-10-25 20:55 . 2008-10-26 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-10-25 20:55 . 2008-10-27 09:15 <DIR> d-------- c:\documents and settings\Akil\Application Data\AVGTOOLBAR
2008-10-25 20:55 . 2008-10-25 20:55 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-10-25 20:55 . 2008-10-25 20:55 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-10-25 17:27 . 2008-10-25 20:36 <DIR> d-------- c:\documents and settings\Akil\Application Data\GetModule
2008-10-22 13:31 . 2008-10-22 13:31 <DIR> d-------- c:\program files\iPod
2008-10-22 13:31 . 2008-10-22 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-09 08:48 . 2008-10-09 08:48 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-09 01:28 . 2008-10-09 01:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Verizon
2008-10-09 00:21 . 2008-10-25 18:24 <DIR> d-------- c:\documents and settings\Guest\Application Data\Verizon
2008-10-09 00:20 . 2008-10-25 18:24 <DIR> d-------- c:\documents and settings\Amir\Application Data\Verizon
2008-10-05 14:14 . 2008-10-05 14:14 <DIR> d-------- c:\documents and settings\Akil\Application Data\Malwarebytes
2008-10-05 14:13 . 2008-10-12 12:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-05 14:13 . 2008-10-05 14:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-05 14:13 . 2008-09-07 23:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-05 14:13 . 2008-09-07 23:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-05 11:14 . 2008-10-05 11:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-05 11:13 . 2005-04-19 23:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-10-05 11:13 . 2005-04-19 23:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-10-05 11:13 . 2005-04-19 23:40 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-10-05 11:13 . 2008-10-25 20:55 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Verizon
2008-10-31 21:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-31 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2008-10-31 14:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 14:50 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-31 05:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-30 23:06 --------- d-----w c:\program files\Verizon
2008-10-27 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 02:31 --------- d-----w c:\program files\VirtualDJ
2008-10-26 01:34 --------- d-----w c:\program files\Common Files\Authentium
2008-10-25 23:24 --------- d-----w c:\documents and settings\Akil\Application Data\Verizon
2008-10-21 13:38 --------- d-----w c:\program files\Security Task Manager
2008-10-11 22:19 --------- d-----w c:\documents and settings\Akil\Application Data\Spybot - Search & Destroy
2008-10-09 13:52 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-09 13:51 --------- d-----w c:\program files\Java
2008-10-09 06:29 --------- d-----w c:\documents and settings\Akil\Application Data\SUPERAntiSpyware.com
2008-10-09 04:53 --------- d-----w c:\program files\Juno
2008-10-02 06:49 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2008-10-01 20:46 --------- d-----w c:\program files\BitComet
2008-09-28 18:30 --------- d-----w c:\program files\Picasa2
2008-09-27 01:03 --------- d-----w c:\program files\Common Files\SupportSoft
2008-09-27 00:14 --------- d--h--r c:\documents and settings\Akil\Application Data\yahoo!
2008-09-27 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-09-26 23:55 --------- d-----w c:\program files\Yahoo!
2008-09-26 23:53 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-09-26 19:46 --------- d-----w c:\program files\QuickTime
2008-09-26 19:46 --------- d-----w c:\program files\Bonjour
2008-09-26 19:45 --------- d-----w c:\program files\Common Files\Apple
2008-09-26 19:44 --------- d-----w c:\program files\Apple Software Update
2008-09-26 19:29 --------- d-----w c:\program files\StarzPlay
2008-09-26 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\StarzEntertainment
2008-09-26 14:22 --------- d-----w c:\documents and settings\Akil\Application Data\Motive
2008-09-26 08:20 --------- d-----w c:\program files\Windows Media Connect 2
2008-09-26 05:29 --------- d-----w c:\program files\Common Files\Motive
2008-09-26 05:29 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-09-26 05:28 --------- d-----w c:\program files\vol_toolbar
2008-09-26 05:28 --------- d-----w c:\documents and settings\Akil\Application Data\vol_toolbar
2008-09-26 04:24 --------- d-----w c:\program files\VUGames
2008-09-20 22:41 --------- d-----w c:\program files\Connection Wizard
2007-09-13 17:10 694 ----a-w c:\program files\Shortcut to iTunes.lnk
2007-09-13 17:10 694 ----a-w c:\program files\Shortcut (2) to iTunes.lnk
2006-12-12 15:31 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-02-08 19:35 14,137,856 ----a-w c:\program files\iTunes.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-04_15.41.38.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-04 23:21:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_424.dat
+ 2008-11-04 23:21:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EBCF644-2B1A-46DE-B01C-CDCDF5726A17}]
2004-08-04 05:00 93184 --a------ c:\windows\system32\cliconf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Adobe Photo Downloader"="e:\program files\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Adobe Reader Speed Launcher"="e:\program files\Reader\Reader_sl.exe" [2008-01-11 39792]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 2065648]
"StarzTray"="c:\program files\StarzPlay\StarzPlayTray.exe" [2008-07-08 505112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 1537648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-09 136600]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-25 1234712]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SMSERIAL"="sm56hlpr.exe" [2004-01-28 c:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\JcServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Program Files\\Hotsync.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlay.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlayTray.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlayPlayer.exe"=
"c:\\Program Files\\StarzPlay\\StarzUpdater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17033:TCP"= 17033:TCP:*:Disabled:BitComet 17033 TCP
"17033:UDP"= 17033:UDP:*:Disabled:BitComet 17033 UDP
"25108:TCP"= 25108:TCP:BitComet 25108 TCP
"25108:UDP"= 25108:UDP:BitComet 25108 UDP

R0 jzukhfmh;jzukhfmh;c:\windows\system32\drivers\jzukhfmh.sys [2004-08-04 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-25 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-25 231704]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-10-09 147456]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-05-15 21920]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a74be49-8571-11db-817a-0013203012e1}]
\Shell\Auto\command - E:\Setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - VPROEVENTMONITOR
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 18:29:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\gearsec.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-11-04 18:33:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-04 23:33:10
ComboFix2.txt 2008-11-04 20:42:31

Pre-Run: 61,281,677,312 bytes free
Post-Run: 61,264,453,632 bytes free

255 --- E O F --- 2008-11-03 08:11:47
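The ComboFix output above shows several defender-relevant signals side by side: Security Center notifications switched off, the Windows Firewall disabled in the standard profile, a boot-start (R0) driver with a random-looking name, and AutoRun handlers bound to a volume under mountpoints2. As an added example that is not part of the thread or of ComboFix itself, here is a small Python triage script that parses the "Reg Loading Points" section in this format and flags those signals; the random-name test is a heuristic of my own (all lowercase letters, few vowels), not a ComboFix rule, and the sample input is an excerpt of the log posted above.

```python
import re

VOWELS = set("aeiou")

# Sample input: an excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 jzukhfmh;jzukhfmh;c:\windows\system32\drivers\jzukhfmh.sys [2004-08-04 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-25 97928]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a74be49-8571-11db-817a-0013203012e1}]
\Shell\Auto\command - E:\Setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\key path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "Name"=value
# R0 name;display name;image path [date size]
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*?)(?:\s+\[.*\])?$")
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")


def parse_reg_value(raw):
    """Normalise ComboFix's value rendering: 'dword:00000001' -> 1, '0 (0x0)' -> 0, else text."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]+)", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_combofix(text):
    """Return (registry, services, autoruns) parsed from a 'Reg Loading Points' section."""
    registry = {}   # key path (lowercased) -> {value name: value}
    services = []   # (start type, service name, display name, image path)
    autoruns = []   # (mountpoints2 key, verb, command)
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            registry.setdefault(current, {})
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groups())
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            registry[current][m.group(1)] = parse_reg_value(m.group(2))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current:
            autoruns.append((current, m.group(1), m.group(2)))
    return registry, services, autoruns


def looks_random(name):
    """Heuristic (my own, not ComboFix's): 7+ lowercase letters with under 20% vowels,
    like 'jzukhfmh'. Vendor names usually carry capitals, digits or vowels (AvgLdx86)."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(1 for c in name if c in VOWELS)
    return vowels / len(name) < 0.2


def triage(text):
    """Return (category, detail) findings in the order the log presents them."""
    registry, services, autoruns = parse_combofix(text)
    findings = []
    for key, values in registry.items():
        if key.endswith(r"microsoft\security center"):
            for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
                if values.get(name) == 1:
                    findings.append(("security-center", f"{name}=1 (user alerts suppressed)"))
        if key.endswith(r"firewallpolicy\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append(("firewall", "Windows Firewall disabled in the standard profile"))
    for start, name, _display, path in services:
        if start == "R0" and looks_random(name):
            findings.append(("driver", f"boot-start driver with random-looking name: {name} -> {path}"))
    for _key, verb, command in autoruns:
        findings.append(("autorun", f"mountpoints2 {verb} handler -> {command}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```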

#8 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 November 2008 - 03:45 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Driver::
jzukhfmh

File::
c:\windows\system32\drivers\jzukhfmh.sys
c:\windows\system32\cliconf.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EBCF644-2B1A-46DE-B01C-CDCDF5726A17}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================

#9 DP7
  • Topic Starter
  • Members
  • 35 posts

Posted 05 November 2008 - 11:06 PM

ComboFix 08-11-04.02 - Akil 2008-11-05 22:26:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1567 [GMT -5:00]
Running from: c:\documents and settings\Akil\Desktop\Security\ComboFix.exe
Command switches used :: c:\documents and settings\Akil\Desktop\Viral\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\cliconf.dll
c:\windows\system32\drivers\jzukhfmh.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cliconf.dll
c:\windows\system32\drivers\jzukhfmh.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JZUKHFMH
-------\Service_jzukhfmh


((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-05 11:26 . 2008-11-05 11:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\HipSoft
2008-11-05 11:25 . 2008-11-05 11:25 <DIR> d-------- C:\My Games
2008-11-05 11:23 . 2008-11-05 11:25 <DIR> d-------- C:\My Download Files
2008-11-05 02:16 . 2008-11-05 02:16 <DIR> d-------- c:\program files\TVUPlayer
2008-11-05 02:16 . 2008-11-05 02:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-05 02:16 . 2008-11-05 02:16 <DIR> d-------- c:\documents and settings\Akil\LocalLow
2008-11-03 03:09 . 2008-11-03 03:09 <DIR> d-------- c:\program files\MSXML 6.0
2008-11-03 03:09 . 2008-11-03 03:09 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-03 03:07 . 2008-11-03 03:07 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-02 16:51 . 2008-06-20 05:45 360,320 --------- c:\windows\system32\dllcache\tcpip.sys
2008-11-02 16:51 . 2008-06-20 12:41 245,248 --------- c:\windows\system32\dllcache\mswsock.dll
2008-11-02 16:51 . 2008-06-20 05:44 138,368 --------- c:\windows\system32\dllcache\afd.sys
2008-11-02 16:51 . 2006-08-16 06:58 100,352 --------- c:\windows\system32\dllcache\6to4svc.dll
2008-11-02 16:42 . 2008-11-03 03:11 1,374 --a------ c:\windows\imsins.BAK
2008-11-02 16:20 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-02 16:20 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-11-02 16:15 . 2008-04-11 13:50 683,520 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-11-02 16:15 . 2008-05-08 07:28 202,752 --------- c:\windows\system32\dllcache\rmcast.sys
2008-11-01 23:08 . 2008-11-01 23:08 <DIR> d-------- c:\program files\Sygate
2008-11-01 23:08 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-11-01 23:08 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-11-01 23:08 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-11-01 23:08 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-10-31 20:33 . 2008-10-31 20:40 <DIR> d-------- c:\windows\BDOSCAN8
2008-10-31 18:42 . 2008-10-31 18:42 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-10-31 18:41 . 2008-10-31 20:32 <DIR> d-------- c:\documents and settings\Akil\.housecall6.6
2008-10-31 16:05 . 2008-10-31 16:05 <DIR> d-------- c:\program files\Lavasoft
2008-10-31 16:05 . 2008-10-31 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 09:51 . 2000-03-23 12:50 446,464 -ra------ c:\windows\system32\hhactivex.dll
2008-10-31 09:51 . 1999-05-07 13:24 414,944 --a------ c:\windows\system32\COMCT332.OCX
2008-10-31 09:51 . 1998-11-10 10:46 328,480 --a------ c:\windows\system32\ssa3d30.ocx
2008-10-31 09:51 . 2002-01-08 17:00 176,128 --a------ c:\windows\system32\RcdScan.dll
2008-10-31 09:51 . 1998-09-24 12:03 171,967 --a------ c:\windows\system32\Odbcjet.hlp
2008-10-31 09:51 . 1998-06-17 23:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-10-31 09:51 . 1998-09-24 12:03 7,348 --a------ c:\windows\system32\Odbcjet.cnt
2008-10-30 09:59 . 2008-10-30 09:59 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-10-27 18:43 . 2008-10-27 18:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-27 10:48 . 2008-11-05 22:19 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 1
2008-10-26 17:53 . 2008-10-26 17:53 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-10-25 21:17 . 2008-11-05 13:05 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-25 20:55 . 2008-11-05 22:33 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-10-25 20:55 . 2008-10-25 20:55 <DIR> d-------- c:\program files\AVG
2008-10-25 20:55 . 2008-10-26 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-10-25 20:55 . 2008-10-27 09:15 <DIR> d-------- c:\documents and settings\Akil\Application Data\AVGTOOLBAR
2008-10-25 20:55 . 2008-10-25 20:55 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-10-25 20:55 . 2008-10-25 20:55 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-10-25 17:27 . 2008-10-25 20:36 <DIR> d-------- c:\documents and settings\Akil\Application Data\GetModule
2008-10-22 13:31 . 2008-10-22 13:31 <DIR> d-------- c:\program files\iPod
2008-10-22 13:31 . 2008-10-22 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-09 08:48 . 2008-10-09 08:48 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-09 01:28 . 2008-10-09 01:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Verizon
2008-10-09 00:21 . 2008-10-25 18:24 <DIR> d-------- c:\documents and settings\Guest\Application Data\Verizon
2008-10-09 00:20 . 2008-10-25 18:24 <DIR> d-------- c:\documents and settings\Amir\Application Data\Verizon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 19:49 --------- d-----w c:\program files\Google
2008-11-04 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Verizon
2008-10-31 21:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-31 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2008-10-31 14:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 14:50 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-31 05:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-30 23:06 --------- d-----w c:\program files\Verizon
2008-10-27 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 02:31 --------- d-----w c:\program files\VirtualDJ
2008-10-26 01:34 --------- d-----w c:\program files\Common Files\Authentium
2008-10-25 23:24 --------- d-----w c:\documents and settings\Akil\Application Data\Verizon
2008-10-21 13:38 --------- d-----w c:\program files\Security Task Manager
2008-10-12 17:02 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-11 22:19 --------- d-----w c:\documents and settings\Akil\Application Data\Spybot - Search & Destroy
2008-10-09 13:52 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-09 13:51 --------- d-----w c:\program files\Java
2008-10-09 06:29 --------- d-----w c:\documents and settings\Akil\Application Data\SUPERAntiSpyware.com
2008-10-09 04:53 --------- d-----w c:\program files\Juno
2008-10-05 19:14 --------- d-----w c:\documents and settings\Akil\Application Data\Malwarebytes
2008-10-05 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-05 16:14 --------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-02 06:49 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2008-10-01 20:46 --------- d-----w c:\program files\BitComet
2008-09-28 18:30 --------- d-----w c:\program files\Picasa2
2008-09-27 01:03 --------- d-----w c:\program files\Common Files\SupportSoft
2008-09-27 00:14 --------- d--h--r c:\documents and settings\Akil\Application Data\yahoo!
2008-09-27 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-09-26 23:55 --------- d-----w c:\program files\Yahoo!
2008-09-26 23:53 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-09-26 19:46 --------- d-----w c:\program files\QuickTime
2008-09-26 19:46 --------- d-----w c:\program files\Bonjour
2008-09-26 19:45 --------- d-----w c:\program files\Common Files\Apple
2008-09-26 19:44 --------- d-----w c:\program files\Apple Software Update
2008-09-26 19:29 --------- d-----w c:\program files\StarzPlay
2008-09-26 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\StarzEntertainment
2008-09-26 14:22 --------- d-----w c:\documents and settings\Akil\Application Data\Motive
2008-09-26 08:20 --------- d-----w c:\program files\Windows Media Connect 2
2008-09-26 05:29 --------- d-----w c:\program files\Common Files\Motive
2008-09-26 05:29 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-09-26 05:28 --------- d-----w c:\program files\vol_toolbar
2008-09-26 05:28 --------- d-----w c:\documents and settings\Akil\Application Data\vol_toolbar
2008-09-26 04:24 --------- d-----w c:\program files\VUGames
2008-09-20 22:41 --------- d-----w c:\program files\Connection Wizard
2008-09-08 04:11 38,528 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-09-08 04:11 17,200 ----a-w c:\windows\system32\drivers\mbam.sys
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2007-09-13 17:10 694 ----a-w c:\program files\Shortcut to iTunes.lnk
2007-09-13 17:10 694 ----a-w c:\program files\Shortcut (2) to iTunes.lnk
2006-12-12 15:31 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-02-08 19:35 14,137,856 ----a-w c:\program files\iTunes.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-04_15.41.38.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-11-01 22:31:34 315,904 ----a-w c:\windows\inf\unregmp2.exe
+ 2007-06-27 03:10:26 317,440 ----a-w c:\windows\inf\unregmp2.exe
+ 2008-11-05 19:49:37 10,134 ----a-r c:\windows\Installer\{79916F0F-838B-11DD-B6D5-005056806466}\ARPPRODUCTICON.exe
+ 2008-11-05 19:49:37 26,694 ----a-r c:\windows\Installer\{79916F0F-838B-11DD-B6D5-005056806466}\UNINST_Uninstall_G_BCEEAF790189405A8B93BFE1E41FCD64.exe
- 2006-11-01 22:31:34 315,904 ----a-w c:\windows\system32\dllcache\unregmp2.exe
+ 2007-06-27 03:10:26 317,440 ----a-w c:\windows\system32\dllcache\unregmp2.exe
+ 2006-10-18 09:32:38 807,032 ----a-w c:\windows\system32\wmv9dmod.dll
+ 2008-11-06 03:30:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_14c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Adobe Photo Downloader"="e:\program files\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Adobe Reader Speed Launcher"="e:\program files\Reader\Reader_sl.exe" [2008-01-11 39792]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 2065648]
"StarzTray"="c:\program files\StarzPlay\StarzPlayTray.exe" [2008-07-08 505112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 1537648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-09 136600]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-25 1234712]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SMSERIAL"="sm56hlpr.exe" [2004-01-28 c:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\JcServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Program Files\\Hotsync.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlay.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlayTray.exe"=
"c:\\Program Files\\StarzPlay\\StarzPlayPlayer.exe"=
"c:\\Program Files\\StarzPlay\\StarzUpdater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17033:TCP"= 17033:TCP:*:Disabled:BitComet 17033 TCP
"17033:UDP"= 17033:UDP:*:Disabled:BitComet 17033 UDP
"25108:TCP"= 25108:TCP:BitComet 25108 TCP
"25108:UDP"= 25108:UDP:BitComet 25108 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-25 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-25 231704]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-10-09 147456]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-05-15 21920]
S2 gupdate1c93f7f7251ba48;Google Update Service (gupdate1c93f7f7251ba48);c:\program files\Google\Update\GoogleUpdate.exe [2008-11-05 119280]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a74be49-8571-11db-817a-0013203012e1}]
\Shell\Auto\command - E:\Setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.exe

*Newly Created Service* - JZUKHFMH
*Newly Created Service* - VPROEVENTMONITOR
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\GoogleUpdateTask.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-05 14:47]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 22:32:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Akil\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log.old 285 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\gearsec.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\AVG\AVG8\avgcmgr.exe
.
**************************************************************************
.
Completion time: 2008-11-05 22:37:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-06 03:37:05
ComboFix2.txt 2008-11-04 23:33:22
ComboFix3.txt 2008-11-04 20:42:31

Pre-Run: 60,978,692,096 bytes free
Post-Run: 61,021,736,960 bytes free

270 --- E O F --- 2008-11-05 08:08:13

#10 Buckeye_Sam
Malware Expert

Posted 06 November 2008 - 04:41 PM

Looks pretty good to me.
How are things on your end? Any problems?

#11 DP7
Topic Starter

Posted 06 November 2008 - 08:24 PM

Yeah, thanks, I think we got most of it, and it's mostly back to normal, but the only thing is it's not connecting to certain sites, and if I try to write a post, it won't post (this is being sent from my laptop). For example, all the posts of the logs had to be made from my laptop after I emailed the log to myself. And if I try to attach a document to my email it won't attach, and some streaming sites will freeze the browser. I don't know if that's connected or not, but that wasn't the case before.

Thanks again.

#12 Buckeye_Sam
Malware Expert

Posted 07 November 2008 - 04:53 AM

Let's do a little more looking around then.



Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

#13 DP7
Topic Starter

Posted 08 November 2008 - 01:29 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-08 12:47:16
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBA1DAB30]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xBA1DA6F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBA1DA470]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBA1DAC50]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBA1DA990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBA1DA8D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBA1DAD60]

Code 8A3DC938 ZwCreateSection
Code 8A41D800 ZwDuplicateObject
Code 8A44FC80 ZwSetInformationFile
Code 8A6DB458 ZwSetSystemInformation
Code 8A2E5CE0 ZwWriteFile
Code 8A3DC937 NtCreateSection
Code 8A41D7FF NtDuplicateObject
Code 8A44FC7F NtSetInformationFile
Code 8A2E5CDF NtWriteFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!IoGetBootDiskInformation + 66F 80575731 7 Bytes JMP 89FDAADC
PAGE ntkrnlpa.exe!NtSetInformationFile 80579DC4 7 Bytes JMP 8A44FC84
PAGE ntkrnlpa.exe!NtWriteFile 8057BC82 7 Bytes JMP 8A2E5CE4
PAGE ntkrnlpa.exe!NtCreateSection 805A9DEE 7 Bytes JMP 8A3DC93C
PAGE ntkrnlpa.exe!ObCloseHandle + 17 805BAEAF 7 Bytes JMP 8A245EEC
PAGE ntkrnlpa.exe!NtDuplicateObject 805BC890 7 Bytes JMP 8A41D804
PAGE ntkrnlpa.exe!ZwSetSystemInformation 8060DB2E 5 Bytes JMP 8A6DB45C
.text tcpip.sys!IPTransmit + 10BC A9764CFA 6 Bytes CALL B9DEFE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 263D A976627B 6 Bytes CALL B9DEFE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!ARPRcv + 521E A976B4BE 6 Bytes CALL B9DEFE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys BA1CD3FD 4 Bytes CALL B9DEFFA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys BA1CD402 2 Bytes [ 90, 90 ]
PAGE Fastfat.SYS A8E8E948 4 Bytes JMP 8A23EA6C
PAGE Fastfat.SYS A8E8E94D 2 Bytes [ 90, 90 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B9DF0C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9DF0BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DF0B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B9DF08E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B9DF08E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9DF0BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B9DF0C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DF0B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DF0B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B9DF08E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B9DF0BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B9DF0C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B9DF08E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B9DF0C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9DF0BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B9DF0B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B9DF0C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9DF0BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B9DF08E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DF0B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B9DF08E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9DF0BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B9DF0C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B9DF08E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DF0B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B9DF0C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9DF0BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Fastfat \FatCdrom Code 8A23EA68
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \FileSystem\Fastfat \Fat Code 8A23EA68

AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

---- EOF - GMER 1.0.14 ----

#14 Buckeye_Sam
Malware Expert

Posted 08 November 2008 - 06:01 PM

Just a little remnant of TDSS that I'd like to get rid of, but no smoking gun there in that log.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.
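One way to triage a GMER log like the one DP7 posted, added here as an example and not GMER's code or anything from this thread: it attributes each SSDT hook to the driver GMER named (in the log above, every one is Sygate's wpsdrvnt.sys), lists the bare "Code" hooks that GMER could not attribute to a driver, and flags service keys such as TDSSserv whose ImagePath names a driver file that is no longer on disk, which is what a leftover service entry looks like. The sample log, the set of files assumed present and the function names are all constructed for this example.

```python
"""Triage helper for GMER rootkit-scan logs.

Added example for this thread, not part of GMER or of any post in it.
It parses the three line shapes seen in the posted log (SSDT hooks with a
module attribution, bare 'Code' hooks, and 'Reg' remnants) and answers the
questions a helper asks when reading one: which driver owns the hooks, which
hooks have no owner, and which service entries point at a file that is gone.
"""
import re
from collections import Counter

# Constructed sample in the format of the GMER 1.0.14 log in the thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBA1DAB30]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBA1DA8D0]

Code 8A3DC938 ZwCreateSection
Code 8A2E5CE0 ZwWriteFile

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

---- EOF - GMER 1.0.14 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*)\)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]\s*$")
CODE_RE = re.compile(r"^Code\s+([0-9A-Fa-f]+)\s+(\w+)\s*$")
REG_RE = re.compile(r"^Reg\s+(\S+)@(\w+)\s+(.*?)\s*$")
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)


def parse_gmer(text):
    """Split a GMER log into attributed SSDT hooks, bare Code hooks and Reg entries."""
    parsed = {"ssdt": [], "code": [], "reg": {}}
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            path, module, func, addr = m.groups()
            parsed["ssdt"].append({"path": path, "module": module,
                                   "function": func, "address": addr})
            continue
        m = CODE_RE.match(line)
        if m:
            # GMER prints "Code <addr> <func>" when the hook target is not
            # inside any driver it could name, so the hook has no owner.
            parsed["code"].append({"address": m.group(1), "function": m.group(2)})
            continue
        m = REG_RE.match(line)
        if m:
            key, name, data = m.groups()
            parsed["reg"].setdefault(key, {})[name.lower()] = data
    return parsed


def hooks_by_module(parsed):
    """Count SSDT hooks per owning module (all from one firewall driver is a benign pattern)."""
    return dict(Counter(h["module"] for h in parsed["ssdt"]))


def unattributed_hooks(parsed):
    """Functions hooked from code GMER could not attribute to a named driver."""
    return [h["function"] for h in parsed["code"]]


def service_entries(parsed):
    """Fold the per-value Reg lines of each Services\\<name> key into one record."""
    services = []
    for key, values in parsed["reg"].items():
        m = SERVICE_KEY_RE.search(key)
        if not m:
            continue
        rec = {"name": m.group(1), "key": key, "imagepath": values.get("imagepath")}
        for field in ("start", "type"):  # 1/1 here: system-start kernel driver
            if values.get(field, "").isdigit():
                rec[field] = int(values[field])
        services.append(rec)
    return services


def orphaned_services(parsed, present_files):
    """Names of services whose ImagePath names a driver file not in present_files.

    present_files is a constructed set of lower-case driver file names that are
    actually on disk; a service key left behind after its driver was removed
    shows up here as an orphan.
    """
    orphans = []
    for svc in service_entries(parsed):
        image = svc.get("imagepath")
        if not image:
            continue
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in present_files:
            orphans.append(svc["name"])
    return orphans


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    print("hooks by module:", hooks_by_module(parsed))
    print("unattributed hooks:", unattributed_hooks(parsed))
    print("services in log:", service_entries(parsed))
    # Constructed list of drivers present on disk; TDSSserv.sys is not among them.
    print("orphaned services:", orphaned_services(parsed, {"wpsdrvnt.sys", "teefer.sys"}))
```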


#15 DP7
Topic Starter

Posted 10 November 2008 - 02:44 PM

SDFix: Version 1.240
Run by Akil on Mon 11/10/2008 at 02:27 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Akil\Favorites\Malware Defender.url - Deleted
C:\Documents and Settings\Akil\Favorites\Protect Your Privacy.url - Deleted
C:\Documents and Settings\Akil\Favorites\System Error Fixer.url - Deleted
C:\DOCUME~1\Akil\LOCALS~1\Temp\tmp31.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 14:34:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"E:\\Program Files\\JcServer.exe"="E:\\Program Files\\JcServer.exe:*:Disabled:jcServer"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"E:\\Program Files\\Hotsync.exe"="E:\\Program Files\\Hotsync.exe:*:Enabled:HotSyncr Manager Application"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\StarzPlay\\StarzPlay.exe"="C:\\Program Files\\StarzPlay\\StarzPlay.exe:*:Enabled:StarzPlay"
"C:\\Program Files\\StarzPlay\\StarzPlayTray.exe"="C:\\Program Files\\StarzPlay\\StarzPlayTray.exe:*:Enabled:StarzPlayTray"
"C:\\Program Files\\StarzPlay\\StarzPlayPlayer.exe"="C:\\Program Files\\StarzPlay\\StarzPlayPlayer.exe:*:Enabled:StarzPlayPlayer"
"C:\\Program Files\\StarzPlay\\StarzUpdater.exe"="C:\\Program Files\\StarzPlay\\StarzUpdater.exe:*:Enabled:StarzUpdater"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 5 Nov 2008 1,839,104 A..H. --- "C:\My Games\Build-a-lot - Town of the Year\Buildalot2.exe"
Sun 9 Nov 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 27 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 2 Jul 2008 76,800 ...H. --- "C:\Documents and Settings\Akil\Desktop\Word Stuff\~WRL3212.tmp"
Mon 14 Jul 2008 37,376 A..H. --- "C:\Documents and Settings\Akil\My Documents\HUAC NYC\~WRL2350.tmp"
Wed 17 Oct 2007 50,688 A..H. --- "C:\Documents and Settings\Akil\My Documents\JOBS\~WRL2900.tmp"
Tue 24 Apr 2007 368,128 ...H. --- "C:\Documents and Settings\Akil\My Documents\Write\~WRL0977.tmp"
Sat 21 Apr 2007 846,848 ...H. --- "C:\Documents and Settings\Akil\My Documents\Write\~WRL1796.tmp"
Fri 26 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 27 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 18 Sep 2008 30,208 A..H. --- "C:\Documents and Settings\Akil\My Documents\Business\Org\~WRL2729.tmp"
Tue 23 Sep 2008 44,032 A..H. --- "C:\Documents and Settings\Akil\My Documents\Business\Org\~WRL2982.tmp"
Tue 8 Apr 2008 92,672 A..H. --- "C:\Documents and Settings\Akil\My Documents\HUAC NYC\Newsletter & Notes\~WRL3310.tmp"
Wed 27 Dec 2006 4,348 ...H. --- "C:\Documents and Settings\Akil\My Documents\My Music\License Backup\drmv1key.bak"
Tue 27 Feb 2007 20 A..H. --- "C:\Documents and Settings\Akil\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 27 Dec 2006 400 A.SH. --- "C:\Documents and Settings\Akil\My Documents\My Music\License Backup\drmv2key.bak"
Tue 5 Dec 2006 26,624 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\Essays\~WRL1607.tmp"
Thu 30 Nov 2006 26,624 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\Essays\~WRL3880.tmp"
Fri 9 Mar 2007 96,768 ...H. --- "C:\Documents and Settings\Akil\My Documents\Write\Opt Out\~WRL1401.tmp"
Sat 12 Nov 2005 62,976 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\The Society\~WRL0067.tmp"
Sat 8 Oct 2005 75,264 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\The Society\~WRL0857.tmp"
Sat 18 Jun 2005 49,152 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\The Society\~WRL1517.tmp"
Fri 17 Jun 2005 46,080 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\The Society\~WRL1614.tmp"
Sun 17 Jul 2005 76,800 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\The Society\~WRL1697.tmp"
Mon 15 May 2006 82,944 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\The Society\~WRL2284.tmp"
Sun 21 May 2006 84,480 A..H. --- "C:\Documents and Settings\Akil\My Documents\Write\The Society\~WRL3574.tmp"
Tue 19 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 19 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!
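The "Authorized Application Key Export" section of the report above is the Windows XP SP2 firewall exception list: each value is `<path>:<scope>:<Enabled|Disabled>:<display name>`, written in .reg syntax with doubled backslashes. Malware that wants inbound connectivity commonly adds itself to this list, so the export is worth reading rather than skimming. The following Python script is an added example, not part of this thread and not code from SDFix or BleepingComputer: it parses that export, handles the drive-letter colon inside the path, and flags enabled exceptions whose executable sits in a temp or user-profile directory or carries the name of a Windows system binary while living outside the Windows directory. The sample input is constructed in the same format as the posted export; the `Temp\svchost.exe` entry is invented to show what a flagged line looks like and does not appear in the posted log.

```python
"""Parse a Windows XP SP2 firewall AuthorizedApplications registry export (the
format SDFix prints) and flag exceptions a responder should look at.

Added example; the sample export below is constructed in the format of the
SDFix report, and the Temp\\svchost.exe entry is invented for illustration.
"""
import re
from dataclasses import dataclass, field

SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"E:\\Program Files\\JcServer.exe"="E:\\Program Files\\JcServer.exe:*:Disabled:jcServer"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\DOCUME~1\\Akil\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\Akil\\LOCALS~1\\Temp\\svchost.exe:*:Enabled:Windows Update"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# Entry value format: <path>:<scope>:<Enabled|Disabled>:<display name>.
# The path itself contains a colon (drive letter), so the pattern anchors on
# the three trailing fields instead of splitting the value on ':'.
_ENTRY_RE = re.compile(
    r'^"(?P<key>[^"]+)"="(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)"$',
    re.IGNORECASE,
)
_PROFILE_RE = re.compile(r'firewallpolicy\\(?P<profile>\w+)\\authorizedapplications', re.IGNORECASE)

# Directories where an inbound exception for an executable deserves a second
# look: user temp and the user profile, including their 8.3 short forms.
_SUSPICIOUS_DIRS = ('\\temp\\', '\\documents and settings\\', '\\docume~1\\', '\\locals~1\\')
# Names malware borrows from Windows; the real ones live under the Windows
# directory and do not normally need a firewall exception at all.
_SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe', 'services.exe'}


@dataclass
class FirewallException:
    profile: str
    path: str
    scope: str
    enabled: bool
    name: str
    findings: list = field(default_factory=list)


def _unescape(value):
    # .reg syntax doubles every backslash inside a string value.
    return value.replace('\\\\', '\\')


def _assess(entry):
    """Return the list of reasons this exception deserves attention (empty if none)."""
    findings = []
    if not entry.enabled:
        return findings  # a disabled exception opens nothing
    low = entry.path.lower()
    base = low.rsplit('\\', 1)[-1]
    if any(d in low for d in _SUSPICIOUS_DIRS):
        findings.append('executable lives in a temp or user-profile directory')
    in_windows = '\\windows\\' in low or low.startswith('%windir%')
    if base in _SYSTEM_NAMES and not in_windows:
        findings.append(f'{base} outside the Windows directory (name impersonates a system binary)')
    if entry.scope != '*':
        findings.append(f'non-default scope {entry.scope!r}')
    return findings


def parse_export(text):
    """Parse the exported key(s) into FirewallException records, one per value."""
    entries = []
    profile = 'unknown'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('['):  # a key header selects the firewall profile
            m = _PROFILE_RE.search(line)
            profile = m.group('profile').lower() if m else 'unknown'
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # not an AuthorizedApplications value; ignore
        entry = FirewallException(
            profile=profile,
            path=_unescape(m.group('path')),
            scope=m.group('scope'),
            enabled=m.group('state').lower() == 'enabled',
            name=m.group('name'),
        )
        entry.findings = _assess(entry)
        entries.append(entry)
    return entries


def flagged(entries):
    return [e for e in entries if e.findings]


if __name__ == '__main__':
    for e in parse_export(SAMPLE_EXPORT):
        state = 'Enabled ' if e.enabled else 'Disabled'
        print(f'[{e.profile}] {state} {e.path}  ({e.name})')
        for reason in e.findings:
            print(f'    !! {reason}')
```

Run against the export in the posted log, every enabled exception resolves to Program Files, the Windows directory or `%windir%`, so the check above would flag nothing there; the disabled entries (JcServer, sessmgr under the standard profile) open no ports and can be ignored. The check is deliberately narrow: an exception under Program Files is not proof of legitimacy, only of a location that matches the display name, and the display name itself is attacker-controlled, which is why the script keys on the path rather than the name.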



