
Reinfection from a Remission of Karna.dat/Brastk.exe/Downloader.Zlob & JS/Tenia.d


20 replies to this topic

#1 232xanax232

  • Members
  • 24 posts

Posted 18 December 2008 - 02:08 PM

All went well from the previous clean up of Karna.dat, Brastk.exe, Downloader.Zlob, JS/Tenia.d, etc., etc., that Propaganda Panda helped me with.
see: http://www.bleepingcomputer.com/forums/t/180048/helptrojan-blocking-other-virus-scanners-and-virus-help-websites/

A program called C:\Windows\system32\a.exe tried to connect to the internet about a week and a half after the cleanup; I deleted this file. Then the other day my computer restarted on its own. I ran scans but nothing showed. I knew something must be awry but could not find anything, and now, on the 16th in the morning, McAfee reported that a file named a.exe once again tried to connect to the internet. I pulled the plug that connected me to the internet and started running scans again.

Here is what my McAfee Detection log showed when I got hit:

Details-Time 8:40:53am
Detection name:Generic.dx(Trojan), Generic.dx(Trojan)
File: C:\Documents and Settings\Administator\Local Settings\Temp\prun.tmp
Process: C:\Windows\system32\a.exe
Process description:C:\Windows\system32\a.exe

Details-Time 8:40:54am
Detection name:Generic Downloader.x(Trojan), GenericDownloader.x(Trojan)
File: C:\Documents and Settings\Administator\Local Settings\Temp\wavvsnet.tmp
Process: C:\Windows\system32\a.exe
Process description:C:\Windows\system32\a.exe

Details-Time 8:40:55am
Detection name:Generic Downloader.x(Trojan), GenericDownloader.x(Trojan)
File: C:\Documents and Settings\Administator\Local Settings\Temp\winvsnet.tmp
Process: C:\Windows\system32\a.exe
Process description:C:\Windows\system32\a.exe

Details-Time 8:46:08am
Detection name:Generic PUP.x(Potentially UnwantedProgram), Generic PUP.x(Potentially UnwantedProgram)
File: C:\Windows\system32\MRXPRS.DLL
Process: C:\Program Files\Spybot-Search&Destroy\SpybotSD.exe
Process description:Spybot-Search&Destroy

Details-Time 8:49:18am
Detection name:Generic.dx(Trojan), Generic.dx(Trojan)
File: C:\Documents and Settings\Administator\Local Settings\Temp\prun.tmp
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpre.tmp
Process description: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpre.tmp

Details-Time 8:49:26am
Detection name:Generic Downloader.x (Trojan),Generic Downloader.x (Trojan)
File: C:\Documents and Settings\Administator\Local Settings\Temp\wavvsnet.tmp
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpre.tmp
Process description: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpre.tmp

Details-Time 8:49:28am
Detection name:Generic Downloader.x (Trojan),Generic Downloader.x (Trojan)
File: C:\Documents and Settings\Administator\Local Settings\Temp\winvsnet.tmp
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpre.tmp
Process description: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpre.tmp

-------------------------------------------------------------------------------------------------

Then later that night, starting at 6:02:08PM, McAfee allowed these to run on its own without my knowledge or consent.
Listed under McAfee SystemGuards Log:

Details-Name:Startup Items-Time:6:02:08PM
Rule Type:Registry
Process: C:\Windows\system32\rundll32.exe
Process description: Run a DLL as an App
Process publisher: Microsoft Corporation
Process version:5.1.2600.5512 (xpsp.08413-2105)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kusiwezerirundll32.exe

Then 2 seconds later McAfee allowed these Browser Helper Objects:
Details-Name:Browser Helper Objects-Time: 6:02:10PM
Rule Type: Registry
Process: C:\Program Files SpywareGaurd\sgbhp.exe
Process description:SG Browser Hijacking Protection
Process version:2.02.0001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 6:02:15PM
Rule Type: Registry
Process: C:\Windows\explorer.exe
Process description:Windows Explorer
Process publisher:Microsoft Corporation
Process version:6.00.2900.5512 (xpsp.080413-2105)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 6:02:20PM
Rule Type: Registry
Process: C:\Program Files\Internet Explorer\iexplore.exe
Process description:Internet Explorer
Process publisher:Microsoft Corporation
Process version:7.00.6000.16762 (vista_gdr.081013.1507)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 6:02:46PM
Rule Type: Registry
Process: C:\Program Files\SpywareGuard\sgmain.exe
Process description:SpywareGuard
Process version:2.02.0001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 6:04:54PM
Rule Type: Registry
Process: C:\Program Files\XoftSpySE\XoftSpy.exe
Process description:Xoftspy
Process publisher:ParetoLogic
Process version:4, 33, 5259, 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 6:07:10PM
Rule Type: Registry
Process: C:\Program Files\MagicDisc\MagicDisc.exe
Process description:MagicISO Virtual CD/DVDManager
Process publisher:MagicISO, Inc.
Process version:2.7.0.105
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 6:14:26PM
Rule Type: Registry
Process: C:\Windows\system32\rundll32.exe
Process description:Run a DLLas anapp
Process publisher:Microsoft Corporation
Process version:5.1.2600.5512 (xpsp.080413-2105
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 7:07:49PM
Rule Type: Registry
Process: C:\Program Files\Wacom\TabUserW.exe
Process description:TABUSERW
Process publisher:Wacom Technology, Corp.
Process version:4.76-4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 7:07:51PM
Rule Type: Registry
Process: C:\Program Files\Wacom\TabUserW.exe
Process description:TABUSERW
Process publisher:Wacom Technology, Corp.
Process version:4.76-4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 7:08:02PM
Rule Type: Registry
Process: C:\Program Files\SpywareGuard\sgmain.exe
Process description:SpywareGuard
Process version:2.02.0001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\kenahapu.dll

Details-Name:Browser Helper Objects-Time: 7:08:03PM
Rule Type: Registry
Process: C:\Program Files\Internet Explorer\iexplore.exe
Process description:Internet Explorer
Process publisher:Microsoft Corporation
Process version:7.00.6000.16762 (vista_gdr.081013.1507)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\kenahapu.dll

Details-Name:Browser Helper Objects-Time: 7:18:10PM
Rule Type: Registry
Process: C:\Program Files\SpywareGuard\sgbhp.exe
Process description:SG Browser Hijacking Protection
Process version:2.02.0001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\kenahapu.dll

Details-Name:Browser Helper Objects-Time: 7:18:16PM
Rule Type: Registry
Process: C:\Program Files\Internet Explorer\iexplore.exe
Process description:Internet Explorer
Process publisher:Microsoft Corporation
Process version:6.00.2900.5512 (xpsp.080413-2105)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\kenahapu.dll

---------------------------------------------------------------------------------------------

I have run the whole gamut of scans and rootkit killers on the computer, with the last three being Malwarebytes Anti-Malware, SDFix, and SmitFraudFix. I have gone through my HijackThis log and my registry and deleted what I could find of the remnants, and would very much appreciate it if someone could take a look at my HijackThis log to see if I got it all.
All the scans I do now show everything is clean, and the computer seems to be back to normal.

---------------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HERE IS MY LAST HIJACKTHIS.LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:43, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TheyreAliveIE Class - {D99D8C80-287F-4E53-AB64-B2225DB42F83} - C:\Program Files\They're Alive!\TheyreAlive.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Mea\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 13626 bytes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
By the way I deleted Autocad 2002 but I see it is still listed here on the log.

Any help received will be very much appreciated once again.
Thank You

*****AFTER THIS POST ***********
After I made this post, Trojan.Vundo.H reared its ugly head and took over my machine again somehow. I have run FDFix and Malwarebytes; I am now running a Kaspersky scan to see what it sees on my computer. This is a bugger.

Waiting for a reply; I will have fresh logs when you respond.

Thanks.

Edited by 232xanax232, 19 December 2008 - 10:10 AM.

“When one door closes another door opens; but we so often
look so long and so regretfully upon the closed door, that
we do not see the ones which open for us.”
--Alexander Graham Bell
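Added example (editor's note, not part of 232xanax232's post or of any BleepingComputer tool): the SystemGuards entries above contain two facts worth pulling out mechanically rather than by eye. The same BHO CLSID {ed462d40-36fc-4642-97e8-009c2eba35a6} is backed first by bulopazo.dll and, an hour later, by kenahapu.dll, and that CLSID appears nowhere in the O2 lines of the HijackThis log posted underneath it. The script below parses SystemGuards-style records, extracts the Run value, the BHO CLSID and the InProcServer32 DLL, and reports (a) BHO CLSIDs McAfee saw loading that the HijackThis O2 list does not know about and (b) CLSIDs whose backing DLL changed within the log window. The sample lines are constructed from the entries in this post (description/publisher/version fields trimmed); the function names and the record-splitting on blank lines are my own assumptions about the log layout.

```python
import re
from collections import defaultdict

# Constructed sample: three SystemGuards records modelled on the ones quoted in
# post #1 (same CLSID, DLL names and Run value as on the page; the
# "Process description/publisher/version" fields are dropped for brevity).
SYSTEMGUARDS_LOG = r"""
Details-Name:Startup Items-Time:6:02:08PM
Rule Type:Registry
Process: C:\Windows\system32\rundll32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kusiwezerirundll32.exe

Details-Name:Browser Helper Objects-Time: 6:02:10PM
Rule Type: Registry
Process: C:\Program Files\SpywareGuard\sgbhp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\bulopazo.dll

Details-Name:Browser Helper Objects-Time: 7:08:03PM
Rule Type: Registry
Process: C:\Program Files\Internet Explorer\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed462d40-36fc-4642-97e8-009c2eba35a6}"HKEY_LOCAL_MACHINE\CLSID\{ed462d40-36fc-4642-97e8-009c2eba35a6}InProcServer32C:\WINDOWS\system32\kenahapu.dll
"""

# Constructed sample: a few O2 lines copied from the HijackThis log in post #1.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
INPROC_RE = re.compile(r"InProcServer32(.+?\.dll)\s*$", re.I)   # DLL glued after InProcServer32
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\(.+)$", re.I)      # value name under ...\Run\
HEADER_RE = re.compile(r"Details-Name:(.+?)-Time:\s*(\S+)")


def parse_systemguards(text):
    """Split the log into blank-line-separated records and extract the fields we need.
    Assumption: every record starts with a 'Details-Name:...-Time:...' header line."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"name": None, "time": None, "process": None,
               "clsid": None, "dll": None, "run_value": None}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("Details-Name:"):
                m = HEADER_RE.match(line)
                if m:
                    rec["name"], rec["time"] = m.group(1).strip(), m.group(2)
            elif line.startswith("Process:"):
                rec["process"] = line.split(":", 1)[1].strip()
            elif line.startswith("HKEY_"):
                c, d, r = CLSID_RE.search(line), INPROC_RE.search(line), RUN_RE.search(line)
                rec["clsid"] = c.group(0) if c else None
                rec["dll"] = d.group(1) if d else None
                rec["run_value"] = r.group(1) if r else None
        records.append(rec)
    return records


def hjt_bho_clsids(text):
    """Collect the CLSIDs of every O2 (BHO) line in a HijackThis log, lower-cased."""
    known = set()
    for line in text.splitlines():
        if line.startswith("O2 - BHO:"):
            m = CLSID_RE.search(line)
            if m:
                known.add(m.group(0).lower())
    return known


def analyse(systemguards_text, hjt_text):
    """Cross-check what SystemGuards saw loading against the HijackThis O2 list and
    report BHO CLSIDs whose backing DLL changed during the log window."""
    records = parse_systemguards(systemguards_text)
    known = hjt_bho_clsids(hjt_text)
    history = defaultdict(list)          # clsid -> DLL paths in first-seen order
    for rec in records:
        if rec["clsid"] and rec["dll"]:
            key = rec["clsid"].lower()
            if rec["dll"].lower() not in [d.lower() for d in history[key]]:
                history[key].append(rec["dll"])
    return {
        "unknown_bhos": sorted(c for c in history if c not in known),
        "dll_changes": {c: dlls for c, dlls in history.items() if len(dlls) > 1},
        "run_values": [r["run_value"] for r in records if r["run_value"]],
    }


if __name__ == "__main__":
    result = analyse(SYSTEMGUARDS_LOG, HJT_LOG)
    for clsid in result["unknown_bhos"]:
        print(f"BHO {clsid} loaded per SystemGuards but not listed by HijackThis O2")
    for clsid, dlls in result["dll_changes"].items():
        print(f"BHO {clsid} InProcServer32 changed: " + " -> ".join(dlls))
    for value in result["run_values"]:
        print(f"Run value written: {value}")
```

On the constructed sample this reports the one CLSID as unknown to HijackThis, lists bulopazo.dll -> kenahapu.dll as its DLL history, and surfaces the kusiwezerirundll32.exe Run value. A BHO whose DLL name keeps changing while its CLSID stays fixed is the pattern a helper would want to see before deciding whether a clean HijackThis log really means the machine is clean.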




#2 232xanax232

  • Topic Starter
  • Members
  • 24 posts

Posted 26 December 2008 - 03:52 PM

OK, due to the time from my original post on Dec 18th till today, Dec 26, I have tried many different things trying to rid myself of this infection. A few things have been caught in action, so to speak: I hit up netstat and caught a connection that my computer made on its own to an address that, when I looked up the whois on it, stated that it was compromised by VUNDO. This connection occurred during a time when I had McAfee put my computer's firewall in lockdown mode. (McAfee is great software, but lately it seems to have been letting arbitrary code run without permissions, and in this case let a connection happen while in what McAfee calls lockdown mode.)
The addy is 77.74.48.105 and it made a connection on port 2255 / 2256, so I have blocked this addy with my firewall.
I have also perused my reg files and came across a few that were listed as virus/Trojan, which I deleted.
I have downloaded the latest DDS.SCR (listed under your new prep-for-help page) and ran it, and have the log ready whenever whoever helps me wants it. There are a few DLLs listed on it as virus/rootkits which at this time I will no longer be trying to eradicate on my own, so they are left there until help arrives.
I will not add to or delete anything until I have the expert help that you provide, so as not to mess things up for a clean machine.

Thanks in advance for any help you provide

Here is my DDS.Txt, and my latest HiJackThis.Log



DDS (Version 1.1.0) - NTFSx86
Run by Administrator at 14:00:01.17 on Fri 12/26/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.393 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.wzzm13.com/
uWindow Title =
uSearch Bar = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.wzzm13.com/
mSearch Bar = hxxp://www.google.com/ie
mWindow Title = Smile God the Universe Loves You
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: TheyreAliveIE Class: {d99d8c80-287f-4e53-ab64-b2225db42f83} - c:\program files\they're alive!\TheyreAlive.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {3236FF08-D1F3-4020-AD8D-4012C8EAF98E} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CARPService] carpserv.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\mea\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuserw.lnk - c:\program files\wacom\TabUserW.exe
IE: &eBay Search
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: Explore with &Instant Source
IE: ImTranslator
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Save Flash by &GetFlash
IE: Sothink SWF Catcher
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {8BD5271D-69C9-4467-882D-5139952D7754} - {3DC8D6D6-AFF0-45CC-A847-E5012F60BA57} - c:\program files\instant source\isrc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [2007-2-20 2944]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-18 201320]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-4 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\McShield.exe [2007-11-18 144704]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-18 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-18 35240]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 03eE;03eE;\??\c:\windows\system32\03eE.sys []
S3 04c8;04c8;\??\c:\windows\system32\04c8.sys []
S3 38c12;38c12;\??\c:\windows\system32\38c12.sys []
S3 5b615;5b615;\??\c:\windows\system32\5b615.sys []
S3 71c5;71c5;\??\c:\windows\system32\71c5.sys []
S3 830C;830C;\??\c:\windows\system32\830C.sys []
S3 9cfD;9cfD;\??\c:\windows\system32\9cfD.sys []
S3 A4S2600;A4S2600;c:\windows\system32\drivers\A4S2600.sys [2003-5-14 70336]
S3 b9916;b9916;\??\c:\windows\system32\b9916.sys []
S3 ba49;ba49;\??\c:\windows\system32\ba49.sys []
S3 bae6;bae6;\??\c:\windows\system32\bae6.sys []
S3 bcf11;bcf11;\??\c:\windows\system32\bcf11.sys []
S3 c124;c124;\??\c:\windows\system32\c124.sys []
S3 d89A;d89A;\??\c:\windows\system32\d89A.sys []
S3 eb710;eb710;\??\c:\windows\system32\eb710.sys []
S3 f4714;f4714;\??\c:\windows\system32\f4714.sys []
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-18 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-18 40488]
S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2008-8-7 153760]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-18 695624]

=============== Created Last 30 ================

2008-12-24 10:11 <DIR> --d----- c:\program files\WhatsRunning
2008-12-22 09:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-22 09:57 <DIR> --d----- c:\program files\Security Task Manager
2008-12-21 12:44 <DIR> --d----- c:\program files\Hacker Evolution Untold
2008-12-21 11:02 <DIR> --d----- c:\program files\Active Ports
2008-12-20 15:31 <DIR> --d----- C:\VundoFix Backups
2008-12-20 15:10 <DIR> --d----- C:\SpySoapBin
2008-12-20 15:10 <DIR> --d----- c:\program files\SpySoap
2008-12-20 11:55 159,744 a------- c:\windows\system32\hasher.dll
2008-12-20 11:55 <DIR> --d----- c:\program files\Trisnap Technologies
2008-12-20 02:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-20 02:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-20 02:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2008-12-18 17:05 <DIR> --d----- c:\program files\Wondershare
2008-12-18 07:39 2,560 a------- c:\windows\_MSRSTRT.EXE
2008-12-18 05:54 2,688 a------- c:\windows\system32\tmp.reg
2008-12-17 16:22 <DIR> --d----- C:\SDFix
2008-12-17 09:40 2,713 ---sh--- c:\windows\system32\sapawoma.exe
2008-12-17 00:12 2,713 ---sh--- c:\windows\system32\fofugapi.exe
2008-12-16 19:07 0 a--sh--- c:\windows\system32\fenohomo.dll
2008-12-16 18:04 <DIR> --d----- c:\program files\XoftSpySE
2008-12-11 08:29 <DIR> --d----- c:\program files\common files\xing shared
2008-12-10 14:19 40,960 a------- c:\windows\wavdest.ax
2008-12-10 14:19 <DIR> --d----- c:\program files\Eltima Software
2008-12-07 05:22 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2008-12-07 05:22 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2008-12-07 05:05 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-12-06 16:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-06 16:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 16:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 14:02 0 a------- c:\windows\[INI]
2008-12-06 13:43 18,017 a------- C:\initemp.dat
2008-12-06 13:41 <DIR> --d----- c:\program files\SatelliteTVforPC
2008-12-06 13:39 <DIR> --d----- c:\windows\uninstall
2008-11-30 22:10 <DIR> --d----- c:\program files\Electric Rain
2008-11-29 10:49 933,888 a------- c:\windows\MFC40.DLL
2008-11-29 10:49 344,064 a------- c:\windows\MSVCRT40.DLL
2008-11-29 10:49 74,752 a------- c:\windows\system\msvcirt.dll
2008-11-29 10:49 72,358 a------- c:\windows\system\a4s2600.vxd
2008-11-26 23:47 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
2008-11-26 23:47 <DIR> --d----- c:\program files\MagicDisc

==================== Find3M ====================

2008-12-26 01:28 51,505 a------- c:\windows\system32\wacom.dat
2008-11-29 20:37 31 a------- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2008-11-18 16:17 81,984 a------- c:\windows\system32\bdod.bin
2008-11-18 15:09 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-10 21:54 164 a------- C:\install.dat
2008-11-07 11:15 2,188 a------- c:\windows\unins001.dat
2008-11-07 11:15 673,610 a------- c:\windows\unins001.exe
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2006-04-27 00:15 32 a----r-- c:\documents and settings\all users\hash.dat
2005-06-30 16:29 774,144 a------- c:\program files\RngInterstitial.dll
2008-09-18 20:01 64,168 a--sh--- c:\windows\system32\lefegeho.dll
2008-09-18 20:01 64,168 a--sh--- c:\windows\system32\morugawe.dll
2008-09-16 19:07 94,720 a--sh--- c:\windows\system32\yifulose.dll

============= FINISH: 14:00:25.45 ===============

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:57 PM, on 12/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TheyreAliveIE Class - {D99D8C80-287F-4E53-AB64-B2225DB42F83} - C:\Program Files\They're Alive!\TheyreAlive.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Mea\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 13383 bytes


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks for the help; these logs/txt files are the latest from today.

Edited by 232xanax232, 26 December 2008 - 04:01 PM.

“When one door closes another door opens; but we so often
look so long and so regretfully upon the closed door, that
we do not see the ones which open for us.”
--Alexander Graham Bell
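The DDS sections above list several system32 files with hidden+system attributes (an 's' and 'h' in the flag column) and eight-letter names, two of which (morugawe.dll, lefegeho.dll) Windows Defender names further down the thread as Trojan:Win32/Vundo.gen!AH. As an added example, not part of this thread or of the DDS tool, here is a Python triage pass that applies those two observations to lines in the DDS "Created Last 30" / "Find3M" format; the consonant-vowel name heuristic is an assumption drawn only from the names in this log, and the sample lines are constructed from it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied in the format of the DDS
# "Created Last 30" / "Find3M" sections posted in this thread.
SAMPLE_LOG = r"""
2008-12-20 11:55 159,744 a------- c:\windows\system32\hasher.dll
2008-12-20 02:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-17 09:40 2,713 ---sh--- c:\windows\system32\sapawoma.exe
2008-12-17 00:12 2,713 ---sh--- c:\windows\system32\fofugapi.exe
2008-12-16 19:07 0 a--sh--- c:\windows\system32\fenohomo.dll
2008-12-06 16:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-09-18 20:01 64,168 a--sh--- c:\windows\system32\lefegeho.dll
2008-09-18 20:01 64,168 a--sh--- c:\windows\system32\morugawe.dll
2008-09-16 19:07 94,720 a--sh--- c:\windows\system32\yifulose.dll
"""

# One DDS file line: <date> <time> <size or <DIR>> <8 attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<clock>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)

# Heuristic (assumption) drawn from this thread's log only: eight lowercase
# letters in strict consonant/vowel alternation (sapawoma, lefegeho, morugawe).
CV_NAME_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")


@dataclass
class Entry:
    date: str
    clock: str
    size: int          # 0 for <DIR>
    attrs: str         # DDS flag string, e.g. "a--sh---"
    path: str          # lower-cased full path

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

    @property
    def hidden_system(self):
        # 's' and 'h' in the flag string are the SYSTEM and HIDDEN attributes
        return "s" in self.attrs and "h" in self.attrs


@dataclass
class Finding:
    path: str
    size: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a DDS file line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = 0 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    return Entry(m["date"], m["clock"], size, m["attrs"], m["path"].lower())


def triage(log_text):
    """Flag system32 files whose attributes or names match the patterns above."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for e in entries:
        # only files under system32; 'd' in the flags marks a directory
        if "\\system32\\" not in e.path or "d" in e.attrs:
            continue
        stem, _, ext = e.name.rpartition(".")
        reasons = []
        if e.hidden_system:
            reasons.append("hidden+system attributes")
        if ext in ("dll", "exe") and CV_NAME_RE.match(stem):
            reasons.append("consonant-vowel random-looking name")
        # files dropped together often share size and timestamp
        twins = [o.name for o in entries
                 if o is not e and (o.date, o.clock, o.size) == (e.date, e.clock, e.size)]
        if reasons and twins:
            reasons.append("same size and timestamp as " + ", ".join(twins))
        if reasons:
            findings.append(Finding(e.path, e.size, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}  ({f.size} bytes)")
        for r in f.reasons:
            print("   -", r)
```

Flagged entries are candidates for review, not verdicts; the check is meant to shortlist what to look up or submit for analysis.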


#3 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 27 December 2008 - 09:40 AM

Hello 232xanax232

Welcome to BleepingComputer
========================
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#4 232xanax232

  • Topic Starter
  • Members
  • 24 posts
  • Gender:Male

Posted 27 December 2008 - 11:28 AM

Thanks for coming to the rescue.
I ran ATF and then ran the Kaspersky Online Scan, which showed that all is clear. I did this last night, just in case this would be what you wanted from me, and because the Kaspersky Online Scan takes almost 7 hours to complete.

I just ran ATF again and cleared everything, plus the same for the Firefox browser.

I saw a few viruses listed under the DDR, so I investigated by looking through my system32 folder with "show all hidden files" checked in View, plus "do not hide known extensions" checked (or unchecked, whichever lets me see everything), and could not locate any of the named virus files that were shown... they must have been deleted, or morphed.

What worries me is that this is what was showing... that I had no infection the last time, when I had the a.exe file trying to access the net and when Trojan.Vundo.H showed up. Like I said, I caught this weird connection while running netstat -a: 77.74.48.105 (foreign address) in a CLOSE_WAIT state, with the local address being my machine on TCP 2255... then the foreign address in an ESTABLISHED connection with my machine at TCP 2256...
Then it said 216.49.94.13:http SYN_SENT on TCP 2268.
As stated, I have since blocked this (77.74.48.105) address with my firewall.
After that, Malwarebytes found 14 instances of viruses with names such as fotobike.dll, Trojan.Vundo.H, gefedore.dll, mp7arc.dat, puvibimo.dll, pmnoOhHa.dll, mufayehu.dll, myfayehu.dll, muyipigu.dll, ljJCstQl.dll, IQtsCJjl.ini, kenahapu.dll, godohavu.dll, jeyanima.dll, vitetija.dll, iifgHxXp.dll.

The only thing that I can figure is that something was missed, or that somehow my USB stick got infected, the one I used to upload text files last time from my computer to the net as I could not connect at the time... (any suggestions on how to scan it without reinfecting myself, as what is on the stick are very important files for work that are irreplaceable??? But the infection seemed to come from the a.exe.)

Anyway, here are the results from the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 26, 2008 14:25:33
Records in database: 1517678
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 289237
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 06:37:43

No malware has been detected. The scan area is clean.

The selected area was scanned.



#5 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 27 December 2008 - 11:32 AM

Hi, that IP address resolves to this location:
inetnum: 77.74.48.96 - 77.74.48.127
netname: NL-SOFTSOL
descr: Soft Solutions Inc.
country: NL
admin-c: SSI25-RIPE
tech-c: SSI25-RIPE
status: ASSIGNED PA
mnt-by: ZYLON-NOC
source: RIPE Filtered
role: Soft Solutions Inc
address: Main Str. 16
address: Road Town Tortola
address: British Virgin Islands
mnt-by: ZYLON-NOC
e-mail: soft.sol.inc@gmail.com
admin-c: JR3138-RIPE
tech-c: JR3138-RIPE
nic-hdl: SSI25-RIPE
source: RIPE Filtered
route: 77.74.48.0/21
descr: Route-announcement
origin: AS8312
mnt-by: ZYLON-NOC
source: RIPE Filtered
====================
That looks legit to me.

Try to run Malwarebytes again and let's see what it finds, if anything.
Post that log please.

Also post a new DDS log as well.

#6 232xanax232

  • Topic Starter
  • Members
  • 24 posts
  • Gender:Male

Posted 28 December 2008 - 04:12 PM

Sorry about not getting back sooner; we are having some major weather outside and I had to go take care of a few things. I started the Malwarebytes scan before I left and it came back clean. I decided that I would reboot to see if that nasty virus would show itself before running DDS... This is what popped up as Windows rebooted.

Windows Defender came up with this as soon as the computer rebooted:

Scan Results: 1 item detected:
Name: Trojan:Win32/Vundo.gen!AH

Category:
Trojan

Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.

Resources:
file:
C:\WINDOWS\system32\morugawe.dll

file:
C:\WINDOWS\system32\lefegeho.dll

file:
C:\WINDOWS\system32\kofelabe.dll.tmp

file:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20081217-051843-785.dll

file:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20081217-051713-629.dll

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I followed through and let Windows Defender remove it. When I clicked on Apply action, a pop-up appeared that said Microsoft needs more information about this software and asked me to send them the files, which I did. Windows Defender removed the threat; I then ran DDS and then a new (quick) scan with Malwarebytes.

Malwarebytes' first scan before reboot is listed first, then the DDS log, then the last scan after Windows Defender removed the threats it found on reboot.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
FIRST MALWAREBYTES SCAN BEFORE REBOOT.................................................

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

12/27/2008 6:12:03 PM
mbam-log-2008-12-27 (18-12-03).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 345130
Time elapsed: 3 hour(s), 38 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DDS.TXT......................................................................................

DDS (Version 1.1.0) - NTFSx86
Run by Administrator at 13:59:39.51 on Sun 12/28/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.574 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.wzzm13.com/
uWindow Title =
uSearch Bar = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.wzzm13.com/
mSearch Bar = hxxp://www.google.com/ie
mWindow Title = Smile God the Universe Loves You
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: TheyreAliveIE Class: {d99d8c80-287f-4e53-ab64-b2225db42f83} - c:\program files\they're alive!\TheyreAlive.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {3236FF08-D1F3-4020-AD8D-4012C8EAF98E} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CARPService] carpserv.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\mea\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuserw.lnk - c:\program files\wacom\TabUserW.exe
IE: &eBay Search
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: Explore with &Instant Source
IE: ImTranslator
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Save Flash by &GetFlash
IE: Sothink SWF Catcher
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {8BD5271D-69C9-4467-882D-5139952D7754} - {3DC8D6D6-AFF0-45CC-A847-E5012F60BA57} - c:\program files\instant source\isrc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [2007-2-20 2944]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-18 201320]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-4 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\McShield.exe [2007-11-18 144704]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-18 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-18 35240]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 03eE;03eE;\??\c:\windows\system32\03eE.sys []
S3 04c8;04c8;\??\c:\windows\system32\04c8.sys []
S3 38c12;38c12;\??\c:\windows\system32\38c12.sys []
S3 5b615;5b615;\??\c:\windows\system32\5b615.sys []
S3 71c5;71c5;\??\c:\windows\system32\71c5.sys []
S3 830C;830C;\??\c:\windows\system32\830C.sys []
S3 9cfD;9cfD;\??\c:\windows\system32\9cfD.sys []
S3 A4S2600;A4S2600;c:\windows\system32\drivers\A4S2600.sys [2003-5-14 70336]
S3 b9916;b9916;\??\c:\windows\system32\b9916.sys []
S3 ba49;ba49;\??\c:\windows\system32\ba49.sys []
S3 bae6;bae6;\??\c:\windows\system32\bae6.sys []
S3 bcf11;bcf11;\??\c:\windows\system32\bcf11.sys []
S3 c124;c124;\??\c:\windows\system32\c124.sys []
S3 d89A;d89A;\??\c:\windows\system32\d89A.sys []
S3 eb710;eb710;\??\c:\windows\system32\eb710.sys []
S3 f4714;f4714;\??\c:\windows\system32\f4714.sys []
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-18 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-18 40488]
S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2008-8-7 153760]
S3 PORTMON;PORTMON;\??\c:\documents and settings\administrator\desktop\error 1058 cure\system tools\portmon\PORTMSYS.SYS []
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-18 695624]

=============== Created Last 30 ================

2008-12-27 07:38 <DIR> --d----- c:\program files\Realore
2008-12-24 10:11 <DIR> --d----- c:\program files\WhatsRunning
2008-12-22 09:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-22 09:57 <DIR> --d----- c:\program files\Security Task Manager
2008-12-21 12:44 <DIR> --d----- c:\program files\Hacker Evolution Untold
2008-12-21 11:02 <DIR> --d----- c:\program files\Active Ports
2008-12-20 15:31 <DIR> --d----- C:\VundoFix Backups
2008-12-20 15:10 <DIR> --d----- C:\SpySoapBin
2008-12-20 15:10 <DIR> --d----- c:\program files\SpySoap
2008-12-20 11:55 159,744 a------- c:\windows\system32\hasher.dll
2008-12-20 11:55 <DIR> --d----- c:\program files\Trisnap Technologies
2008-12-20 02:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-20 02:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-20 02:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2008-12-18 17:05 <DIR> --d----- c:\program files\Wondershare
2008-12-18 07:39 2,560 a------- c:\windows\_MSRSTRT.EXE
2008-12-18 05:54 2,688 a------- c:\windows\system32\tmp.reg
2008-12-17 16:22 <DIR> --d----- C:\SDFix
2008-12-17 09:40 2,713 ---sh--- c:\windows\system32\sapawoma.exe
2008-12-17 00:12 2,713 ---sh--- c:\windows\system32\fofugapi.exe
2008-12-16 19:07 0 a--sh--- c:\windows\system32\fenohomo.dll
2008-12-16 18:04 <DIR> --d----- c:\program files\XoftSpySE
2008-12-11 08:29 <DIR> --d----- c:\program files\common files\xing shared
2008-12-10 14:19 40,960 a------- c:\windows\wavdest.ax
2008-12-10 14:19 <DIR> --d----- c:\program files\Eltima Software
2008-12-07 05:22 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2008-12-07 05:22 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2008-12-07 05:05 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-12-06 16:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-06 16:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 16:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 14:02 0 a------- c:\windows\[INI]
2008-12-06 13:43 18,017 a------- C:\initemp.dat
2008-12-06 13:41 <DIR> --d----- c:\program files\SatelliteTVforPC
2008-12-06 13:39 <DIR> --d----- c:\windows\uninstall
2008-11-30 22:10 <DIR> --d----- c:\program files\Electric Rain
2008-11-29 10:49 933,888 a------- c:\windows\MFC40.DLL
2008-11-29 10:49 344,064 a------- c:\windows\MSVCRT40.DLL
2008-11-29 10:49 74,752 a------- c:\windows\system\msvcirt.dll
2008-11-29 10:49 72,358 a------- c:\windows\system\a4s2600.vxd

==================== Find3M ====================

2008-12-28 13:44 51,505 a------- c:\windows\system32\wacom.dat
2008-11-29 20:37 31 a------- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2008-11-18 16:17 81,984 a------- c:\windows\system32\bdod.bin
2008-11-18 15:09 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-10 21:54 164 a------- C:\install.dat
2008-11-07 11:15 2,188 a------- c:\windows\unins001.dat
2008-11-07 11:15 673,610 a------- c:\windows\unins001.exe
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2006-04-27 00:15 32 a----r-- c:\documents and settings\all users\hash.dat
2005-06-30 16:29 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 14:00:00.56 ===============

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Malwarebytes Last Scan....................................................................................

(Quick Scan)
Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

12/28/2008 2:42:04 PM
mbam-log-2008-12-28 (14-42-04).txt

Scan type: Quick Scan
Objects scanned: 70318
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Could it be possible that this virus/trojan only spawns itself after so many reboots? I did forget to mention that I did find a virus/trojan listed under my Scheduled Tasks a few days ago, which I deleted and removed from Task Scheduler; I do not remember the name though.

Weird how everything is coming up as clean (hopefully I finally killed it), yet when I shut down my computer it takes forever when it is saving settings, and every now and again McAfee's virus protection mysteriously shuts down on its own.

Anyway, here are the logs that you wanted to see. I am also running Malwarebytes again in a full system scan just to be sure nothing shows up.

Edited by 232xanax232, 28 December 2008 - 07:14 PM.

“When one door closes another door opens; but we so often
look so long and so regretfully upon the closed door, that
we do not see the ones which open for us.”
--Alexander Graham Bell
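Added example (editor's code, not from the thread or from any of the tools used in it): the DDS log above already carries two signals a practitioner would act on even though every Malwarebytes pass came back clean. Fifteen S3 driver entries are registered under short hex-looking names (03eE, 04c8, 38c12, ...) pointing at a .sys directly in system32 that DDS could not find on disk (the empty [] after the path), and three files created in system32 on 16-17 December carry the hidden+system attributes (---sh---), two of them exactly 2,713 bytes. The Python below parses DDS "SERVICES / DRIVERS" and "Created Last 30" rows and flags those two patterns. The sample input is a subset of lines copied from the log above (benign rows kept in on purpose); the rule names, the 4-5 hex character name heuristic and the Finding class are my own, and "orphan" here means only what the log shows, a registered service with no backing file, not an attribution to any malware family.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the DDS log posted above,
# with benign entries (bbcap, mfehidk, A4S2600, PORTMON, hasher.dll, mbam.sys)
# kept on purpose so the rules can be checked for false positives.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [2007-2-20 2944]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-18 201320]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
S3 03eE;03eE;\??\c:\windows\system32\03eE.sys []
S3 04c8;04c8;\??\c:\windows\system32\04c8.sys []
S3 38c12;38c12;\??\c:\windows\system32\38c12.sys []
S3 A4S2600;A4S2600;c:\windows\system32\drivers\A4S2600.sys [2003-5-14 70336]
S3 f4714;f4714;\??\c:\windows\system32\f4714.sys []
S3 PORTMON;PORTMON;\??\c:\documents and settings\administrator\desktop\error 1058 cure\system tools\portmon\PORTMSYS.SYS []

=============== Created Last 30 ================

2008-12-20 11:55 159,744 a------- c:\windows\system32\hasher.dll
2008-12-17 09:40 2,713 ---sh--- c:\windows\system32\sapawoma.exe
2008-12-17 00:12 2,713 ---sh--- c:\windows\system32\fofugapi.exe
2008-12-16 19:07 0 a--sh--- c:\windows\system32\fenohomo.dll
2008-12-06 16:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# "S3 03eE;03eE;\??\c:\windows\system32\03eE.sys []" -> start, name, display, image, [fileinfo]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<fileinfo>[^\]]*)\]$"
)
# "2008-12-17 09:40 2,713 ---sh--- c:\windows\system32\sapawoma.exe" -> date, time, size, attrs, path
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
# Heuristic (my assumption): 4-5 hex characters with no other letters reads as a generated name.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{4,5}$", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32"


@dataclass
class Finding:
    rule: str
    subject: str
    detail: str


def parse_services(text):
    """Return the SERVICES / DRIVERS rows as dicts; the \\??\\ NT path prefix is stripped."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        if row["image"].startswith("\\??\\"):
            row["image"] = row["image"][4:]
        rows.append(row)
    return rows


def parse_created_files(text):
    """Return the 'Created Last 30' rows (files and directories) as dicts."""
    return [m.groupdict() for m in (FILE_RE.match(l.strip()) for l in text.splitlines()) if m]


def orphan_hex_drivers(services):
    """Rule 1: a driver service with a short hex-looking name, whose image sits directly
    in system32 (not system32\\drivers) and for which DDS found no file on disk
    (the empty [] after the path)."""
    hits = []
    for s in services:
        image = s["image"].lower()
        folder, _, _ = image.rpartition("\\")
        if HEX_NAME_RE.match(s["name"]) and folder == SYSTEM32 and not s["fileinfo"].strip():
            hits.append(Finding("orphan-hex-driver", s["name"], f"{s['start']} {image}"))
    return hits


def hidden_system_files(files):
    """Rule 2: a file created under system32 in the last 30 days carrying both the
    hidden (h) and system (s) attributes, which keeps it out of a default Explorer
    listing. Rule 2b: flagged files sharing an exact byte size are reported as a
    cluster, the trace one dropper leaves when it writes the same payload under
    several random names (sapawoma.exe and fofugapi.exe above are both 2,713 bytes)."""
    hits, by_size = [], {}
    for f in files:
        path = f["path"].lower()
        if "s" in f["attrs"] and "h" in f["attrs"] and path.startswith(SYSTEM32 + "\\"):
            hits.append(Finding("hidden-system-file", path, f"{f['size']} bytes, attrs {f['attrs']}"))
            by_size.setdefault(f["size"], []).append(path)
    for size, paths in by_size.items():
        if len(paths) > 1:
            hits.append(Finding("same-size-cluster", size, ", ".join(paths)))
    return hits


def triage_dds(text):
    """Run every rule over a DDS log and return the findings in rule order."""
    return orphan_hex_drivers(parse_services(text)) + hidden_system_files(parse_created_files(text))


def findings_by_rule(text):
    """Map rule name -> list of subjects, in log order."""
    grouped = {}
    for f in triage_dds(text):
        grouped.setdefault(f.rule, []).append(f.subject)
    return grouped


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.rule}] {f.subject}  ({f.detail})")
```

Run as a script it prints one line per finding over the sample; point `triage_dds` at a full dds.txt to get the same over a real log. Read it as a triage aid, not a verdict: a hex-named service whose file does exist is deliberately not flagged, a driver with a pronounceable random name slips past rule 1, and a legitimate hidden+system file in system32 would trip rule 2, so each hit still needs the file pulled and checked.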


#7 232xanax232

  • Topic Starter
  • Members
  • 24 posts

Posted 28 December 2008 - 06:27 PM

DANG IT!!!! :thumbsup:

Right after posting the last post I was doing a search on Google when suddenly IE shut down and in its place was an alert window that said:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
WINDOWS Internet Explorer
ATTENTION! If your computer is struck by spyware, you could suffer data loss, erratic PC Behavior, PC freezes and crashes.
Detect and remove viruses before they damage your computer!
Antivirus 2009 will preform a 100% Free and quick scan of your computer for Viruses, Spyware and Adaware.
Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

And this popped up while I was performing a scan with Malwarebytes!!!!
Very frustrating considering all the scans I have performed and the ones that keep coming up clean.


Anyway, here is the last Malwarebytes scan I did. It was a full scan of the system which came back clean... this I don't understand considering how IE shut down and the alert took its place.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Malwarebytes Full System Scan...................................................................................................................

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

12/28/2008 9:01:17 PM
mbam-log-2008-12-28 (21-01-17).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 343929
Time elapsed: 2 hour(s), 32 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by 232xanax232, 28 December 2008 - 09:04 PM.



#8 kahdah


  • Security Colleague
  • 11,138 posts
  • Location:Florida

Posted 28 December 2008 - 09:34 PM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 232xanax232

  • Topic Starter
  • Members
  • 24 posts

Posted 29 December 2008 - 02:07 AM

Awesome, thanks for helping me out.... This has been an ongoing problem for well over a month.
Everything went well with ComboFix...... that is, except I had believed all along that I already had Windows Recovery installed. I guess that's because on my C drive... there is a separate partition.... D drive, which I believed was it, but ComboFix stated that I did not have it installed, so I let it go ahead and install it.
Now it has me wondering what's on D drive.
Anyway...... here is the ComboFix log

+++++++++++++++++++++++++++++++++++++++++++++++++++++
ComboFix Log .................................................................................................

ComboFix 08-12-28.01 - Administrator 2008-12-29 1:06:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.578 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\.#
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\encapi32.dll
c:\windows\system32\fenohomo.dll
c:\windows\system32\tmp.reg
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 21:16 . 2008-12-28 21:20 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2008-12-27 07:38 . 2008-12-27 07:38 <DIR> d-------- c:\program files\Realore
2008-12-24 10:11 . 2008-12-24 10:30 <DIR> d-------- c:\program files\WhatsRunning
2008-12-22 09:58 . 2008-12-28 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-22 09:57 . 2008-12-22 15:46 <DIR> d-------- c:\program files\Security Task Manager
2008-12-21 12:44 . 2008-12-21 12:51 <DIR> d-------- c:\program files\Hacker Evolution Untold
2008-12-21 11:02 . 2008-12-21 11:02 <DIR> d-------- c:\program files\Active Ports
2008-12-20 15:31 . 2008-12-20 15:31 <DIR> d-------- C:\VundoFix Backups
2008-12-20 15:10 . 2008-12-20 15:10 <DIR> d-------- C:\SpySoapBin
2008-12-20 15:10 . 2008-12-20 15:18 <DIR> d-------- c:\program files\SpySoap
2008-12-20 11:55 . 2008-12-20 11:55 <DIR> d-------- c:\program files\Trisnap Technologies
2008-12-20 11:55 . 2006-04-13 22:05 159,744 --a------ c:\windows\system32\hasher.dll
2008-12-20 02:52 . 2008-12-20 02:52 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-20 02:52 . 2008-12-20 02:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-20 02:52 . 2008-12-20 02:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-18 17:05 . 2008-12-18 17:05 <DIR> d-------- c:\program files\Wondershare
2008-12-18 07:39 . 2008-12-18 07:39 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-12-17 16:22 . 2008-12-21 13:07 <DIR> d-------- C:\SDFix
2008-12-17 09:40 . 2008-12-17 09:40 2,713 ---hs---- c:\windows\system32\sapawoma.exe
2008-12-17 00:12 . 2008-12-17 00:12 2,713 ---hs---- c:\windows\system32\fofugapi.exe
2008-12-16 18:04 . 2008-12-17 21:05 <DIR> d-------- c:\program files\XoftSpySE
2008-12-11 08:29 . 2008-12-11 08:29 <DIR> d-------- c:\program files\Common Files\xing shared
2008-12-10 14:20 . 2008-12-10 14:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Eltima Software
2008-12-10 14:19 . 2008-12-10 14:19 <DIR> d-------- c:\program files\Eltima Software
2008-12-10 14:19 . 2007-12-02 14:13 40,960 --a------ c:\windows\wavdest.ax
2008-12-07 05:33 . 2008-12-07 05:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-07 05:22 . 2007-02-20 16:04 2,463,976 --a------ c:\windows\system32\NPSWF32.dll
2008-12-07 05:22 . 2007-02-20 16:04 190,696 --a------ c:\windows\system32\NPSWF32_FlashUtil.exe
2008-12-07 05:05 . 2008-12-07 05:05 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-06 16:17 . 2008-12-06 16:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 16:17 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 16:17 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 14:02 . 2008-12-06 14:02 0 --a------ c:\windows\[INI]
2008-12-06 13:43 . 2008-12-06 13:49 18,017 --a------ C:\initemp.dat
2008-12-06 13:41 . 2008-12-06 13:41 <DIR> d-------- c:\program files\SatelliteTVforPC
2008-12-06 13:39 . 2008-12-06 14:02 <DIR> d-------- c:\windows\uninstall
2008-11-30 22:10 . 2008-11-30 22:10 <DIR> d-------- c:\program files\Electric Rain
2008-11-29 10:49 . 1998-06-18 20:01 933,888 --a------ c:\windows\MFC40.DLL
2008-11-29 10:49 . 1998-06-18 20:01 344,064 --a------ c:\windows\MSVCRT40.DLL
2008-11-29 10:49 . 1996-06-14 19:50 74,752 --a------ c:\windows\system\msvcirt.dll
2008-11-29 10:49 . 1998-07-01 12:29 72,358 --a------ c:\windows\system\a4s2600.vxd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 00:20 --------- d-----w c:\program files\DivX
2008-12-20 07:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 22:58 --------- d-----w c:\program files\SpywareGuard
2008-12-16 01:54 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-12-14 20:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-11 13:28 --------- d-----w c:\program files\Real
2008-12-08 17:36 --------- d-----w c:\program files\ieSpell
2008-12-07 20:20 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 19:59 --------- d-----w c:\program files\Common Files\Adobe
2008-11-30 03:04 --------- d-----w c:\program files\SwiftKit
2008-11-30 01:37 31 ----a-w c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2008-11-27 13:42 --------- d-----w c:\program files\Intelore
2008-11-27 04:48 --------- d-----w c:\program files\MagicDisc
2008-11-26 04:36 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-11-26 04:32 --------- d-----w c:\program files\AutoCAD 2002
2008-11-26 04:27 --------- d-----w c:\program files\Coral Reef 3D Screensaver
2008-11-26 04:27 --------- d-----w c:\program files\Bubble Shooter Premium Edition
2008-11-25 20:12 --------- d-----w c:\documents and settings\Administrator\Application Data\Download Manager
2008-11-25 14:03 --------- d-----w c:\program files\Common Files\Apple
2008-11-24 15:20 --------- d-----w c:\program files\iTunes
2008-11-24 15:20 --------- d-----w c:\program files\iPod
2008-11-24 15:20 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 15:17 --------- d-----w c:\program files\QuickTime
2008-11-24 15:17 --------- d-----w c:\program files\Bonjour
2008-11-24 15:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-23 00:38 --------- d-----w c:\program files\Driver Magician
2008-11-23 00:36 --------- d-----w c:\program files\Panda Security
2008-11-22 23:42 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-21 04:50 --------- d--h--w c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-21 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-20 19:43 --------- d-----w c:\program files\SpywareBlaster
2008-11-20 05:11 --------- d-----w c:\program files\Lantern 3D Screensaver
2008-11-19 15:05 --------- d-----w c:\program files\hjsplit
2008-11-19 03:24 --------- d-----w c:\documents and settings\Administrator\Application Data\GlarySoft
2008-11-18 21:18 --------- d-----w c:\program files\Common Files\Softwin
2008-11-18 20:43 --------- d-----w c:\documents and settings\Administrator\Application Data\funkitron
2008-11-18 20:09 --------- d-----w c:\program files\Java
2008-11-17 09:11 --------- d-----w c:\program files\RogueRemover FREE
2008-11-16 22:11 --------- d-----w c:\program files\HP
2008-11-16 22:09 --------- d-----w c:\program files\Symantec
2008-11-16 22:09 --------- d-----w c:\documents and settings\Administrator\Application Data\Symantec
2008-11-16 22:06 --------- d-----w c:\program files\The One Ring 3D Screensaver
2008-11-16 22:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-14 09:29 --------- d-----w c:\program files\Glary Registry Repair
2008-11-14 09:08 --------- d-----w c:\program files\roguescanfix
2008-11-13 11:08 --------- d-----w c:\program files\Ghost Hunter
2008-11-12 19:54 --------- d-----w c:\program files\Alwil Software
2008-11-12 16:55 --------- d-----w c:\program files\Sophos
2008-11-11 14:43 --------- d-----w c:\program files\AVG
2008-11-11 10:12 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-11 05:31 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-11 05:30 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2008-11-11 03:39 --------- d-----w c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-11 03:39 --------- d-----w c:\documents and settings\Administrator\Application Data\Simply Super Software
2008-11-11 02:54 164 ----a-w C:\install.dat
2008-11-11 00:01 --------- d-----w c:\program files\ICQ
2008-11-10 23:57 --------- d-----w c:\program files\Google
2008-11-10 22:21 --------- d-----w c:\program files\Trend Micro
2008-11-10 18:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-10 13:48 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-10 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 16:47 --------- d-----w c:\program files\SourceTec
2008-11-07 16:15 673,610 ----a-w c:\windows\unins001.exe
2008-11-07 16:15 --------- d-----w c:\program files\Common Files\SourceTec
2008-11-07 02:02 --------- d-----w c:\program files\WinUtilities
2008-11-07 02:01 --------- d-----w c:\program files\Smart CD Catalog PRO
2008-11-06 01:10 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2008-10-31 01:06 --------- d-----w c:\program files\Winamp
2006-04-27 05:15 32 ----a-r c:\documents and settings\All Users\hash.dat
2005-06-30 21:29 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-10-30 17:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-30 17:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-30 17:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-30 17:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-30 17:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 286,720 2007-11-13 12:22:29 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

----a-w 1,415,824 2005-05-31 05:04:00 c:\program files\Spybot - Search & Destroy\bak\TeaTimer.exe
--sha-r 1,833,296 2008-09-16 17:16:08 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

----a-w 155,648 2001-07-09 15:50:42 c:\windows\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D99D8C80-287F-4E53-AB64-B2225DB42F83}]
2006-05-24 16:06 237568 --a------ c:\program files\They're Alive!\TheyreAlive.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Mea\mbam.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]
"CARPService"="carpserv.exe" [2001-12-23 c:\windows\system32\carpserv.exe]
"NvMediaCenter"="NvMCTray.dll" [2003-07-28 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-04-09 113664]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-11-26 575488]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-05-06 25214]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-04-17 118784]
TabUserW.lnk - c:\program files\Wacom\TabUserW.exe [2003-12-19 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"SENTINEL"= snti386.dll
"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
"avast!"=c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
"BDMCon"="c:\program files\Softwin\BitDefender10\bdmcon.exe" /reg
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 bbcap;bbcap;c:\windows\system32\DRIVERS\bbcap.sys [2007-02-20 2944]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 03eE;03eE;\??\c:\windows\system32\03eE.sys []
S3 04c8;04c8;\??\c:\windows\system32\04c8.sys []
S3 38c12;38c12;\??\c:\windows\system32\38c12.sys []
S3 5b615;5b615;\??\c:\windows\system32\5b615.sys []
S3 71c5;71c5;\??\c:\windows\system32\71c5.sys []
S3 830C;830C;\??\c:\windows\system32\830C.sys []
S3 9cfD;9cfD;\??\c:\windows\system32\9cfD.sys []
S3 b9916;b9916;\??\c:\windows\system32\b9916.sys []
S3 ba49;ba49;\??\c:\windows\system32\ba49.sys []
S3 bae6;bae6;\??\c:\windows\system32\bae6.sys []
S3 bcf11;bcf11;\??\c:\windows\system32\bcf11.sys []
S3 c124;c124;\??\c:\windows\system32\c124.sys []
S3 d89A;d89A;\??\c:\windows\system32\d89A.sys []
S3 eb710;eb710;\??\c:\windows\system32\eb710.sys []
S3 f4714;f4714;\??\c:\windows\system32\f4714.sys []
S3 NUVision;NUVision II Video Service;c:\windows\system32\DRIVERS\nuvvid2.sys [2008-08-07 153760]
S3 PORTMON;PORTMON;\??\c:\documents and settings\Administrator\Desktop\error 1058 cure\System Tools\PortMon\PORTMSYS.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1330b9cb-6ed6-11dd-a179-004063c1dc25}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-12-28 c:\windows\Tasks\User_Feed_Synchronization-{D221CB62-48C5-47C9-87F5-7E91DE622B84}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3236FF08-D1F3-4020-AD8D-4012C8EAF98E} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wzzm13.com/
mStart Page = hxxp://www.wzzm13.com/
mSearch Bar = hxxp://www.google.com/ie
mWindow Title = Smile God the Universe Loves You
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &eBay Search
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: Explore with &Instant Source
IE: ImTranslator
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Save Flash by &GetFlash
IE: Sothink SWF Catcher
IE: {{8BD5271D-69C9-4467-882D-5139952D7754} - {3DC8D6D6-AFF0-45CC-A847-E5012F60BA57} - c:\program files\Instant Source\isrc.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

O16 -: {352797A0-EFD0-4FA6-B229-145120EA4B8A}

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf

O16 -: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}

O16 -: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}

O16 -: {EF148DBB-5B6D-4130-B2A1-661571E86260}
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 01:14:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\pctspk.exe
c:\progra~1\TRISNA~1\SSI\SYSENF~1.EXE
c:\windows\system32\Tablet.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-12-29 1:32:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 06:31:33

Pre-Run: 7,637,315,584 bytes free
Post-Run: 7,999,217,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

353 --- E O F --- 2008-12-26 09:20:33

“When one door closes another door opens; but we so often
look so long and so regretfully upon the closed door, that
we do not see the ones which open for us.”
--Alexander Graham Bell


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:44 PM

Posted 29 December 2008 - 08:23 AM

I would like for you to submit some files for me to analyze.

I will need you to show hidden files\folders so we can find the files.
To Set:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK
Now: using Windows Explorer (to get there right-click your Start button and go to "Explore")
Then navigate to these locations and upload the following files.

c:\windows\system32\sapawoma.exe
c:\windows\system32\fofugapi.exe



Click Here to upload the files please.
==========================
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\sapawoma.exe
c:\windows\system32\fofugapi.exe


AWF::
C:\program files\QuickTime\bak\qttask.exe
c:\program files\Spybot - Search & Destroy\bak\TeaTimer.exe
c:\windows\system32\bak\NeroCheck.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#11 232xanax232

232xanax232
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Local time:01:44 PM

Posted 29 December 2008 - 10:40 AM

Duh!!! :thumbsup: Ya know, I couldn't find those buggers because I kept forgetting to uncheck the protected operating system files, I had even once clicked it and then decided not to at the last minute a while back (my wife sometimes jumps on my comp and I didn't want to take a chance that she might click on a file that she wasn't supposed to...better safe than sorry)....I just thought that they were deleted in a scan. I'm glad to see that system32\tmp.reg or fenohomo.dll were deleted by combofix.

One other thing....during the night, McAfee ran a scheduled scan, which I had forgotten all about.... it runs on Sunday nights, I apologize for it running as I know that having such things occur while receiving help can mess things up, it came up with 3 items with one of interest....these items were:
+++++++++++++++++++++++++++++++++++++++++++
McAfee Scan Results...........................................
Item Name - Tool-NirCmd - File Name: C:\System Volume Information\_restore{9A28382A-D3EB-4765-8EC2-D4B660C905C7}\RP2\A0000086.COM

The other two were from scanner programs...ComboFix.exe and SmitfraudFix.exe.
So being that the one is in the restore point I left them alone and followed your instructions, if you want me to let McAfee delete the one or if you want me to clear the restore point let me know, in the meantime, here is what you requested and thanks again for helping me during the Holidays....Oh and by the way I hope you had a Merry X-mas.

I also uploaded those files as requested.


---------------------------------------------------------------------------------------------------------


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ComboFix.Log.......................................................

ComboFix 08-12-28.01 - Administrator 2008-12-29 9:45:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.460 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

FILE ::
c:\windows\system32\fofugapi.exe
c:\windows\system32\sapawoma.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fofugapi.exe
c:\windows\system32\sapawoma.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-29 03:22 . 2008-12-29 03:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Moyea
2008-12-29 03:21 . 2008-12-29 03:21 <DIR> d-------- c:\program files\Moyea
2008-12-29 02:38 . 2008-12-29 02:40 <DIR> d-------- c:\program files\Hacker Evolution
2008-12-28 21:16 . 2008-12-28 21:20 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2008-12-27 07:38 . 2008-12-27 07:38 <DIR> d-------- c:\program files\Realore
2008-12-24 10:11 . 2008-12-24 10:30 <DIR> d-------- c:\program files\WhatsRunning
2008-12-22 09:58 . 2008-12-28 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-22 09:57 . 2008-12-22 15:46 <DIR> d-------- c:\program files\Security Task Manager
2008-12-21 12:44 . 2008-12-21 12:51 <DIR> d-------- c:\program files\Hacker Evolution Untold
2008-12-21 11:02 . 2008-12-21 11:02 <DIR> d-------- c:\program files\Active Ports
2008-12-20 15:31 . 2008-12-20 15:31 <DIR> d-------- C:\VundoFix Backups
2008-12-20 15:10 . 2008-12-20 15:10 <DIR> d-------- C:\SpySoapBin
2008-12-20 15:10 . 2008-12-20 15:18 <DIR> d-------- c:\program files\SpySoap
2008-12-20 11:55 . 2008-12-20 11:55 <DIR> d-------- c:\program files\Trisnap Technologies
2008-12-20 11:55 . 2006-04-13 22:05 159,744 --a------ c:\windows\system32\hasher.dll
2008-12-20 02:52 . 2008-12-29 01:38 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-20 02:52 . 2008-12-20 02:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-20 02:52 . 2008-12-20 02:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-18 17:05 . 2008-12-18 17:05 <DIR> d-------- c:\program files\Wondershare
2008-12-18 07:39 . 2008-12-18 07:39 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-12-17 16:22 . 2008-12-21 13:07 <DIR> d-------- C:\SDFix
2008-12-16 18:04 . 2008-12-17 21:05 <DIR> d-------- c:\program files\XoftSpySE
2008-12-11 08:29 . 2008-12-11 08:29 <DIR> d-------- c:\program files\Common Files\xing shared
2008-12-10 14:20 . 2008-12-10 14:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Eltima Software
2008-12-10 14:19 . 2008-12-10 14:19 <DIR> d-------- c:\program files\Eltima Software
2008-12-10 14:19 . 2007-12-02 14:13 40,960 --a------ c:\windows\wavdest.ax
2008-12-07 05:33 . 2008-12-07 05:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-07 05:22 . 2007-02-20 16:04 2,463,976 --a------ c:\windows\system32\NPSWF32.dll
2008-12-07 05:22 . 2007-02-20 16:04 190,696 --a------ c:\windows\system32\NPSWF32_FlashUtil.exe
2008-12-07 05:05 . 2008-12-07 05:05 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-06 16:17 . 2008-12-06 16:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 16:17 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 16:17 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 14:02 . 2008-12-06 14:02 0 --a------ c:\windows\[INI]
2008-12-06 13:43 . 2008-12-06 13:49 18,017 --a------ C:\initemp.dat
2008-12-06 13:41 . 2008-12-06 13:41 <DIR> d-------- c:\program files\SatelliteTVforPC
2008-12-06 13:39 . 2008-12-06 14:02 <DIR> d-------- c:\windows\uninstall
2008-11-30 22:10 . 2008-11-30 22:10 <DIR> d-------- c:\program files\Electric Rain
2008-11-29 10:49 . 1998-06-18 20:01 933,888 --a------ c:\windows\MFC40.DLL
2008-11-29 10:49 . 1998-06-18 20:01 344,064 --a------ c:\windows\MSVCRT40.DLL
2008-11-29 10:49 . 1996-06-14 19:50 74,752 --a------ c:\windows\system\msvcirt.dll
2008-11-29 10:49 . 1998-07-01 12:29 72,358 --a------ c:\windows\system\a4s2600.vxd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 14:57 --------- d-----w c:\program files\QuickTime
2008-12-29 14:45 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-29 06:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-29 06:48 --------- d-----w c:\program files\SpywareBlaster
2008-12-29 06:38 --------- d-----w c:\program files\SpywareGuard
2008-12-29 00:20 --------- d-----w c:\program files\DivX
2008-12-20 07:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 01:54 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-12-11 13:28 --------- d-----w c:\program files\Real
2008-12-08 17:36 --------- d-----w c:\program files\ieSpell
2008-12-07 20:20 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 19:59 --------- d-----w c:\program files\Common Files\Adobe
2008-11-30 03:04 --------- d-----w c:\program files\SwiftKit
2008-11-30 01:37 31 ----a-w c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2008-11-27 13:42 --------- d-----w c:\program files\Intelore
2008-11-27 04:48 --------- d-----w c:\program files\MagicDisc
2008-11-26 04:36 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-11-26 04:32 --------- d-----w c:\program files\AutoCAD 2002
2008-11-26 04:27 --------- d-----w c:\program files\Coral Reef 3D Screensaver
2008-11-26 04:27 --------- d-----w c:\program files\Bubble Shooter Premium Edition
2008-11-25 20:12 --------- d-----w c:\documents and settings\Administrator\Application Data\Download Manager
2008-11-25 14:03 --------- d-----w c:\program files\Common Files\Apple
2008-11-24 15:20 --------- d-----w c:\program files\iTunes
2008-11-24 15:20 --------- d-----w c:\program files\iPod
2008-11-24 15:20 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 15:17 --------- d-----w c:\program files\Bonjour
2008-11-24 15:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-23 00:38 --------- d-----w c:\program files\Driver Magician
2008-11-23 00:36 --------- d-----w c:\program files\Panda Security
2008-11-22 23:42 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-21 04:50 --------- d--h--w c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-21 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-20 05:11 --------- d-----w c:\program files\Lantern 3D Screensaver
2008-11-19 15:05 --------- d-----w c:\program files\hjsplit
2008-11-19 03:24 --------- d-----w c:\documents and settings\Administrator\Application Data\GlarySoft
2008-11-18 21:18 --------- d-----w c:\program files\Common Files\Softwin
2008-11-18 21:17 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-18 20:43 --------- d-----w c:\documents and settings\Administrator\Application Data\funkitron
2008-11-18 20:09 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-18 20:09 --------- d-----w c:\program files\Java
2008-11-17 09:11 --------- d-----w c:\program files\RogueRemover FREE
2008-11-16 22:11 --------- d-----w c:\program files\HP
2008-11-16 22:09 --------- d-----w c:\program files\Symantec
2008-11-16 22:09 --------- d-----w c:\documents and settings\Administrator\Application Data\Symantec
2008-11-16 22:06 --------- d-----w c:\program files\The One Ring 3D Screensaver
2008-11-16 22:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-14 09:29 --------- d-----w c:\program files\Glary Registry Repair
2008-11-14 09:08 --------- d-----w c:\program files\roguescanfix
2008-11-13 11:08 --------- d-----w c:\program files\Ghost Hunter
2008-11-12 19:54 --------- d-----w c:\program files\Alwil Software
2008-11-12 16:55 --------- d-----w c:\program files\Sophos
2008-11-11 14:43 --------- d-----w c:\program files\AVG
2008-11-11 10:12 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-11 05:31 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-11 05:30 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2008-11-11 03:39 --------- d-----w c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-11 03:39 --------- d-----w c:\documents and settings\Administrator\Application Data\Simply Super Software
2008-11-11 02:54 164 ----a-w C:\install.dat
2008-11-11 00:01 --------- d-----w c:\program files\ICQ
2008-11-10 23:57 --------- d-----w c:\program files\Google
2008-11-10 22:21 --------- d-----w c:\program files\Trend Micro
2008-11-10 13:48 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-10 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 16:47 --------- d-----w c:\program files\SourceTec
2008-11-07 16:15 673,610 ----a-w c:\windows\unins001.exe
2008-11-07 16:15 --------- d-----w c:\program files\Common Files\SourceTec
2008-11-07 02:02 --------- d-----w c:\program files\WinUtilities
2008-11-07 02:01 --------- d-----w c:\program files\Smart CD Catalog PRO
2008-11-06 01:10 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2008-10-31 01:06 --------- d-----w c:\program files\Winamp
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2006-04-27 05:15 32 ----a-r c:\documents and settings\All Users\hash.dat
2005-06-30 21:29 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-10-30 17:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-30 17:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-30 17:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-30 17:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-30 17:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-29_ 1.24.19.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-29 06:07:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-29 10:19:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-29 06:07:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-29 10:19:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2001-07-09 15:50:42 155,648 ----a-w c:\windows\system32\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D99D8C80-287F-4E53-AB64-B2225DB42F83}]
2006-05-24 16:06 237568 --a------ c:\program files\They're Alive!\TheyreAlive.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-13 286720]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]
"CARPService"="carpserv.exe" [2001-12-23 c:\windows\system32\carpserv.exe]
"NvMediaCenter"="NvMCTray.dll" [2003-07-28 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-04-09 113664]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-11-26 575488]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-05-06 25214]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-04-17 118784]
TabUserW.lnk - c:\program files\Wacom\TabUserW.exe [2003-12-19 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"SENTINEL"= snti386.dll
"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
"avast!"=c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
"BDMCon"="c:\program files\Softwin\BitDefender10\bdmcon.exe" /reg
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 bbcap;bbcap;c:\windows\system32\DRIVERS\bbcap.sys [2007-02-20 2944]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 03eE;03eE;\??\c:\windows\system32\03eE.sys []
S3 04c8;04c8;\??\c:\windows\system32\04c8.sys []
S3 38c12;38c12;\??\c:\windows\system32\38c12.sys []
S3 5b615;5b615;\??\c:\windows\system32\5b615.sys []
S3 71c5;71c5;\??\c:\windows\system32\71c5.sys []
S3 830C;830C;\??\c:\windows\system32\830C.sys []
S3 9cfD;9cfD;\??\c:\windows\system32\9cfD.sys []
S3 b9916;b9916;\??\c:\windows\system32\b9916.sys []
S3 ba49;ba49;\??\c:\windows\system32\ba49.sys []
S3 bae6;bae6;\??\c:\windows\system32\bae6.sys []
S3 bcf11;bcf11;\??\c:\windows\system32\bcf11.sys []
S3 c124;c124;\??\c:\windows\system32\c124.sys []
S3 d89A;d89A;\??\c:\windows\system32\d89A.sys []
S3 eb710;eb710;\??\c:\windows\system32\eb710.sys []
S3 f4714;f4714;\??\c:\windows\system32\f4714.sys []
S3 NUVision;NUVision II Video Service;c:\windows\system32\DRIVERS\nuvvid2.sys [2008-08-07 153760]
S3 PORTMON;PORTMON;\??\c:\documents and settings\Administrator\Desktop\error 1058 cure\System Tools\PortMon\PORTMSYS.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1330b9cb-6ed6-11dd-a179-004063c1dc25}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-12-28 c:\windows\Tasks\User_Feed_Synchronization-{D221CB62-48C5-47C9-87F5-7E91DE622B84}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Mea\mbam.exe
Notify-iifgHxXp - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wzzm13.com/
mStart Page = hxxp://www.wzzm13.com/
mSearch Bar = hxxp://www.google.com/ie
mWindow Title = Smile God the Universe Loves You
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &eBay Search
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: Explore with &Instant Source
IE: ImTranslator
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Save Flash by &GetFlash
IE: Sothink SWF Catcher
IE: {{8BD5271D-69C9-4467-882D-5139952D7754} - {3DC8D6D6-AFF0-45CC-A847-E5012F60BA57} - c:\program files\Instant Source\isrc.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

O16 -: {352797A0-EFD0-4FA6-B229-145120EA4B8A}

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf

O16 -: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}

O16 -: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}

O16 -: {EF148DBB-5B6D-4130-B2A1-661571E86260}

O16 -: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 09:57:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-12-29 10:04:35
ComboFix-quarantined-files.txt 2008-12-29 15:03:17
ComboFix2.txt 2008-12-29 06:32:42

Pre-Run: 7,700,447,232 bytes free
Post-Run: 7,705,812,992 bytes free

337 --- E O F --- 2008-12-26 09:20:33

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HiJackThis.Log................................................................................

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:33 AM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TheyreAliveIE Class - {D99D8C80-287F-4E53-AB64-B2225DB42F83} - C:\Program Files\They're Alive!\TheyreAlive.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} -
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 13657 bytes

Edited by 232xanax232, 29 December 2008 - 11:18 AM.

“When one door closes another door opens; but we so often
look so long and so regretfully upon the closed door, that
we do not see the ones which open for us.”
--Alexander Graham Bell


#12 232xanax232 (Topic Starter, Members, 24 posts)

Posted 29 December 2008 - 12:58 PM

McAfee keeps bugging me about the Tool-NirCmd in the System Volume Information\Restore Point that ComboFix created the first time I ran it, before you had me delete the last couple of files. Is it OK to let McAfee delete this file? Or should I just go into System Restore and stop monitoring it, and then in Disk Cleanup have it remove the restore points?
I should let you know that McAfee's alert box will not stay shut; it keeps popping up every time I close the box. It's waiting for a decision. I just don't want to do something that may change your method of operation against this beast we are fighting, and may I say you're doing a fine job at that.

I sure don't want the buggers getting out and spreading themselves around on the computer again.

3:00 UPDATE: I wound up stopping monitoring at the restore point and cleared all the restore points. I then rebooted, started monitoring again and created a new restore point. Just to let you know.

Edited by 232xanax232, 29 December 2008 - 02:55 PM.



#13 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 29 December 2008 - 07:37 PM

Sorry, had to work; couldn't reply until now.

Yes, nircmd is a file that ComboFix uses; not a problem deleting it, we shouldn't be needing ComboFix anymore.
===================================
How are things running now?
Any remaining issues?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#14 232xanax232 (Topic Starter, Members, 24 posts)

Posted 29 December 2008 - 10:54 PM

So far everything seems to be running smoothly. I started a Kaspersky scan a few hours ago to see if it finds anything.
I knew that there had to be a couple of hidden files in there somewhere.
It's just like that a.exe file: it came out of nowhere, I deleted it and things were quiet, then it just appeared quite some time later out of the blue and did this to my system.

It wouldn't be bad if I had been dealing with just one infection. As soon as this thing got its foot in the door, it made connections to the outside world and ran full bore downloading everything it could onto my system.

Although this is how things were when Panda helped me out: everything was running like a champ and everything was showing green. Then a.exe showed up.

I burnt some DVDs during that time. Do you think it could be hidden on some of the discs? They were video tuts, so it would have to be a hidden file.
I got this bugger from visiting a link off a graphics forum; it was in an iframe. Goofball me, I had just changed my ActiveX setting because I thought the site was safe and I was tired of clicking the info bar. I notified the guy whose site the link was on, but he deleted the link before I could get the addy from it.

I'm going through and deleting all the viruses/trojans that are in quarantine in my scanners. I sent a bunch in. I have never ever been compromised like this one; nasty butt black hatters.

Do you happen to know a site that lists what settings you should have in your Internet security properties? Most of my stuff has wound up being reset to default or worse.

So how did everything look in the logs? I hope we got everything. Like they say, that which is hidden shall be revealed; I hope that's the case this time around.

Well, the results are in on the Kaspersky scan: clean, but that's what it said when I had those files that needed deleting.
I'll restart the computer a few times because that seemed to have something to do with its respawning; it must load in some deep files. Anyway, here are the results of the scan. Let me know if you see anything in all the latest logs I sent you.



#15 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 29 December 2008 - 11:56 PM

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

c:\windows\system32\03eE.sys
c:\windows\system32\04c8.sys
c:\windows\system32\eb710.sys
c:\windows\system32\f4714.sys

Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete; please copy and paste those results in your next post.
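An added example, not code from this thread, from ComboFix or from any of the scanners named in it. Two things in the thread motivate it: the S3 block in the ComboFix log above (fifteen drivers with four- or five-character hex service names registered straight out of system32, each with an empty `[]` where ComboFix normally prints the image file's date and size), and kahdah's request to submit four of those .sys files to Jotti or VirusTotal. The Python below parses ComboFix-style service lines (the sample is copied from the log, with legitimate entries left in for contrast), scores that dropper-loader pattern, and for any image that does exist on the host produces the MD5/SHA-1/SHA-256 an online scanner accepts for a hash lookup, so nothing has to be uploaded. The three-signal scoring, the reading of `[]` as "file could not be read, usually because it is gone", and the `https://www.virustotal.com/gui/file/<sha256>` URL form are assumptions of this example.

```python
"""Triage ComboFix service/driver lines and prep hash lookups for the
flagged images. Example code; not part of ComboFix or the forum thread."""
import hashlib
import re

# Constructed sample: lines copied from the ComboFix driver list in the
# thread. '[]' with no date/size is how ComboFix reports an image file it
# could not read, usually because the file is no longer present (assumption).
SAMPLE_LINES = r"""
R1 bbcap;bbcap;c:\windows\system32\DRIVERS\bbcap.sys [2007-02-20 2944]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
S3 03eE;03eE;\??\c:\windows\system32\03eE.sys []
S3 04c8;04c8;\??\c:\windows\system32\04c8.sys []
S3 38c12;38c12;\??\c:\windows\system32\38c12.sys []
S3 f4714;f4714;\??\c:\windows\system32\f4714.sys []
S3 NUVision;NUVision II Video Service;c:\windows\system32\DRIVERS\nuvvid2.sys [2008-08-07 153760]
S3 PORTMON;PORTMON;\??\c:\documents and settings\Administrator\Desktop\error 1058 cure\System Tools\PortMon\PORTMSYS.SYS []
"""

# <start type> <service name>;<display name>;<image path> [<date size>]
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
HEX_NAME_RE = re.compile(r"[0-9a-fA-F]{4,5}")  # '03eE', '38c12', ...


def parse_service_line(line):
    """Return a dict for one ComboFix service line, or None if it isn't one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # ComboFix prints the raw ImagePath; drop the NT object-manager '\??\' prefix.
    if entry["path"].startswith("\\??\\"):
        entry["path"] = entry["path"][4:]
    entry["meta"] = entry["meta"].strip()
    return entry


def triage(entry):
    """Score the loader pattern seen in the log: short random-hex service name,
    image directly in system32 (not the DRIVERS subfolder), no file metadata.
    3 signals -> 'suspicious', 1-2 -> 'review', 0 -> 'ok' (thresholds assumed)."""
    lower = entry["path"].lower()
    directory = lower.rsplit("\\", 1)[0] if "\\" in lower else ""
    signals = {
        "hex_name": bool(HEX_NAME_RE.fullmatch(entry["name"])),
        "system32_root": directory.endswith("\\windows\\system32"),
        "no_metadata": entry["meta"] == "",
    }
    score = sum(signals.values())
    verdict = "suspicious" if score == 3 else ("review" if score else "ok")
    return verdict, signals


def triage_log(text):
    """Parse every service line in `text`; return {service name: verdict}."""
    results = {}
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry:
            results[entry["name"]] = triage(entry)[0]
    return results


def hash_bytes(data):
    """Digests VirusTotal/Jotti accept for a hash lookup, plus the VT web UI
    path for the SHA-256 (URL form assumed, not taken from the thread)."""
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": sha256,
        "vt_url": "https://www.virustotal.com/gui/file/" + sha256,
    }


def lookup_data(path):
    """Hash an image file for an online lookup; None if it is not on disk,
    which is what an empty '[]' in the ComboFix line already hints at."""
    try:
        with open(path, "rb") as fh:
            return hash_bytes(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for line in SAMPLE_LINES.splitlines():
        entry = parse_service_line(line)
        if not entry:
            continue
        verdict, _ = triage(entry)
        print(f"{verdict:10} {entry['name']:10} {entry['path']}")
        if verdict != "ok":
            info = lookup_data(entry["path"])
            print("           " + (info["vt_url"] if info else "image file not found on this host"))
```

Run it on the machine being cleaned (or on a copy of the ComboFix log with the drivers still in place): entries that come back "suspicious" and still resolve to a file get a VirusTotal URL you can open without uploading anything; entries whose file is already gone are exactly the ones an online scanner cannot help with, and the stale service registration is what remains to remove. PORTMON lands in "review" on the single missing-file signal, which is the right outcome for a Sysinternals driver whose .sys was simply deleted.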



