
Fake Spyware Guard 2008


This topic is locked
4 replies to this topic

#1 andrewch783
Members, 6 posts

Posted 23 December 2008 - 01:16 PM

Hey guys. I'm pretty sure I got a fake spyware guard among a few other things. I downloaded something and tried to install it and it got put on my computer. All of my search results that I click on from Google get redirected to some other search engine. I also cannot open firefox and my computer typically blue screens and restarts after about five or ten minutes of being logged on. Any help would be great.
Thanks
Andrew

Logfile of random's system information tool 1.05 (written by random/random)
Run by Andrew at 2008-12-23 12:16:01
Microsoft® Windows Vista™ Ultimate Service Pack 1
System drive C: has 151 GB (66%) free of 228 GB
Total RAM: 3062 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:04 PM, on 12/23/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Andrew\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Andrew.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunServices: [Windows Service Processor] lssa.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Lsass Service] C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe
O4 - HKCU\..\Run: [Adobe System Update] C:\Users\Andrew\AppData\Local\Temp\IXP002.TMP\Adobe_Update.exe
O4 - HKCU\..\Run: [Java Runtime Update] C:\Users\Andrew\AppData\Local\Temp\IXP002.TMP\Java Update.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 5900 bytes

======Scheduled tasks folder======

C:\Windows\tasks\jwvbrhbz.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-07-28 2549368]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"ECenter"=C:\Dell\E-Center\EULALauncher.exe [2008-02-28 17920]
"Apoint"=C:\Program Files\DellTPad\Apoint.exe [2008-02-21 159744]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-02-21 4907008]
"Broadcom Wireless Manager UI"=C:\Windows\system32\WLTRAY.exe [2008-05-16 3444736]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-07-29 150040]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-07-29 178712]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-07-29 154136]
"XboxStat"=C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [2007-09-26 734264]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-23 68856]
"Lsass Service"=C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe [2008-12-22 66560]
"Adobe System Update"=C:\Users\Andrew\AppData\Local\Temp\IXP002.TMP\Adobe_Update.exe []
"Java Runtime Update"=C:\Users\Andrew\AppData\Local\Temp\IXP002.TMP\Java Update.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
C:\Program Files\GameSpy\Comrade\Comrade.exe [2007-06-29 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2008-03-11 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gadcom]
C:\Users\Andrew\AppData\Roaming\gadcom\gadcom.exe [2008-12-22 56832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-23 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd]
C:\Users\Andrew\AppData\Local\Temp\csrssc.exe [2008-12-22 22017]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc9jfj0eg9q]
C:\Windows\system32\lphc9jfj0eg9q.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Users\Andrew\AppData\Local\Temp\geBuTjGV.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSMSGS]
winpfp32.rom []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\s9201]
C:\ProgramData\Secure Solutions\Antispyware 2008 XP\as2008xp.exe [2008-08-12 1234432]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-23 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Processor]
C:\Windows\system32\lssa.exe [2008-10-29 62989]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]
C:\Windows\system32\Updater.exe [2008-12-22 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xsjfn83jkemfofght]
C:\Users\Andrew\AppData\Local\Temp\winlogin.exe [2008-12-22 15000]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-07-29 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"﫤wx@3w"="﫤wx@3w:*:Enabled:Windows Service Processor"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0724b248-6845-11dd-9de8-0021709f0803}]
shell\AutoRun\command - G:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf9666ab-d083-11dd-b148-0021709f0803}]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d25350a6-bfe2-11dd-87db-0021709f0803}]
shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e89cae6d-bf36-11dd-a94c-0021709f0803}]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e89cafa3-bf36-11dd-a94c-0021709f0803}]
shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed7e80da-67f1-11dd-9352-9f5695fe8617}]
shell\AutoRun\command - F:\SETUP.EXE


======List of files/folders created in the last 1 months======

2008-12-22 18:24:04 ----D---- C:\rsit
2008-12-22 16:42:52 ----A---- C:\Windows\system32\sn.txt
2008-12-22 16:42:52 ----A---- C:\Windows\search.yahoo.com-error.html
2008-12-22 16:42:50 ----A---- C:\Windows\live.com-error.html
2008-12-22 16:42:48 ----A---- C:\Windows\google.com-error.html
2008-12-22 16:42:46 ----A---- C:\Windows\gmail.com-error.html
2008-12-22 16:42:42 ----A---- C:\Windows\aol.com-error.html
2008-12-22 16:42:32 ----D---- C:\Users\Andrew\AppData\Roaming\gadcom
2008-12-22 16:42:32 ----A---- C:\Windows\system32\other.txt
2008-12-22 16:42:30 ----A---- C:\Windows\system32\finance.txt
2008-12-22 16:42:27 ----A---- C:\Windows\system32\pharma.txt
2008-12-22 16:42:24 ----A---- C:\Windows\system32\adult.txt
2008-12-22 16:42:22 ----A---- C:\Windows\system32\winscenter.exe
2008-12-22 16:42:21 ----A---- C:\Windows\vmreg.dll
2008-12-22 16:42:21 ----A---- C:\Windows\sysexplorer.exe
2008-12-22 16:42:21 ----A---- C:\Windows\syscert.exe
2008-12-22 16:42:21 ----A---- C:\Windows\sys.com
2008-12-22 16:42:21 ----A---- C:\Windows\spoolsystem.exe
2008-12-22 16:42:21 ----A---- C:\Windows\reged.exe
2008-12-22 16:42:19 ----A---- C:\eoscmb.exe
2008-12-22 16:42:13 ----A---- C:\iuuksh.exe
2008-12-22 16:42:09 ----A---- C:\Windows\system32\sxmg4.dll
2008-12-22 16:42:00 ----D---- C:\ProgramData\CrucialSoft Ltd
2008-12-22 16:42:00 ----A---- C:\Windows\system32\Updater.exe
2008-12-22 16:42:00 ----A---- C:\ProgramData\svhost.exe
2008-12-22 16:41:59 ----A---- C:\fogdhay.exe
2008-12-22 16:41:56 ----RSHD---- C:\resycled
2008-12-22 16:41:48 ----A---- C:\Windows\system32\jkse73hedfdgf.dll
2008-12-18 03:00:37 ----A---- C:\Windows\system32\mshtml.dll
2008-12-11 03:02:38 ----A---- C:\Windows\system32\tzres.dll
2008-12-10 23:38:22 ----A---- C:\Windows\system32\gdi32.dll
2008-12-10 23:38:18 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-12-10 23:38:18 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-12-10 23:38:14 ----A---- C:\Windows\system32\wininet.dll
2008-12-10 23:38:14 ----A---- C:\Windows\system32\urlmon.dll
2008-12-10 23:38:14 ----A---- C:\Windows\system32\ieframe.dll
2008-12-10 23:38:13 ----A---- C:\Windows\system32\mstime.dll
2008-12-10 23:38:13 ----A---- C:\Windows\system32\jsproxy.dll
2008-12-10 23:38:13 ----A---- C:\Windows\system32\iertutil.dll
2008-12-10 23:38:11 ----RSH---- C:\Windows\system32\lssa.exe
2008-12-10 23:38:11 ----A---- C:\Windows\explorer.exe
2008-12-10 23:38:08 ----A---- C:\Windows\system32\shell32.dll
2008-12-10 23:38:04 ----A---- C:\Windows\system32\mf.dll
2008-12-10 23:38:03 ----A---- C:\Windows\system32\WMVCORE.DLL
2008-12-10 23:38:03 ----A---- C:\Windows\system32\WMNetMgr.dll
2008-12-10 23:38:03 ----A---- C:\Windows\system32\logagent.exe
2008-12-10 20:42:59 ----D---- C:\Windows\Sun
2008-12-10 20:14:28 ----A---- C:\Windows\system32\unrar.dll
2008-12-10 20:14:28 ----A---- C:\Windows\system32\rmoc3260.dll
2008-12-10 20:14:28 ----A---- C:\Windows\system32\pndx5032.dll
2008-12-10 20:14:28 ----A---- C:\Windows\system32\pndx5016.dll
2008-12-10 20:14:28 ----A---- C:\Windows\system32\pncrt.dll
2008-12-10 20:14:28 ----A---- C:\Windows\avisplitter.ini
2008-12-10 20:14:27 ----A---- C:\Windows\system32\yv12vfw.dll
2008-12-10 20:14:27 ----A---- C:\Windows\system32\huffyuv.dll
2008-12-10 20:14:26 ----A---- C:\Windows\system32\xvidvfw.dll
2008-12-10 20:14:26 ----A---- C:\Windows\system32\xvidcore.dll
2008-12-10 20:14:26 ----A---- C:\Windows\system32\x264vfw.dll
2008-12-10 20:14:26 ----A---- C:\Windows\system32\vp7vfw.dll
2008-12-10 20:14:26 ----A---- C:\Windows\system32\vp6vfw.dll
2008-12-10 20:14:26 ----A---- C:\Windows\system32\qt-dx331.dll
2008-12-10 20:14:26 ----A---- C:\Windows\system32\dpl100.dll
2008-12-10 20:14:25 ----A---- C:\Windows\system32\divx.dll
2008-12-10 20:14:24 ----A---- C:\Windows\system32\ff_vfw.dll.manifest
2008-12-10 20:14:24 ----A---- C:\Windows\system32\ff_vfw.dll
2008-12-10 20:14:23 ----D---- C:\Users\Andrew\AppData\Roaming\Real
2008-12-10 20:14:23 ----D---- C:\ProgramData\Real
2008-12-10 20:14:23 ----D---- C:\Program Files\K-Lite Codec Pack
2008-12-05 14:03:29 ----D---- C:\.jagex_cache_32
2008-12-02 02:58:29 ----D---- C:\Program Files\MSXML 4.0
2008-11-30 21:32:36 ----D---- C:\ProgramData\WEBREG
2008-11-30 21:30:51 ----D---- C:\Users\Andrew\AppData\Roaming\HP
2008-11-30 21:28:12 ----D---- C:\ProgramData\HPSSUPPLY
2008-11-30 21:27:58 ----D---- C:\Program Files\Common Files\HP
2008-11-30 21:27:41 ----D---- C:\Program Files\Hewlett-Packard
2008-11-30 21:27:31 ----D---- C:\Program Files\Common Files\Hewlett-Packard
2008-11-30 19:20:48 ----D---- C:\Program Files\HP
2008-11-30 19:20:46 ----HD---- C:\Config.Msi
2008-11-25 14:12:12 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2008-11-25 14:12:08 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2008-11-25 14:12:08 ----A---- C:\Windows\system32\WindowsCodecs.dll
2008-11-25 14:12:08 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2008-11-25 14:12:05 ----A---- C:\Windows\system32\connect.dll
2008-11-25 13:13:55 ----D---- C:\Program Files\Microsoft Xbox 360 Accessories
2008-11-25 12:37:25 ----D---- C:\Program Files\Project64 1.6

======List of files/folders modified in the last 1 months======

2008-12-23 12:16:04 ----D---- C:\Windows\Temp
2008-12-23 12:16:04 ----D---- C:\Windows\Prefetch
2008-12-23 12:11:55 ----D---- C:\Windows\Minidump
2008-12-23 12:11:46 ----D---- C:\Windows
2008-12-23 12:04:44 ----A---- C:\Windows\ntbtlog.txt
2008-12-23 12:03:46 ----D---- C:\Program Files\Mozilla Firefox
2008-12-22 18:34:06 ----D---- C:\Windows\System32
2008-12-22 18:34:06 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-12-22 18:34:05 ----D---- C:\Windows\inf
2008-12-22 17:41:34 ----D---- C:\Windows\system32\drivers
2008-12-22 17:06:19 ----RD---- C:\Program Files
2008-12-22 16:43:39 ----D---- C:\Users\Andrew\AppData\Roaming\uTorrent
2008-12-22 16:42:59 ----SHD---- C:\System Volume Information
2008-12-22 16:42:35 ----D---- C:\Windows\Tasks
2008-12-22 16:42:21 ----SD---- C:\ProgramData\Microsoft
2008-12-22 16:42:00 ----HD---- C:\ProgramData
2008-12-18 03:00:55 ----D---- C:\Windows\winsxs
2008-12-18 03:00:49 ----D---- C:\Windows\system32\catroot
2008-12-18 03:00:47 ----D---- C:\Windows\system32\catroot2
2008-12-11 03:28:02 ----D---- C:\Windows\rescache
2008-12-11 03:09:59 ----D---- C:\Windows\system32\en-US
2008-12-11 03:09:59 ----D---- C:\Windows\AppPatch
2008-12-11 03:09:59 ----D---- C:\Program Files\Windows Mail
2008-12-11 03:04:55 ----SHD---- C:\Windows\Installer
2008-12-11 03:04:49 ----D---- C:\ProgramData\Microsoft Help
2008-11-30 21:59:25 ----D---- C:\ProgramData\HP
2008-11-30 21:30:43 ----A---- C:\Windows\win.ini
2008-11-30 21:27:58 ----D---- C:\Program Files\Common Files
2008-11-30 21:27:48 ----D---- C:\Windows\twain_32
2008-11-25 12:37:27 ----SD---- C:\Users\Andrew\AppData\Roaming\Microsoft
2008-11-24 23:11:07 ----D---- C:\Program Files\Common Files\InstallShield

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2008-07-19 23152]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-20 350720]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 51280]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP/Vista; C:\Windows\system32\DRIVERS\Apfiltr.sys [2008-02-21 155136]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2008-05-16 1044984]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-07-29 2457088]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-02-21 2054872]
R3 O2MDRDR;O2MDRDR; C:\Windows\system32\DRIVERS\o2media.sys [2008-02-21 48472]
R3 O2SDRDR;O2SDRDR; C:\Windows\system32\DRIVERS\o2sd.sys [2008-02-21 43480]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-02-22 106496]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
S3 a9jicswi;a9jicswi; C:\Windows\system32\drivers\a9jicswi.sys []
S3 BCM42RLY;BCM42RLY; C:\Windows\system32\drivers\BCM42RLY.sys []
S3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-20 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-20 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-20 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-20 220672]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S3 xnacc;XBOX 360 Controller For Windows Driver Service; C:\Windows\system32\DRIVERS\xnacc.sys [2008-01-20 521216]
S3 xusb21;Xbox 360 Wireless Receiver Driver Service 21; C:\Windows\system32\DRIVERS\xusb21.sys [2007-08-28 55808]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-08-12 611664]
R2 AERTFilters;Andrea RT Filters Service; C:\Windows\system32\AERTSrv.exe [2008-02-21 77824]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\Windows\System32\WLTRYSVC.EXE [2008-05-16 24064]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-01-20 33800]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-20 523776]
S3 GoogleDesktopManager-010708-104812;Google Desktop Manager 5.7.801.7324; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-23 29744]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-23 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-20 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-20 917504]
S4 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2008-10-15 66872]

-----------------EOF-----------------

Edited by andrewch783, 24 December 2008 - 01:49 AM.
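Triage heuristics for the startup and policy lines in a HijackThis log, as an added example that is not part of this thread and not a tool from HijackThis or BleepingComputer. It encodes the tells a log reader looks for in the O4 and O7 lines above: a genuine system-binary name (lsass.exe) running from a user profile, autostarts launched from Temp, a bare filename with no path, an entry under the Windows 9x-era RunServices key, and policy values that lock the user out of regedit. The sample lines are constructed to mirror entries in the log above; the name list, directory patterns and policy list are my assumptions and will produce false positives on real systems.

```python
"""Flag suspicious O4 (autostart) and O7 (policy) lines from a HijackThis log.

Added example for this thread; not HijackThis code. The heuristics and the
sample log below are constructed for illustration.
"""
import re

# Genuine Windows binaries that malware commonly copies by name. One of these
# running from anywhere except %SystemRoot%\System32 (or SysWOW64) is a tell.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "winlogon.exe", "svchost.exe",
                "explorer.exe", "services.exe", "spoolsv.exe"}

# Directories a legitimate autostart rarely launches from (assumed list).
SUSPECT_DIRS = re.compile(
    r"\\(appdata\\local\\temp|temp|appdata\\roaming\\microsoft\\windows)\\",
    re.IGNORECASE)

# Policies that lock the user out of admin tooling (assumed list).
TOOL_LOCKOUT_POLICIES = {"disableregedit", "disableregistrytools",
                         "disabletaskmgr", "nofolderoptions", "nocontrolpanel"}

# O4 line shape: "O4 - HKLM\..\Run: [Name] C:\path\file.exe args"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O7 line shape: "O7 - HKCU\...\Policies\System, DisableRegedit=1"
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<policy>\w+)=(?P<value>\S+)$")


def _exe_path(cmd: str) -> str:
    """Return the executable part of a command line (quoted, or up to '.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted path that may contain spaces: cut after the first '.exe' token.
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def classify_o4(line: str) -> list:
    """Return the reasons an O4 line looks suspicious (empty list if none)."""
    m = O4_RE.match(line)
    if not m:
        return []
    reasons = []
    path = _exe_path(m.group("cmd"))
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    in_system32 = "\\windows\\system32\\" in low or "\\windows\\syswow64\\" in low
    if base in SYSTEM_NAMES and not in_system32:
        reasons.append(f"system binary name '{base}' outside System32: {path}")
    if SUSPECT_DIRS.search(low):
        reasons.append(f"autostart from temp/profile directory: {path}")
    if "\\" not in low:
        reasons.append(f"bare filename, resolved via PATH at logon: {path}")
    if m.group("key").lower() == "runservices":
        reasons.append("entry under RunServices, a Windows 9x-era key rarely used legitimately")
    return reasons


def classify_o7(line: str) -> list:
    """Return the reasons an O7 policy line looks suspicious (empty if none)."""
    m = O7_RE.match(line)
    if not m:
        return []
    if m.group("policy").lower() in TOOL_LOCKOUT_POLICIES and m.group("value") != "0":
        return [f"policy {m.group('policy')}={m.group('value')} locks the user out of admin tooling"]
    return []


def triage(lines) -> list:
    """Return (line, reasons) pairs for every line that trips a heuristic."""
    findings = []
    for line in lines:
        reasons = classify_o4(line) or classify_o7(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample mirroring the kind of entries in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [Windows Service Processor] lssa.exe
O4 - HKCU\..\Run: [Lsass Service] C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe
O4 - HKCU\..\Run: [Java Runtime Update] C:\Users\Andrew\AppData\Local\Temp\IXP002.TMP\Java Update.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
""".strip()


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG.splitlines()):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The two Windows Defender and Adobe lines pass clean; the other four are flagged, which matches what a log reader would single out by eye. The heuristics are a first cut only: a vendor installing into %AppData% or an unquoted path with spaces will trip them, so every hit still needs a look at the file itself.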



#2 PropagandaPanda
Malware Response Team, 10,433 posts

Posted 31 December 2008 - 03:03 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your issue.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please disable all realtime protections you have enabled. Refer to this page if you are unsure how.

Disable Avast!'s realtime protection by right clicking on the tray icon beside your clock and selecting Stop On-Access Protection.

In the settings:
[screenshot]

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your copy and download a new one. If the computer is unable to download ComboFix, use a removable media to transfer the file.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshots]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Please also include a new HijackThis or DDS log.

Give me an update on symptoms you have right now.

With Regards,
The Panda

#3 andrewch783 (Topic Starter)
Members, 6 posts

Posted 31 December 2008 - 05:31 PM

ComboFix 08-12-30.02 - Andrew 2008-12-31 16:07:33.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3062.1936 [GMT -6:00]
Running from: c:\users\Andrew\Desktop\ComboFix1.exe
AV: avast! antivirus 4.8.1229 [VPS 081015-0] *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\programdata\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\programdata\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\Secure Solutions
c:\programdata\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
c:\programdata\Secure Solutions\Antispyware 2008 XP\LOG\20080812020546682.log
c:\programdata\Secure Solutions\Antispyware 2008 XP\LOG\20080812024117765.log
c:\programdata\svhost.exe
C:\resycled
c:\resycled\boot.com
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\users\Andrew\AppData\Roaming\gadcom
c:\users\Andrew\AppData\Roaming\gadcom\gadcom.exe
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe
c:\windows\homepage.html
c:\windows\index.html
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\adult.txt
c:\windows\system32\drivers\msqpdxrdjnrwcn.sys
c:\windows\system32\drivers\TDSSbbcb.sys
c:\windows\system32\finance.txt
c:\windows\system32\jkse73hedfdgf.dll
c:\windows\system32\lt.res
c:\windows\system32\msqpdxvvxnxevq.dll
c:\windows\system32\other.txt
c:\windows\system32\pharma.txt
c:\windows\system32\sft.res
c:\windows\system32\sn.txt
c:\windows\system32\sxmg4.dll
c:\windows\system32\TDSScrrx.dll
c:\windows\system32\TDSSdrqx.dll
c:\windows\system32\TDSSfopt.dll
c:\windows\system32\TDSSnbcb.dat
c:\windows\system32\TDSSntlv.log
c:\windows\system32\TDSSnyfn.log
c:\windows\system32\TDSSqycx.log
c:\windows\system32\TDSSrfpp.dll
c:\windows\system32\TDSStmei.dll
c:\windows\system32\TDSSwqsc.dll
c:\windows\system32\Updater.exe
c:\windows\system32\winscenter.exe
c:\windows\vmreg.dll
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

----- BITS: Possible infected sites -----

hxxp://www.datingnoon.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Service_MSQPDXSERV.SYS
-------\Service_MSQPDXSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-22 18:24 . 2008-12-22 18:24 <DIR> d-------- C:\rsit
2008-12-22 16:42 . 2008-12-22 16:42 <DIR> d-------- c:\users\All Users\CrucialSoft Ltd
2008-12-22 16:42 . 2008-12-22 16:42 <DIR> d-------- c:\programdata\CrucialSoft Ltd
2008-12-22 16:42 . 2008-12-22 16:42 108,336 --a------ c:\windows\System32\mswinsck.ocx
2008-12-22 16:42 . 2008-12-22 16:42 16,451 --a------ c:\windows\gmail.com-error.html
2008-12-22 16:42 . 2008-12-22 16:42 6,182 --a------ c:\windows\live.com-error.html
2008-12-22 16:42 . 2008-12-22 16:42 5,596 --a------ c:\windows\aol.com-error.html
2008-12-22 16:42 . 2008-12-22 16:42 3,696 --a------ c:\windows\google.com-error.html
2008-12-22 16:42 . 2008-12-22 16:42 1,997 --a------ c:\windows\search.yahoo.com-error.html
2008-12-22 16:42 . 2008-12-22 16:42 705 --a------ C:\iuuksh.exe
2008-12-22 16:42 . 2008-12-22 16:42 705 --a------ C:\eoscmb.exe
2008-12-22 16:42 . 2008-12-22 16:42 2 --a------ C:\847830821
2008-12-22 16:41 . 2008-12-22 16:42 29,701 --a------ C:\fogdhay.exe
2008-12-11 03:02 . 2008-10-21 19:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 20:42 . 2008-12-10 20:42 <DIR> d-------- c:\windows\Sun
2008-12-10 20:14 . 2008-12-10 20:14 <DIR> d-------- c:\users\All Users\Real
2008-12-10 20:14 . 2008-12-10 20:14 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-05 14:03 . 2008-12-05 16:52 <DIR> d-------- C:\.jagex_cache_32
2008-12-05 14:03 . 2008-12-05 17:02 31 --a------ c:\users\Andrew\jagex_runescape_preferences.dat
2008-12-02 02:58 . 2008-12-02 02:58 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-01 15:04 . 2008-12-01 15:04 <DIR> d-------- c:\users\Guest\AppData\Roaming\HP
2008-11-30 21:32 . 2008-11-30 21:32 <DIR> d-------- c:\users\All Users\WEBREG
2008-11-30 21:32 . 2008-11-30 21:32 <DIR> d-------- c:\programdata\WEBREG
2008-11-30 21:30 . 2008-11-30 21:59 <DIR> d-------- c:\users\Andrew\AppData\Roaming\HP
2008-11-30 21:28 . 2008-11-30 21:28 <DIR> d-------- c:\users\All Users\HPSSUPPLY
2008-11-30 21:28 . 2008-11-30 21:28 <DIR> d-------- c:\programdata\HPSSUPPLY
2008-11-30 21:27 . 2008-11-30 21:27 <DIR> d-------- c:\program files\Hewlett-Packard
2008-11-30 21:27 . 2008-11-30 21:30 <DIR> d-------- c:\program files\Common Files\HP
2008-11-30 21:27 . 2008-11-30 21:27 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-11-30 19:20 . 2008-11-30 21:30 <DIR> d-------- c:\program files\HP
2008-11-30 19:17 . 2008-11-30 21:33 130,410 --a------ c:\windows\hpoins13.dat
2008-11-25 21:54 . 2006-05-01 20:47 1,380,476 --a------ c:\users\Andrew\VisualBoyAdvance.exe
2008-11-25 14:12 . 2008-10-20 23:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 14:12 . 2008-08-27 21:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 14:12 . 2008-08-27 21:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 14:12 . 2008-08-27 21:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 14:12 . 2008-10-21 21:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 13:13 . 2008-11-25 13:13 <DIR> d-------- c:\program files\Microsoft Xbox 360 Accessories
2008-11-25 12:37 . 2008-11-25 13:07 <DIR> d-------- c:\program files\Project64 1.6
2008-11-12 18:19 . 2008-09-09 21:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-12 18:19 . 2008-09-04 23:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-12 18:19 . 2008-08-26 19:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-08 22:01 . 2008-11-08 22:16 2,959 --a------ c:\windows\checkip.dat
2008-11-07 13:43 . 2008-10-16 15:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-07 13:43 . 2008-10-16 14:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-07 13:43 . 2008-10-16 15:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-07 13:43 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-07 13:43 . 2008-10-16 14:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-07 13:43 . 2008-10-16 15:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-07 13:43 . 2008-10-16 15:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-07 13:43 . 2008-10-16 15:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-07 13:43 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 22:43 --------- d-----w c:\users\Andrew\AppData\Roaming\uTorrent
2008-12-11 09:09 --------- d-----w c:\program files\Windows Mail
2008-12-11 09:04 --------- d-----w c:\programdata\Microsoft Help
2008-12-01 03:59 --------- d-----w c:\programdata\HP
2008-11-25 08:45 2,283,027 ----a-w c:\windows\System32\x264vfw.dll
2008-11-25 05:11 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-24 14:32 57,344 ----a-w c:\windows\System32\ff_vfw.dll
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-31 19:17 --------- d-----w c:\program files\XBCD
2008-10-31 18:52 --------- d-----w c:\program files\Alarian
2008-10-31 18:40 --------- d-----w c:\users\Andrew\AppData\Roaming\fretsonfire
2008-10-31 08:00 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2008-10-31 04:10 --------- d-----w c:\program files\Joy2Key
2008-10-29 06:29 62,989 --sh--r c:\windows\System32\lssa.exe
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-28 22:35 684,032 ----a-w c:\windows\System32\divx.dll
2008-10-28 03:58 --------- d-----w c:\program files\Diablo II
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-17 23:47 669,184 ----a-w c:\windows\System32\pbsvc.exe
2008-10-17 23:47 22,328 ----a-w c:\users\Andrew\AppData\Roaming\PnkBstrK.sys
2008-10-17 23:47 103,736 ----a-w c:\windows\System32\PnkBstrB.exe
2008-10-16 05:42 66,872 ----a-w c:\windows\System32\PnkBstrA.exe
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\System32\dpl100.dll
2008-09-19 21:57 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-04 03:05 94,208 ----a-w c:\windows\ScUnin.exe
2008-01-21 02:41 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-23 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-16 3444736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-29 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-29 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-29 154136]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-21 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service Processor"="lssa.exe" [2008-10-29 c:\windows\System32\lssa.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-02-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-06-29 14:03 36864 c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2008-03-11 11:44 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-07-23 10:46 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-23 10:46 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Processor]
-r-hs---- 2008-10-29 00:29 62989 c:\windows\System32\lssa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{288CB516-619D-432B-9938-9E1AD52486F6}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{3B9B5ECF-136D-4F53-8825-7D04E6D75D55}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{04805593-9985-4328-92BF-1677BC28000E}"= UDP:c:\program files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{58B44F9A-E39D-489D-A04A-1E2141DCD0F7}"= TCP:c:\program files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{6A57C32D-9296-4837-8E60-F7636A8DBAC6}"= UDP:c:\program files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{680EC565-6CCA-4911-B4AE-BC533270967E}"= TCP:c:\program files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{4417E2AA-A00B-4F9D-A395-1BFE2B94DAB5}"= UDP:c:\program files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{F0AD2086-A3C6-456A-AD70-B8BD9196E994}"= TCP:c:\program files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{1FB268D0-F232-481C-BC66-0D3A1F015F28}"= UDP:c:\program files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"{F4EC2AEF-26B1-4F6B-9904-EF40207E6119}"= TCP:c:\program files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"{7B64CFC2-05C3-4D50-A10D-DD27E441237D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{91623AA9-D1A9-49BF-9717-19ED1EF36440}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{212547ED-4197-403A-8981-8CA538938ABA}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B0905860-2D6E-45A2-9A1E-7BC235D4C260}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F2E92A7F-C8D8-4A5B-92BB-F673FB2B86B2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{FDF9AA71-9F44-472B-AFF9-3E911B910433}c:\\program files\\starcraft\\starcraft.exe"= UDP:c:\program files\starcraft\starcraft.exe:StarCraft
"UDP Query User{C9F47653-19CF-46EF-B66F-CA560599DE2F}c:\\program files\\starcraft\\starcraft.exe"= TCP:c:\program files\starcraft\starcraft.exe:StarCraft
"TCP Query User{C0B299F9-67FD-4956-ABEA-8720ED1DB881}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{30FD8B38-089F-45A5-B42F-2EE305B949D3}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{791C4293-BF37-4563-A158-A00654D8E6FA}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{18598393-E7B2-453C-A018-69B62289B76D}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{8EF77274-CBB5-4122-99BA-30713419F330}c:\\program files\\k-lite codec pack\\media player classic\\mplayerc.exe"= UDP:c:\program files\k-lite codec pack\media player classic\mplayerc.exe:Media Player Classic
"UDP Query User{4FB44B0D-8596-4E70-BE93-D8CCC7091779}c:\\program files\\k-lite codec pack\\media player classic\\mplayerc.exe"= TCP:c:\program files\k-lite codec pack\media player classic\mplayerc.exe:Media Player Classic
"TCP Query User{E1C68ADD-5C75-4D31-8EE2-519AA61A7616}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{7571216D-12EC-4190-B8C0-495977211D88}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++
"{FC170AA4-9EC7-4EDE-AF28-1DB69EFB636D}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{1163377C-A91F-4AC1-B867-A4B997E63E84}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{235B9F9E-D8D6-49C8-95CD-9ECDFF4DDB1E}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{1A49D973-B434-4D5C-A911-52D1E55DA894}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{C6FCF2BC-7554-48F0-8913-86557FFDC2D0}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{F43C3838-6D4B-409A-BAA3-81213F8B59D6}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"﫤wx@3w"= 﫤wx@3w:*:Enabled:Windows Service Processor

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-16 78416]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-07-23 77824]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-16 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-08-16 51280]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-07-23 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-07-23 43480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0724b248-6845-11dd-9de8-0021709f0803}]
\shell\AutoRun\command - G:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf9666ab-d083-11dd-b148-0021709f0803}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d25350a6-bfe2-11dd-87db-0021709f0803}]
\shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e89cae6d-bf36-11dd-a94c-0021709f0803}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e89cafa3-bf36-11dd-a94c-0021709f0803}]
\shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed7e80da-67f1-11dd-9352-9f5695fe8617}]
\shell\AutoRun\command - F:\SETUP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
rundll32 sxmg4.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\jwvbrhbz.job
- c:\windows\system32\rundll32.exe [2006-11-02 03:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Lsass Service - c:\users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe
MSConfigStartUp-gadcom - c:\users\Andrew\AppData\Roaming\gadcom\gadcom.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\users\Andrew\AppData\Local\Temp\csrssc.exe
MSConfigStartUp-lphc9jfj0eg9q - c:\windows\system32\lphc9jfj0eg9q.exe
MSConfigStartUp-MSServer - c:\users\Andrew\AppData\Local\Temp\geBuTjGV.dll
MSConfigStartUp-s9201 - c:\programdata\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
MSConfigStartUp-Windows Update - c:\windows\system32\Updater.exe
MSConfigStartUp-xsjfn83jkemfofght - c:\users\Andrew\AppData\Local\Temp\winlogin.exe
MSConfigStartUp-MSSMSGS - winpfp32.rom


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\xlva50k4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\program files\Mozilla Firefox\components\iamfamous.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 16:13:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\wlanext.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-31 16:16:27 - machine was rebooted [Andrew]
ComboFix-quarantined-files.txt 2008-12-31 22:16:20

Pre-Run: 157,681,709,056 bytes free
Post-Run: 158,167,113,728 bytes free

330 --- E O F --- 2008-12-22 20:22:43


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:04 PM, on 12/23/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Andrew\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Andrew.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunServices: [Windows Service Processor] lssa.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Lsass Service] C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe
O4 - HKCU\..\Run: [Adobe System Update] C:\Users\Andrew\AppData\Local\Temp\IXP002.TMP\Adobe_Update.exe
O4 - HKCU\..\Run: [Java Runtime Update] C:\Users\Andrew\AppData\Local\Temp\IXP002.TMP\Java Update.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 5900 bytes


Well, so far so good. My computer hasn't restarted itself since the fix. My wireless mouse keeps failing on me, but I'm going to guess that's because I need to replace the battery. Other than that everything is great.

Thanks for all your help,
Andrew

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 31 December 2008 - 06:27 PM

Hello Andrew.

Looks better. However..

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.
---------------
Once again, please disable your protection before we begin.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\System32\mswinsck.ocx
    c:\windows\gmail.com-error.html
    c:\windows\live.com-error.html
    c:\windows\aol.com-error.html
    c:\windows\google.com-error.html
    c:\windows\search.yahoo.com-error.html
    C:\iuuksh.exe
    C:\eoscmb.exe
    C:\847830821
    C:\fogdhay.exe
    c:\windows\System32\lssa.exe
    c:\windows\Tasks\jwvbrhbz.job
    
    Folder::
    c:\users\All Users\CrucialSoft Ltd
    c:\programdata\CrucialSoft Ltd
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Windows Service Processor"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Processor]
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "﫤wx@3w"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Follow the directions given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Re-enable your protection at this time.
With Regards,
The Panda

Edited by PropagandaPanda, 31 December 2008 - 06:27 PM.
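The CFScript in the post above removes entries that the helper picked out of the ComboFix and HijackThis logs by hand. The following is an added example, not part of the thread and not the helper's or ComboFix's code: a short Python script that encodes the tells behind those picks (an autostart image under AppData, Temp or a drive root; a name that copies or nearly copies a Windows system process, such as lssa.exe for lsass.exe or csrssc.exe for csrss.exe; a value in the Windows 9x-era RunServices key) and runs them over autostart lines in HijackThis O4 and ComboFix orphan format. The SYSTEM_BINARIES list, the directory patterns and the edit-distance threshold of 2 are assumptions chosen for illustration; the sample lines are copied from the logs posted earlier in this thread.

```python
"""Triage autostart entries from a HijackThis (O4) or ComboFix log for the tells
that separate the malware lines from the legitimate ones."""
import re
from typing import Dict, List

# Windows processes that malware most often names itself after (stems, no .exe).
# Assumed list for illustration; extend it for your own environment.
SYSTEM_BINARIES = ("lsass", "csrss", "winlogon", "svchost", "services",
                   "explorer", "smss", "spoolsv")
# A real system process lives under \Windows; the same name anywhere else is a fake.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# Drive root, %ProgramData% root, or anything under AppData/Temp: user-writable,
# and no ordinary installer registers an autostart image there.
SUSPECT_DIR = re.compile(r"^[a-z]:\\(?:programdata\\)?[^\\]+$|\\(?:appdata|temp)\\", re.I)
# HijackThis:       O4 - HKCU\..\Run: [Lsass Service] C:\...\lsass.exe
HJT_O4 = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix orphans: MSConfigStartUp-gadcom - c:\...\gadcom.exe
CF_ORPHAN = re.compile(r"^(?P<loc>[\w-]+)-(?P<name>.+?) - (?P<cmd>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot one-letter-off names like lssa/lsass."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd: str) -> str:
    """First executable token of a command line, with surrounding quotes removed."""
    m = re.match(r'"?(?P<img>[^"]*?\.(?:exe|dll|com|scr|rom))\b', cmd, re.I)
    return m.group("img") if m else cmd.split()[0]


def assess(loc: str, cmd: str) -> List[str]:
    """Reasons an autostart entry deserves a second look (empty list = nothing seen)."""
    reasons = []
    img = image_path(cmd)
    base = img.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    qualified = "\\" in img          # bare names (lssa.exe) resolve via the search path
    if qualified and SUSPECT_DIR.search(img):
        reasons.append("image lives in a user-writable or temporary location")
    closest = min(SYSTEM_BINARIES, key=lambda s: levenshtein(stem, s))
    dist = levenshtein(stem, closest)
    if dist == 0 and qualified and not WINDOWS_DIR.match(img):
        reasons.append(f"system-process name {base} outside \\Windows")
    elif 0 < dist <= 2:
        reasons.append(f"name {base} is a lookalike of {closest}.exe")
    if "runservices" in loc.lower():
        reasons.append("RunServices is a Windows 9x-era key; nothing legitimate uses it on Vista")
    return reasons


def triage(lines) -> Dict[str, List[str]]:
    """Map entry name -> reasons, for every line that trips at least one heuristic."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        m = HJT_O4.match(line.strip()) or CF_ORPHAN.match(line.strip())
        if not m:
            continue
        reasons = assess(m["loc"], m["cmd"])
        if reasons:
            flagged[m["name"]] = reasons
    return flagged


# Sample input: autostart lines copied from the logs posted in this thread.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\RunServices: [Windows Service Processor] lssa.exe
O4 - HKCU\..\Run: [Lsass Service] C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\lsass.exe
O4 - HKCU\..\Run: [Adobe System Update] C:\Users\Andrew\AppData\Local\Temp\IXP002.TMP\Adobe_Update.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
MSConfigStartUp-Jnskdfmf9eldfd - c:\users\Andrew\AppData\Local\Temp\csrssc.exe
MSConfigStartUp-xsjfn83jkemfofght - c:\users\Andrew\AppData\Local\Temp\winlogin.exe
MSConfigStartUp-Windows Update - c:\windows\system32\Updater.exe
""".strip().splitlines()

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(why)}")
```

Run against the sample, the script flags the same five entries the helper removed or that ComboFix had already orphaned, and leaves avast!, Windows Defender and the LOCAL SERVICE welcome-center entry alone. It deliberately does not catch everything: the orphaned "Windows Update" value pointing at c:\windows\system32\Updater.exe passes every heuristic here, which is why the helper also read the file attributes and timestamps in the ComboFix output (lssa.exe was listed with -r-hs---- attributes, i.e. hidden and system, two days before the first symptoms). Treat a script like this as a first pass that orders the log for a human, not as a verdict.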


#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 January 2009 - 03:38 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



