frmwrk32.exe virus


  • This topic is locked
7 replies to this topic

#1 guskaloudis

guskaloudis

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:15 AM

Posted 28 December 2008 - 01:40 PM

I seem to have downloaded a virus/trojan last week. Each time I reboot I'm unable to open the task manager and am plagued by pop-ups and a red circle in the task bar with a white "X" in the middle. I tried AVG 7.0, Malware Bytes Anti-Malware, Super Anti-Spyware and SDFix (in safe mode). Each time I run the listed programs some type of Trojan is found, but I can't seem to completely eliminate it. When I reboot, I get a message stating the "C:\Windows\Sgeca.dll can't be found"; I'm unable to access the computer's background display properties; the red circle appears in the taskbar (which I can remove by ending the frmwrk32.exe process); and pop-ups appear intermittently.

Please see the DDS text log below...and help if you can

DDS (Version 1.1.0) - NTFSx86
Run by Gus Kaloudis at 12:15:29.82 on Sun 12/28/2008
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.100 [GMT -6:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Gus Kaloudis\Desktop\dds.scr
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uStart Page = hxxp://my.yahoo.com/p/d.html
mDefault_Page_URL = hxxp://yahoo.sbc.com/dsl
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://my.yahoo.com/p/d.html
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;local.,;*.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVGTOOLBAR: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google plugin: {f6e0ef5f-5f03-43f9-8e02-bbaaa95eaa9c} - nods32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVGTOOLBAR: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [Gwomuz] rundll32.exe "c:\windows\Sgeca.dll",e
mRun: [Kgijopakenupiyep] rundll32.exe "c:\windows\afopixohay.dll",e
mRun: [Framework Windows] frmwrk32.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000003}\_SC_Acrobat.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\scansoft\omnipagepro14.0\pdfcnv\IEShellExt.dll /100
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: gyiarp.dll,avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\guskal~1\applic~1\mozilla\firefox\profiles\60ffb722.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsnapfish.dll
FF - HiddenExtension: XUL Cache: {B0B65663-4275-45F3-8970-F6945D9346DD} - c:\documents and settings\gus kaloudis\local settings\application data\{B0B65663-4275-45F3-8970-F6945D9346DD}

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-28 12424]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-28 26184]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-5-28 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-28 282904]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-28 75272]
R2 Maxtor Sync Service;Maxtor Service;"c:\program files\maxtor\sync\SyncServices.exe" [2007-9-28 156976]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2004-4-8 347648]
S0 Winea20;Winea20;c:\windows\system32\drivers\Winea20.sys []
S0 Winyh52;Winyh52;c:\windows\system32\drivers\Winyh52.sys []

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2008-12-28 11:11 <DIR> --d----- c:\program files\common files\Sony Shared
2008-12-28 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kinoma
2008-12-28 10:50 <DIR> --d----- c:\program files\Sony
2008-12-28 10:19 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-28 10:03 111,616 a------- c:\windows\system32\ntdll64.exe
2008-12-28 09:58 12,424 a------- c:\windows\system32\drivers\avgrkx86.sys
2008-12-28 09:58 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-28 09:58 96,520 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-28 09:58 75,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-28 09:58 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-28 09:58 <DIR> --d----- c:\docume~1\guskal~1\applic~1\AVGTOOLBAR
2008-12-28 09:58 <DIR> --d----- c:\program files\AVG
2008-12-28 09:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-26 15:24 <DIR> --d----- c:\documents and settings\gus kaloudis\.housecall6.6
2008-12-26 14:54 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2008-12-26 12:29 1 a------- c:\windows\system32\tb.dr
2008-12-26 12:29 1 a------- c:\windows\system32\cookie1.dat
2008-12-26 12:29 1 a------- c:\windows\system32\bb1.dat
2008-12-25 18:10 2,707 a------- c:\windows\system32\TDSSdxgp.dll
2008-12-25 18:08 112,364 a------- c:\windows\system32\drivers\44135a77.sys
2008-12-25 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2008-12-25 12:34 514 a------- c:\windows\system32\win32hlp.cnf
2008-12-25 12:34 1 a------- c:\windows\system32\uniq.tll
2008-12-25 12:34 1 a------- c:\windows\system32\test.ttt
2008-12-25 12:34 25,088 a------- c:\windows\system32\frmwrk32.exe
2008-12-24 14:31 133,120 a------- c:\windows\afopixohay.dll
2008-12-24 14:15 59,904 a------- c:\windows\system32\drivers\TDSSrfdt.sys
2008-12-24 14:13 15,000 a------- c:\windows\system32\jkse73hedfdgf.dll
2008-12-23 19:33 1 a------- c:\windows\system32\za.dat
2008-12-23 09:40 <DIR> --d----- C:\VundoFix Backups
2008-12-22 12:27 <DIR> --d----- C:\SDFix
2008-12-21 22:14 <DIR> --d----- c:\program files\EmEditor
2008-12-20 23:50 40,960 a------- c:\windows\system32\ssubtmr6.dll
2008-12-20 23:50 36,864 a------- c:\windows\system32\trayicon_handler.ocx
2008-12-20 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2008-12-07 12:37 <DIR> --d----- c:\program files\VideoEdit

==================== Find3M ====================

2008-12-12 11:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 19:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-15 19:00 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-15 19:00 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-15 19:00 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 04:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2007-12-11 10:11 2,235 a------- c:\docume~1\guskal~1\applic~1\SAS7_000.DAT
2007-12-01 12:38 87,608 a------- c:\docume~1\guskal~1\applic~1\inst.exe
2007-12-01 12:38 47,360 a------- c:\docume~1\guskal~1\applic~1\pcouffin.sys
2005-09-17 13:07 34,211,008 a------- c:\documents and settings\gus kaloudis\iTunesSetup.exe
2005-09-17 10:20 823,296 a------- c:\documents and settings\gus kaloudis\winmx353.exe
2005-09-17 09:31 3,221,104 a------- c:\documents and settings\gus kaloudis\msgrplus.exe

============= FINISH: 12:16:28.93 ===============
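As an added triage example (not part of this thread, and not code from the DDS tool), the script below reads a few of the DDS lines from the log above and flags autostart entries a helper would look at first: Run entries given by bare file name, rundll32 launching a DLL from outside system32, every AppInit_DLLs entry, BHOs registered by bare file name, and boot-start (S0) drivers with no file on disk. The regular expressions are my own assumptions about the DDS line formats, and the flagged items are review candidates, not a verdict.

```python
"""Triage a few DDS 'Pseudo HJT Report' / 'SERVICES / DRIVERS' lines.

Added example, not part of the thread or of the DDS tool.  The line
formats matched below are assumptions based on the log posted above.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line: str    # the DDS line that triggered the finding
    reason: str  # why it deserves a closer look


# Constructed excerpt: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google plugin: {f6e0ef5f-5f03-43f9-8e02-bbaaa95eaa9c} - nods32.dll
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [Gwomuz] rundll32.exe "c:\windows\Sgeca.dll",e
mRun: [Kgijopakenupiyep] rundll32.exe "c:\windows\afopixohay.dll",e
mRun: [Framework Windows] frmwrk32.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
AppInit_DLLs: gyiarp.dll,avgrsstx.dll
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 96520]
S0 Winea20;Winea20;c:\windows\system32\drivers\Winea20.sys []
S0 Winyh52;Winyh52;c:\windows\system32\drivers\Winyh52.sys []
"""

# Assumed DDS line shapes (derived from the log above, not from DDS docs).
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
BHO_RE = re.compile(r'^BHO: (?P<desc>.*): \{(?P<clsid>[0-9a-f-]+)\} - (?P<path>.*)$', re.I)
APPINIT_RE = re.compile(r'^AppInit_DLLs: (?P<dlls>.*)$')
DRV_RE = re.compile(r'^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*) \[(?P<stamp>[^\]]*)\]$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)

SYSTEM32 = 'c:\\windows\\system32\\'


def has_directory(path: str) -> bool:
    """A bare file name (no backslash) is resolved via the search path at logon."""
    return '\\' in path.strip('"')


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ''


def triage_line(line: str) -> List[Finding]:
    """Return zero or more findings for one DDS line."""
    findings: List[Finding] = []
    m = RUN_RE.match(line)
    if m:
        cmd = m.group('cmd')
        r = RUNDLL_RE.match(cmd.strip())
        if r:
            dll = r.group('dll')
            if not dll.lower().startswith(SYSTEM32):
                findings.append(Finding(line, 'rundll32 loads a DLL from outside system32: ' + dll))
        elif not has_directory(first_token(cmd)):
            findings.append(Finding(line, 'autostart by bare file name (no directory)'))
        return findings
    m = BHO_RE.match(line)
    if m:
        if not has_directory(m.group('path')):
            findings.append(Finding(line, 'BHO registered by bare file name'))
        return findings
    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs are mapped into every process that loads user32.dll,
        # so each entry is worth verifying, legitimate AV hooks included.
        for dll in filter(None, (d.strip() for d in m.group('dlls').split(','))):
            findings.append(Finding(line, 'AppInit_DLLs entry, verify publisher: ' + dll))
        return findings
    m = DRV_RE.match(line)
    if m and m.group('start') == 'S0' and not m.group('stamp'):
        findings.append(Finding(line, 'boot-start driver with no file/timestamp on disk'))
    return findings


def triage(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a DDS log excerpt."""
    out: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            out.extend(triage_line(line))
    return out


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
```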


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:03:15 PM

Posted 05 January 2009 - 08:41 AM

Hello Guskaloudis and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 guskaloudis

guskaloudis
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:15 AM

Posted 05 January 2009 - 04:05 PM

Hi Thunder and thanks for your help.

Below are my GooredLog and ComboFix Log as requested...

GOORED LOG:

GooredFix v1.71 by jpshortstuff
Log created at 14:25 on 05/01/2009 running Option #2 (Gus Kaloudis)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B0B65663-4275-45F3-8970-F6945D9346DD}"="C:\Documents and Settings\Gus Kaloudis\Local Settings\Application Data\{B0B65663-4275-45F3-8970-F6945D9346DD}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Gus Kaloudis\Local Settings\Application Data\{B0B65663-4275-45F3-8970-F6945D9346DD}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"


COMBOFIX LOG:

ComboFix 09-01-05.02 - Gus Kaloudis 2009-01-05 14:42:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.230 [GMT -6:00]
Running from: c:\documents and settings\Gus Kaloudis\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\Gus Kaloudis\Application Data\inst.exe
c:\documents and settings\Gus Kaloudis\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\IE4 Error Log.txt
c:\windows\system32\bb1.dat
c:\windows\system32\cookie1.dat
c:\windows\system32\tb.dr
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WASFSD


((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 11:57 . 2009-01-04 11:57 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-28 11:11 . 2008-12-28 11:11 <DIR> d-------- c:\program files\Common Files\Sony Shared
2008-12-28 10:50 . 2008-12-28 10:56 <DIR> d-------- c:\program files\Sony
2008-12-28 10:50 . 2008-12-28 10:50 <DIR> d-------- c:\program files\DIFX
2008-12-28 10:50 . 2008-12-28 10:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\kinoma
2008-12-28 10:19 . 2009-01-04 18:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-28 09:58 . 2009-01-05 07:27 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-28 09:58 . 2008-12-28 09:58 <DIR> d-------- c:\program files\AVG
2008-12-28 09:58 . 2008-12-28 10:08 <DIR> d-------- c:\documents and settings\Gus Kaloudis\Application Data\AVGTOOLBAR
2008-12-28 09:58 . 2008-12-28 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 09:58 . 2008-12-30 08:50 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-28 09:58 . 2008-12-30 08:50 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-28 09:58 . 2008-12-30 08:50 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-28 09:58 . 2008-12-30 08:50 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-26 15:24 . 2008-12-26 21:58 <DIR> d-------- c:\documents and settings\Gus Kaloudis\.housecall6.6
2008-12-26 14:54 . 2008-12-26 14:54 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-25 18:10 . 2008-12-25 18:10 2,707 --a------ c:\windows\system32\TDSSdxgp.dll
2008-12-24 14:31 . 2008-12-24 14:31 133,120 --a------ c:\windows\afopixohay.dll
2008-12-23 19:33 . 2008-12-23 19:33 1 --a------ c:\windows\system32\za.dat
2008-12-23 09:40 . 2008-12-23 09:40 <DIR> d-------- C:\VundoFix Backups
2008-12-22 12:27 . 2008-12-26 14:54 <DIR> d-------- C:\SDFix
2008-12-21 22:14 . 2008-12-21 22:14 <DIR> d-------- c:\program files\EmEditor
2008-12-20 23:50 . 2003-01-26 13:41 40,960 --a------ c:\windows\system32\ssubtmr6.dll
2008-12-20 23:50 . 2007-08-31 18:36 36,864 --a------ c:\windows\system32\trayicon_handler.ocx
2008-12-20 23:16 . 2008-12-20 23:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-12-07 12:37 . 2008-12-07 12:37 <DIR> d-------- c:\program files\VideoEdit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 07:40 --------- d-----w c:\program files\eMule
2009-01-04 17:53 --------- d-----w c:\program files\Common Files\Adobe
2008-12-29 11:27 --------- d-----w c:\program files\GameSpy Arcade
2008-12-28 16:19 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-27 02:05 --------- d-----w c:\program files\LimeWire
2008-12-27 02:05 --------- d-----w c:\program files\Incomplete
2008-12-26 23:56 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-22 02:50 --------- d-----w c:\program files\vso
2008-12-22 02:49 --------- d-----w c:\documents and settings\Gus Kaloudis\Application Data\Vso
2008-12-20 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-28 18:15 --------- d-----w c:\documents and settings\Gus Kaloudis\Application Data\Roxio
2008-11-28 04:47 --------- d-----w c:\program files\iTunes
2008-11-28 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 04:46 --------- d-----w c:\program files\iPod
2008-11-28 04:46 --------- d-----w c:\program files\Common Files\Apple
2008-11-28 04:44 --------- d-----w c:\program files\QuickTime
2008-11-27 16:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 23:36 --------- d-----w c:\documents and settings\Gus Kaloudis\Application Data\LimeWire
2008-11-19 20:58 --------- d-----w c:\program files\Shareaza
2007-12-11 16:11 2,235 ----a-w c:\documents and settings\Gus Kaloudis\Application Data\SAS7_000.DAT
2007-12-01 18:38 47,360 ----a-w c:\documents and settings\Gus Kaloudis\Application Data\pcouffin.sys
2005-09-17 19:07 34,211,008 ----a-w c:\documents and settings\Gus Kaloudis\iTunesSetup.exe
2005-09-17 16:20 823,296 ----a-w c:\documents and settings\Gus Kaloudis\winmx353.exe
2005-09-17 15:31 3,221,104 ----a-w c:\documents and settings\Gus Kaloudis\msgrplus.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-04-13 290905]
"Kgijopakenupiyep"="c:\windows\afopixohay.dll" [2008-12-24 133120]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-30 1261336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-01-04 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-28 10:18 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gyiarp.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winea20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyh52.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
--a------ 2006-07-14 14:36 107008 c:\program files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2006-08-10 15:42 183367 c:\program files\Plaxo\2.11.0.48\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
--a------ 2004-04-13 19:45 290905 c:\windows\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
--a------ 2007-03-18 09:39 7517752 c:\program files\VoipBuster.com\VoipBuster\voipbuster.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"VoipBuster"="c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe"
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe"
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DataLayer"=c:\program files\Common Files\PCSuite\DataLayer\DataLayer.exe
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Opware14"="c:\program files\ScanSoft\OmniPagePro14.0\Opware14.exe"
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"<NO NAME>"=
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"KernelFaultCheck"=c:\windows\system32\dumprep 0 -k
"OpScheduler"="c:\program files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
"P17Helper"=Rundll32 P17.dll,P17Helper
"PDF Converter Registry Controller"="c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SSPrnAgent"=c:\program files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"UpdReg"=c:\windows\UpdReg.EXE
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Motive SmartBridge"=c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
"dvd43"=c:\program files\dvd43\dvd43_tray.exe
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
"WorkFlowTray"="c:\program files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24654:UDP"= 24654:UDP:Enfocus Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-28 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-28 90632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-28 55024]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2004-04-08 347648]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-30 231704]
S0 Winea20;Winea20;c:\windows\system32\Drivers\Winea20.sys --> c:\windows\system32\Drivers\Winea20.sys [?]
S0 Winyh52;Winyh52;c:\windows\system32\Drivers\Winyh52.sys --> c:\windows\system32\Drivers\Winyh52.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2009-01-02 c:\windows\Tasks\1-Klick-Wartung.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-04-20 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 13:01]

2009-01-05 c:\windows\Tasks\pjkgtpvu.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C} - nods32.dll
HKLM-Run-Gwomuz - c:\windows\Sgeca.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/p/d.html
mStart Page = hxxp://my.yahoo.com/p/d.html
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;local.,;*.local
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Gus Kaloudis\Application Data\Mozilla\Firefox\Profiles\60ffb722.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 14:49:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-01-05 14:53:55 - machine was rebooted [Gus Kaloudis]
ComboFix-quarantined-files.txt 2009-01-05 20:53:52

Pre-Run: 61,606,039,552 bytes free
Post-Run: 62,504,284,160 bytes free

302 --- E O F --- 2008-12-19 00:40:49

#4 Thunder


Posted 05 January 2009 - 04:58 PM

Hello Guskaloudis,

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
c:\windows\system32\TDSSdxgp.dll
c:\windows\afopixohay.dll
c:\windows\system32\za.dat
File::
c:\windows\Tasks\pjkgtpvu.job
Driver::
Winea20
Winyh52
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kgijopakenupiyep"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winea20.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyh52.sys]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

ComboFix has generated a zipped file at C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=9:
In the C:\Qoobox\ folder, you'll find the CF-Submit.htm file; double click it (opens a browser window) and
click OK to open the upload page,
copy the path description (printed in bold) on this page, and paste it in the search field.
Click Send File.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
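As an added example (not ComboFix's own tooling and not code from anyone in this thread), a small Python triage script that applies the two signals the helper acted on above: boot-start drivers whose file ComboFix reports as `[?]`, and a scheduled task that launches a bare rundll32.exe. The sample lines are copied from the log earlier in the thread; the heuristics and the File::/Driver::/Registry:: layout it emits are assumptions modelled on the CFScript posted above, and its output is a draft for a human to review, not something to run blindly.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: service and Scheduled Tasks lines copied from the
# DDS/ComboFix log earlier in this thread (two benign entries kept as controls).
SAMPLE_LOG = r"""
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-28 90632]
S0 Winea20;Winea20;c:\windows\system32\Drivers\Winea20.sys --> c:\windows\system32\Drivers\Winea20.sys [?]
S0 Winyh52;Winyh52;c:\windows\system32\Drivers\Winyh52.sys --> c:\windows\system32\Drivers\Winyh52.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-05 c:\windows\Tasks\pjkgtpvu.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
"""

# Service line: "R1 Name;Display name;image path [date size]"  or  "... --> image path [?]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# Task header "YYYY-MM-DD c:\windows\Tasks\name.job", followed by "- target [date]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(c:\\windows\\Tasks\\.+\.job)$", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^-\s+(.+?)\s*\[.*\]$")
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"


@dataclass
class Service:
    state: str          # R = running, S = stopped
    start: int          # 0 boot, 1 system, 2 automatic, 3 on demand, 4 disabled
    name: str
    display: str
    image: str
    file_missing: bool  # ComboFix printed "[?]" instead of "[date size]"


def parse_services(text: str) -> List[Service]:
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        # The part before " --> " is the registered image path; drop the trailing "[...]".
        image = re.sub(r"\s*\[[^\]]*\]$", "", rest.split(" --> ")[0]).strip()
        services.append(Service(state, int(start), name, display, image,
                                rest.rstrip().endswith("[?]")))
    return services


def parse_tasks(text: str) -> List[Tuple[str, str]]:
    """Return (job path, target executable) pairs from the Scheduled Tasks section."""
    lines = [l.strip() for l in text.splitlines()]
    tasks = []
    for i, line in enumerate(lines[:-1]):
        m = TASK_RE.match(line)
        if not m:
            continue
        t = TASK_TARGET_RE.match(lines[i + 1])
        tasks.append((m.group(1), t.group(1) if t else ""))
    return tasks


def triage(text: str) -> Dict[str, list]:
    """Heuristics (assumptions of this example, not ComboFix rules): a boot- or
    system-start driver whose file ComboFix cannot find, and a .job whose target
    is bare rundll32.exe, are flagged for review."""
    missing = [s for s in parse_services(text) if s.file_missing and s.start <= 1]
    jobs = [job for job, target in parse_tasks(text)
            if target.lower().endswith("\\rundll32.exe")]
    return {"missing_drivers": missing, "suspicious_tasks": jobs}


def build_cfscript(findings: Dict[str, list]) -> str:
    """Emit File::/Driver::/Registry:: sections in the layout of the script above.
    The result is a draft for a human helper to check before it goes near ComboFix."""
    out = []
    if findings["suspicious_tasks"]:
        out.append("File::")
        out.extend(findings["suspicious_tasks"])
    if findings["missing_drivers"]:
        out.append("Driver::")
        out.extend(s.name for s in findings["missing_drivers"])
        out.append("Registry::")
        for s in findings["missing_drivers"]:
            # The SafeBoot\Minimal entry is keyed by the driver file name, e.g. Winea20.sys
            base = s.image.rsplit("\\", 1)[-1]
            out.append(f"[-{SAFEBOOT_KEY}\\{base}]")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)), end="")
```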

#5 guskaloudis


Posted 05 January 2009 - 06:32 PM

Thank you Thunder, I'm not having any more problems.

I looked in the C:\Qoobox\ folder but didn't find a file named "CF-Submit.htm".

Below are the logs you requested... and thank you again!

ComboFix 09-01-05.03 - Gus Kaloudis 2009-01-05 17:04:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.183 [GMT -6:00]
Running from: c:\documents and settings\Gus Kaloudis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gus Kaloudis\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Tasks\pjkgtpvu.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\afopixohay.dll
c:\windows\system32\TDSSdxgp.dll
c:\windows\system32\za.dat
c:\windows\Tasks\pjkgtpvu.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINYH52
-------\Service_Winea20
-------\Service_Winyh52


((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 11:57 . 2009-01-04 11:57 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-28 11:11 . 2008-12-28 11:11 <DIR> d-------- c:\program files\Common Files\Sony Shared
2008-12-28 10:50 . 2008-12-28 10:56 <DIR> d-------- c:\program files\Sony
2008-12-28 10:50 . 2008-12-28 10:50 <DIR> d-------- c:\program files\DIFX
2008-12-28 10:50 . 2008-12-28 10:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\kinoma
2008-12-28 10:19 . 2009-01-04 18:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-28 09:58 . 2009-01-05 07:27 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-28 09:58 . 2008-12-28 09:58 <DIR> d-------- c:\program files\AVG
2008-12-28 09:58 . 2008-12-28 10:08 <DIR> d-------- c:\documents and settings\Gus Kaloudis\Application Data\AVGTOOLBAR
2008-12-28 09:58 . 2008-12-28 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 09:58 . 2008-12-30 08:50 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-28 09:58 . 2008-12-30 08:50 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-28 09:58 . 2008-12-30 08:50 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-28 09:58 . 2008-12-30 08:50 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-26 15:24 . 2008-12-26 21:58 <DIR> d-------- c:\documents and settings\Gus Kaloudis\.housecall6.6
2008-12-26 14:54 . 2008-12-26 14:54 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-23 09:40 . 2008-12-23 09:40 <DIR> d-------- C:\VundoFix Backups
2008-12-22 12:27 . 2008-12-26 14:54 <DIR> d-------- C:\SDFix
2008-12-21 22:14 . 2008-12-21 22:14 <DIR> d-------- c:\program files\EmEditor
2008-12-20 23:50 . 2003-01-26 13:41 40,960 --a------ c:\windows\system32\ssubtmr6.dll
2008-12-20 23:50 . 2007-08-31 18:36 36,864 --a------ c:\windows\system32\trayicon_handler.ocx
2008-12-20 23:16 . 2008-12-20 23:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-12-07 12:37 . 2008-12-07 12:37 <DIR> d-------- c:\program files\VideoEdit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 07:40 --------- d-----w c:\program files\eMule
2009-01-04 17:53 --------- d-----w c:\program files\Common Files\Adobe
2008-12-29 11:27 --------- d-----w c:\program files\GameSpy Arcade
2008-12-28 16:19 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-27 02:05 --------- d-----w c:\program files\LimeWire
2008-12-27 02:05 --------- d-----w c:\program files\Incomplete
2008-12-26 23:56 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-22 02:50 --------- d-----w c:\program files\vso
2008-12-22 02:49 --------- d-----w c:\documents and settings\Gus Kaloudis\Application Data\Vso
2008-12-20 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-28 18:15 --------- d-----w c:\documents and settings\Gus Kaloudis\Application Data\Roxio
2008-11-28 04:47 --------- d-----w c:\program files\iTunes
2008-11-28 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 04:46 --------- d-----w c:\program files\iPod
2008-11-28 04:46 --------- d-----w c:\program files\Common Files\Apple
2008-11-28 04:44 --------- d-----w c:\program files\QuickTime
2008-11-27 16:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 23:36 --------- d-----w c:\documents and settings\Gus Kaloudis\Application Data\LimeWire
2008-11-19 20:58 --------- d-----w c:\program files\Shareaza
2007-12-11 16:11 2,235 ----a-w c:\documents and settings\Gus Kaloudis\Application Data\SAS7_000.DAT
2007-12-01 18:38 47,360 ----a-w c:\documents and settings\Gus Kaloudis\Application Data\pcouffin.sys
2005-09-17 19:07 34,211,008 ----a-w c:\documents and settings\Gus Kaloudis\iTunesSetup.exe
2005-09-17 16:20 823,296 ----a-w c:\documents and settings\Gus Kaloudis\winmx353.exe
2005-09-17 15:31 3,221,104 ----a-w c:\documents and settings\Gus Kaloudis\msgrplus.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-04-13 290905]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-30 1261336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-01-04 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-28 10:18 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
--a------ 2006-07-14 14:36 107008 c:\program files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2006-08-10 15:42 183367 c:\program files\Plaxo\2.11.0.48\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
--a------ 2004-04-13 19:45 290905 c:\windows\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
--a------ 2007-03-18 09:39 7517752 c:\program files\VoipBuster.com\VoipBuster\voipbuster.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"VoipBuster"="c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe"
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe"
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DataLayer"=c:\program files\Common Files\PCSuite\DataLayer\DataLayer.exe
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Opware14"="c:\program files\ScanSoft\OmniPagePro14.0\Opware14.exe"
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"<NO NAME>"=
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"KernelFaultCheck"=c:\windows\system32\dumprep 0 -k
"OpScheduler"="c:\program files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
"P17Helper"=Rundll32 P17.dll,P17Helper
"PDF Converter Registry Controller"="c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SSPrnAgent"=c:\program files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"UpdReg"=c:\windows\UpdReg.EXE
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Motive SmartBridge"=c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
"dvd43"=c:\program files\dvd43\dvd43_tray.exe
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
"WorkFlowTray"="c:\program files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24654:UDP"= 24654:UDP:Enfocus Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-28 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-28 90632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-28 55024]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2004-04-08 347648]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-30 231704]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2009-01-02 c:\windows\Tasks\1-Klick-Wartung.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-04-20 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 13:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/p/d.html
mStart Page = hxxp://my.yahoo.com/p/d.html
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;local.,;*.local
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Gus Kaloudis\Application Data\Mozilla\Firefox\Profiles\60ffb722.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 17:12:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-01-05 17:17:05 - machine was rebooted [Gus Kaloudis]
ComboFix-quarantined-files.txt 2009-01-05 23:17:02
ComboFix2.txt 2009-01-05 20:53:56

Pre-Run: 63,164,825,600 bytes free
Post-Run: 63,104,020,480 bytes free

288 --- E O F --- 2008-12-19 00:40:49


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:38 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;local.,;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126963362375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157033858078
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 11533 bytes

#6 Thunder

Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 06 January 2009 - 04:23 AM

Hello Guskaloudis,

Your logs look better now. :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if still present:
O24 - Desktop Component 0: Privacy Protection - (no file)
Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the Download button to the right of Java SE Runtime Environment (JRE) 6 Update 11 (first option).
  • Select your Platform (Windows version) and check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement.
  • Click "Continue" and the page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
No more issues?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
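As an added example (not code from this thread, nor from the HijackThis or BleepingComputer projects), the Python script below shows how the two review points in the post above can be automated in a small log triage helper: it reads HijackThis-style lines, flags entries whose target is "(no file)" as Fix Checked candidates, marks AppInit_DLLs and unknown-owner service entries for a publisher check, and compares the JRE directory referenced by the Java browser helper object against the 6 Update 11 release recommended in the post. The sample lines are constructed for the example and modelled on the entry formats in the log above; the function names and the wording of the review reasons are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not the poster's full log), modelled on the
# HijackThis entry formats seen in this thread.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# JRE release the thread recommends installing: 6 Update 11 -> (major, minor, update).
RECOMMENDED_JRE: Tuple[int, int, int] = (6, 0, 11)

# Matches a Java 5-8 style install directory such as "\jre1.5.0_06\".
JRE_DIR_RE = re.compile(r"\\jre1\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)


def parse_jre_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, update) for a path containing a jre1.X.Y_ZZ directory.

    Sun's release naming drops the leading "1.": jre1.5.0_06 is "JRE 5 Update 6",
    so 1.5.0_06 -> (5, 0, 6) and 1.6.0_11 -> (6, 0, 11).  None if no JRE dir is found.
    """
    m = JRE_DIR_RE.search(path)
    if not m:
        return None
    major, minor, update = (int(g) for g in m.groups())
    return (major, minor, update)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk HijackThis-style lines and collect entries a reviewer should look at.

    Each finding is {"line": <original line>, "reason": <why it was flagged>}.
    A flag is a prompt to verify the entry, not a verdict that it is malicious.
    """
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # e.g. "O24"

        # Entry whose target no longer exists: a leftover that can be removed
        # safely (the "Fix Checked" step in the post covers exactly this case).
        if line.endswith("(no file)"):
            findings.append({"line": line,
                             "reason": "target file missing; stale entry, Fix Checked candidate"})

        # AppInit_DLLs are loaded into every process that links user32.dll, so
        # the DLL should be traceable to installed software (here AVG).
        if section == "O20" and "AppInit_DLLs" in line:
            findings.append({"line": line,
                             "reason": "AppInit_DLLs entry; confirm the DLL belongs to known software"})

        # A service binary with no company string deserves a publisher check.
        if section == "O23" and "Unknown owner" in line:
            findings.append({"line": line,
                             "reason": "service without vendor string; verify the binary's publisher"})

        # Browser helper objects that point into a JRE directory reveal the
        # installed Java version; compare it with the recommended release.
        if section == "O2":
            ver = parse_jre_version(line)
            if ver is not None and ver < RECOMMENDED_JRE:
                findings.append({"line": line,
                                 "reason": f"JRE {ver[0]}u{ver[2]} installed; older than recommended "
                                           f"{RECOMMENDED_JRE[0]}u{RECOMMENDED_JRE[2]}"})
    return findings


def fix_checked_candidates(findings: List[Dict[str, str]]) -> List[str]:
    """Only the '(no file)' entries are safe to tick without further checks."""
    return [f["line"] for f in findings if f["line"].endswith("(no file)")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run against the sample, the script reports four items: the JRE 5 Update 6 helper as older than 6 Update 11, the AVG AppInit_DLLs entry and the ATI service for a publisher check, and the Privacy Protection desktop component as the one Fix Checked candidate. Both of the middle two also appear in the log above and were left in place by the helper, which is why the script phrases them as prompts to verify rather than as detections.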

#7 guskaloudis

guskaloudis
  • Topic Starter
  • Members
  • 4 posts

Posted 06 January 2009 - 09:53 AM

Your directions have been outstanding!
No problems seem to exist...


Thanks again and have a great year!

#8 Thunder

Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 06 January 2009 - 10:07 AM

Glad we could help, Guskaloudis :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.