
Please Check Logs to Find out if I am clean


  • This topic is locked
9 replies to this topic

#1 lauraj

  • Members
  • 7 posts

Posted 02 January 2009 - 10:58 PM

I went to a website accidentally that infected me with lots of malware. From what I can tell, I had Vundo, Spyware Guard 2008 and some other things. I have run malwarebytes, SUPERAntiSpyware, and SpyBot Search and Destroy. The computer is running better now and I would like to make sure I have gotten everything off that I need to. I would really appreciate it if somebody could take a look at my logs and let me know if I am clean. Thanks so much.

Laura

DDS (Version 1.1.0) - NTFSx86
Run by Jones Boys at 21:47:36.51 on Fri 01/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.573 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Documents and Settings\Jones Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\Documents and Settings\Jones Boys\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jones Boys\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jones Boys\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://jonesboys/
uSearch Bar = hxxp://www.google.com/hws/sb/dell/en/side.html
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [SansaDispatch] c:\documents and settings\jones boys\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [Google Update] "c:\documents and settings\jones boys\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\jonesb~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: hgGArOHW - hgGArOHW.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: uohtzv.dll onjbwf.dll fgevrr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnnommK

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonesb~1\applic~1\mozilla\firefox\profiles\5ylicmf4.default\
FF - prefs.js: browser.startup.homepage - hxxp://jonesboys/
FF - plugin: c:\documents and settings\jones boys\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2007-11-14 6097]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-22 55024]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\jonesb~1\locals~1\temp\DMSKSSRh.sys []
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2007-11-14 299923]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\microsoft sql server\100\shared\SQLADHLP.EXE" [2008-8-15 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 [2005-9-23 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE" -i SQLEXPRESS [2008-8-15 369688]

=============== Created Last 30 ================

2009-01-02 10:10 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-02 10:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-02 08:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-31 08:29 <DIR> --d----- c:\docume~1\jonesb~1\applic~1\Malwarebytes
2008-12-30 23:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-30 23:35 <DIR> --d----- c:\docume~1\jonesb~1\applic~1\SUPERAntiSpyware.com
2008-12-30 23:02 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-30 22:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 22:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 20:58 812,344 a------- C:\bob.exe
2008-12-30 16:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 16:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-23 21:06 719,872 a------- c:\windows\system32\devil.dll
2008-12-23 21:06 318,976 a------- c:\windows\system32\avisynth.dll
2008-12-23 21:05 <DIR> --d----- c:\program files\eRightSoft
2008-12-22 13:03 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-22 13:03 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 13:02 <DIR> --d----- c:\program files\iPod
2008-12-22 13:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 13:02 <DIR> --d----- c:\program files\iTunes
2008-12-22 13:02 <DIR> --d----- c:\program files\Bonjour
2008-12-22 09:48 <DIR> --d----- c:\program files\MP3Gain
2008-12-21 21:49 <DIR> --d----- c:\program files\Amazon
2008-12-20 17:36 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-20 13:43 <DIR> --d----- c:\documents and settings\jones boys\.gimp-2.6
2008-12-20 13:43 <DIR> --d----- c:\documents and settings\jones boys\.gegl-0.0
2008-12-20 13:43 <DIR> --d----- c:\program files\GIMP-2.0
2008-12-15 11:27 1,172 a------- c:\windows\mozver.dat
2008-12-13 21:07 <DIR> --d----- c:\docume~1\jonesb~1\applic~1\SanDisk
2008-12-13 20:38 <DIR> --d----- c:\program files\VideoLAN
2008-12-13 16:39 1,645,320 a------- c:\windows\system32\gdiplus.dll
2008-12-13 16:39 <DIR> --d----- c:\program files\SanDisk
2008-12-09 15:29 <DIR> --d----- c:\program files\common files\Merge Modules
2008-12-09 14:00 79,896 a------- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2008-12-09 13:57 <DIR> --d----- c:\windows\system32\RsFx
2008-12-09 13:08 <DIR> --d----- c:\program files\Support Tools
2008-12-05 13:20 <DIR> --d----- c:\program files\AviSynth 2.5
2008-12-05 13:17 <DIR> --d----- c:\program files\Haali
2008-12-05 11:43 413,696 a------- c:\windows\FLVSplitter.ax
2008-12-05 11:43 <DIR> --d----- C:\Temp
2008-12-04 13:21 <DIR> --d----- c:\docume~1\jonesb~1\applic~1\NeroDigital™
2008-12-04 13:15 69 a------- c:\windows\NeroDigital.ini
2008-12-04 12:50 39 a------- c:\windows\Irremote.ini
2008-12-04 12:30 <DIR> --d----- c:\program files\Nero
2008-12-04 12:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero

==================== Find3M ====================

2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-29 15:00 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-11 09:23 88,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-06-06 20:35 251 a------- c:\program files\wt3d.ini
2006-05-03 03:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 04:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 06:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 21:48:28.01 ===============
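The load points a malware-removal helper reads first in a DDS log like the one above are the Winlogon Notify packages, AppInit_DLLs, the LSA authentication packages, drivers that load from a Temp directory, and the firewall state. The script below is an illustration added here, not a tool from this thread or from the DDS or ComboFix authors; the `Finding`, `looks_random` and `triage` names are my own, the sample lines are constructed copies of entries from the log above, and the name heuristic is deliberately crude (it is a prompt for a human reviewer, not a verdict):

```python
"""Heuristic triage of DDS-style load-point lines (added illustration)."""
import re
from dataclasses import dataclass

# Constructed sample: DDS 'Pseudo HJT' and 'SERVICES / DRIVERS' lines taken
# from the log posted above, plus two known-good vendor entries.
SAMPLE_LINES = [
    "Notify: !SASWinLogon - c:\\program files\\superantispyware\\SASWINLO.dll",
    "Notify: AtiExtEvent - Ati2evxx.dll",
    "Notify: hgGArOHW - hgGArOHW.dll",
    "Notify: IntelWireless - c:\\program files\\intel\\wireless\\bin\\LgNotify.dll",
    "AppInit_DLLs: uohtzv.dll onjbwf.dll fgevrr.dll",
    "LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\opnnommK",
    "S3 DMSKSSRh;DMSKSSRh;\\??\\c:\\docume~1\\jonesb~1\\locals~1\\temp\\DMSKSSRh.sys []",
    "R0 sonyhcb;Sony Digital Imaging Base;c:\\windows\\system32\\drivers\\sonyhcb.sys [2007-11-14 6097]",
    "mRun: [Apoint] c:\\program files\\apoint\\Apoint.exe",
    '"EnableFirewall"= 0 (0x0)',
]


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id
    item: str    # the entry that triggered the rule
    reason: str  # why a reviewer would look at it


VOWELS = set("aeiouAEIOU")
DEFAULT_LSA_PACKAGES = {"msv1_0"}  # the only authentication package on a default XP install


def looks_random(filename: str) -> bool:
    """Flag names such as 'hgGArOHW' or 'onjbwf': long, nearly vowel-free, or with
    repeated lower->upper case jumps. Heuristic only; vendor names such as
    'LgNotify' or 'Ati2evxx' must pass."""
    stem = re.sub(r"\.(dll|sys|exe)$", "", filename, flags=re.IGNORECASE)
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    jumps = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() and b.isupper())
    return vowel_ratio < 0.2 or jumps >= 2


def triage(lines):
    """Return the Findings for a list of DDS 'Pseudo HJT' / services lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Empty on a default install; every DLL listed is loaded into each GUI process.
            for dll in line.split(":", 1)[1].replace(",", " ").split():
                findings.append(Finding("appinit", dll,
                    "AppInit_DLLs is empty by default; this DLL is injected into every GUI process"))
        elif line.startswith("Notify:"):
            _, _, dll = line[len("Notify:"):].partition(" - ")
            dll = dll.strip()
            if looks_random(dll.rsplit("\\", 1)[-1]):
                findings.append(Finding("winlogon_notify", dll,
                    "Winlogon Notify package with a random-looking DLL name"))
        elif line.startswith("LSA: Authentication Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding("lsa_auth_package", pkg,
                        "extra LSA authentication package; only msv1_0 is expected"))
        elif re.match(r"^[RS]\d ", line):
            # Format: 'S3 name;display name;image path [date size]'
            parts = line.split(";", 2)
            if len(parts) == 3:
                image = parts[2]
                if "\\temp\\" in image.lower():
                    findings.append(Finding("driver_in_temp", parts[0],
                        "kernel driver registered from a Temp directory"))
                if image.endswith("[]"):
                    findings.append(Finding("driver_file_missing", parts[0],
                        "no date/size recorded by DDS; the file is probably gone"))
        elif re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            findings.append(Finding("firewall_disabled", "EnableFirewall",
                "Windows Firewall standard profile is turned off"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.item}: {f.reason}")
```

Run over the constructed sample, the script flags the three AppInit DLLs, the `hgGArOHW.dll` Notify package (which ComboFix later reports as an orphan it removed), the extra LSA package, the `DMSKSSRh` driver in Temp, and the disabled firewall, while the SUPERAntiSpyware, ATI and Intel entries pass; a reviewer still has to confirm each hit by hand.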


#2 lusitano

    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 09 January 2009 - 08:11 AM

Hi,

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click the ComboFix icon on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lauraj

  • Topic Starter
  • Members
  • 7 posts

Posted 09 January 2009 - 02:41 PM

Thanks so much for responding. We have run ComboFix. Here is the log.

ComboFix 09-01-08.05 - Jones Boys 2009-01-09 13:28:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.720 [GMT -6:00]
Running from: c:\documents and settings\Jones Boys\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jones Boys\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\IE4 Error Log.txt
c:\windows\system32\bszip.dll
c:\windows\system32\Cache
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\CPV.stt
c:\windows\system32\divx.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-09 12:01 . 2009-01-09 12:01 <DIR> d-------- c:\program files\Western Digital Technologies
2009-01-09 12:00 . 2009-01-09 12:02 <DIR> d-------- c:\program files\Western Digital
2009-01-09 12:00 . 2007-10-01 15:17 11,520 --a------ c:\windows\system32\drivers\wdcsam.sys
2009-01-09 11:59 . 2008-04-13 13:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-01-09 11:59 . 2008-04-13 13:40 43,904 --a------ c:\windows\system32\dllcache\sbp2port.sys
2009-01-09 11:46 . 2009-01-09 11:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 11:32 . 2009-01-09 11:32 <DIR> d-------- C:\xpsp2
2009-01-09 11:31 . 2009-01-09 11:31 <DIR> d-------- C:\XPCD
2009-01-09 10:46 . 2009-01-09 10:46 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\AVGTOOLBAR
2009-01-02 10:10 . 2009-01-09 11:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 10:10 . 2009-01-09 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 08:25 . 2009-01-02 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-31 08:29 . 2008-12-31 08:29 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\Malwarebytes
2008-12-30 23:35 . 2009-01-09 11:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-30 23:35 . 2009-01-09 11:51 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\SUPERAntiSpyware.com
2008-12-30 20:58 . 2008-12-30 20:58 812,344 --a------ C:\bob.exe
2008-12-30 16:20 . 2008-12-30 16:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 09:51 . 2008-12-30 09:51 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\Amazon
2008-12-27 15:35 . 2008-12-27 16:01 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\U3
2008-12-23 21:06 . 2004-02-22 10:11 719,872 --a------ c:\windows\system32\devil.dll
2008-12-23 21:06 . 2007-05-17 17:30 318,976 --a------ c:\windows\system32\avisynth.dll
2008-12-23 21:05 . 2008-12-23 21:05 <DIR> d-------- c:\program files\eRightSoft
2008-12-22 13:03 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-22 13:03 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 13:02 . 2008-12-22 13:03 <DIR> d-------- c:\program files\iTunes
2008-12-22 13:02 . 2008-12-22 13:02 <DIR> d-------- c:\program files\iPod
2008-12-22 13:02 . 2008-12-22 13:02 <DIR> d-------- c:\program files\Bonjour
2008-12-22 13:02 . 2008-12-22 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 13:01 . 2008-12-22 13:01 <DIR> d-------- c:\program files\QuickTime
2008-12-22 12:59 . 2009-01-09 12:00 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-22 12:58 . 2008-12-22 13:02 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-22 09:48 . 2008-12-22 09:51 <DIR> d-------- c:\program files\MP3Gain
2008-12-21 21:49 . 2008-12-30 09:49 <DIR> d-------- c:\program files\Amazon
2008-12-20 17:36 . 2008-12-20 17:35 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-20 13:47 . 2008-12-20 13:47 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\gtk-2.0
2008-12-20 13:43 . 2008-12-20 13:43 <DIR> d-------- c:\program files\GIMP-2.0
2008-12-20 13:43 . 2008-12-20 14:43 <DIR> d-------- c:\documents and settings\Jones Boys\.gimp-2.6
2008-12-20 13:43 . 2008-12-20 13:43 <DIR> d-------- c:\documents and settings\Jones Boys\.gegl-0.0
2008-12-15 11:27 . 2008-12-15 11:27 1,172 --a------ c:\windows\mozver.dat
2008-12-13 21:07 . 2008-12-13 21:07 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\SanDisk
2008-12-13 20:39 . 2008-12-13 20:41 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\vlc
2008-12-13 20:38 . 2008-12-13 20:38 <DIR> d-------- c:\program files\VideoLAN
2008-12-13 16:41 . 2008-12-13 16:41 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\ArcSoft
2008-12-13 16:39 . 2008-12-13 16:39 <DIR> d-------- c:\program files\SanDisk
2008-12-13 16:39 . 2008-12-13 16:39 <DIR> d-------- c:\program files\Common Files\ArcSoft
2008-12-13 16:39 . 2004-05-04 11:53 1,645,320 --a------ c:\windows\system32\gdiplus.dll
2008-12-09 15:29 . 2008-12-09 15:29 <DIR> d-------- c:\program files\Common Files\Merge Modules
2008-12-09 14:00 . 2008-08-15 14:47 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2008-12-09 13:57 . 2008-12-09 13:57 <DIR> d-------- c:\windows\system32\RsFx
2008-12-09 13:08 . 2008-12-09 13:08 <DIR> d-------- c:\program files\Support Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 04:39 --------- d-----w c:\program files\Trend Micro
2008-12-23 04:42 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Skype
2008-12-23 02:36 --------- d-----w c:\program files\MUSICMATCH
2008-12-22 19:03 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Apple Computer
2008-12-22 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-22 18:59 --------- d-----w c:\program files\Apple Software Update
2008-12-20 23:35 --------- d-----w c:\program files\Java
2008-12-16 18:50 --------- d-----w c:\documents and settings\Jones Boys\Application Data\CoreFTP
2008-12-13 22:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-10 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-10 18:50 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2008-12-10 18:48 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-09 21:29 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-12-09 17:58 --------- d-----w c:\program files\ACW
2008-12-08 23:01 --------- d-----w c:\program files\AviSynth 2.5
2008-12-08 01:04 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-05 19:17 --------- d-----w c:\program files\Haali
2008-12-05 18:57 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Media Player Classic
2008-12-05 17:46 --------- d-----w c:\program files\Common Files\Nero
2008-12-05 17:45 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-12-05 17:38 --------- d-----w c:\program files\7-Zip
2008-12-05 17:26 --------- d-----w c:\program files\Nero
2008-12-04 19:21 --------- d-----w c:\documents and settings\Jones Boys\Application Data\NeroDigital™
2008-12-04 19:13 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Nero
2008-12-04 02:50 --------- d-----w c:\program files\iSofter
2008-12-04 02:50 --------- d-----w c:\program files\Common Files\Download Manager
2008-12-04 02:37 --------- d-----w c:\documents and settings\Jones Boys\Application Data\dvdcss
2008-12-04 00:36 --------- d-----w c:\documents and settings\Jones Boys\Application Data\MPEG Streamclip
2008-12-02 03:01 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Conversations Network
2008-12-02 03:00 --------- d-----w c:\program files\Levelator
2008-11-30 03:31 --------- d-----w c:\program files\Audacity
2008-11-29 23:10 --------- d-----w c:\program files\Google Video
2008-11-29 21:02 --------- d-----w c:\documents and settings\Jones Boys\Application Data\CyberLink
2008-11-29 20:59 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Corel
2008-06-07 02:35 251 ----a-w c:\program files\wt3d.ini
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SansaDispatch"="c:\documents and settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-12-14 79872]
"Google Update"="c:\documents and settings\Jones Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-17 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]

c:\documents and settings\Jones Boys\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-04-27 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-17 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uohtzv.dll,onjbwf.dll,fgevrr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2007-11-14 6097]
R4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\JONESB~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\JONESB~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2007-11-14 299923]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-01-09 11520]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-08-15 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-08-15 369688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6141bf9a-de77-11dd-8a84-00166f1ef91e}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDEULA.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-478309604-1421531346-3062559071-1005.job
- c:\documents and settings\Jones Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 14:13]

2009-01-09 c:\windows\Tasks\tgtmchli.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

2009-01-09 c:\windows\Tasks\User_Feed_Synchronization-{84911465-5DAE-452A-B2F6-DDCFC48F8FF9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\ADOBE\ACROBAT 7.0\READER\AdobeUpdateManager.exe
Notify-hgGArOHW - hgGArOHW.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://jonesboys/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Jones Boys\Application Data\Mozilla\Firefox\Profiles\5ylicmf4.default\
FF - prefs.js: browser.startup.homepage - hxxp://jonesboys/
FF - plugin: c:\documents and settings\Jones Boys\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30109.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 13:33:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-01-09 13:38:32 - machine was rebooted [Jones Boys]
ComboFix-quarantined-files.txt 2009-01-09 19:38:06

Pre-Run: 31,673,991,168 bytes free
Post-Run: 31,641,161,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

281 --- E O F --- 2008-12-18 14:19:48

#4 lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:07:29 PM

Posted 10 January 2009 - 05:05 AM

Hi,

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
Driver::
DMSKSSRh
File::
c:\docume~1\JONESB~1\LOCALS~1\Temp\DMSKSSRh.sys
c:\windows\Tasks\tgtmchli.job
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post it along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#5 lauraj

Posted 10 January 2009 - 09:27 AM

Again, thank you for responding. I really appreciate you helping me.

I saved the text to the .txt file and dragged it into the combofix icon. ComboFix said it had an update so I let it update and then it continued. Here is the combofix log file:

ComboFix 09-01-09.03 - Jones Boys 2009-01-10 7:58:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.675 [GMT -6:00]
Running from: c:\documents and settings\Jones Boys\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jones Boys\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\docume~1\JONESB~1\LOCALS~1\Temp\DMSKSSRh.sys
c:\windows\Tasks\tgtmchli.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\tgtmchli.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMSKSSRH
-------\Service_DMSKSSRh


((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-09 12:01 . 2009-01-09 12:01 <DIR> d-------- c:\program files\Western Digital Technologies
2009-01-09 12:00 . 2009-01-09 12:02 <DIR> d-------- c:\program files\Western Digital
2009-01-09 12:00 . 2007-10-01 15:17 11,520 --a------ c:\windows\system32\drivers\wdcsam.sys
2009-01-09 11:59 . 2008-04-13 13:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-01-09 11:59 . 2008-04-13 13:40 43,904 --a------ c:\windows\system32\dllcache\sbp2port.sys
2009-01-09 11:46 . 2009-01-09 11:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 11:32 . 2009-01-09 11:32 <DIR> d-------- C:\xpsp2
2009-01-09 11:31 . 2009-01-09 11:31 <DIR> d-------- C:\XPCD
2009-01-09 10:46 . 2009-01-09 10:46 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\AVGTOOLBAR
2009-01-02 10:10 . 2009-01-09 11:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 10:10 . 2009-01-09 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 08:25 . 2009-01-02 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-31 08:29 . 2008-12-31 08:29 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\Malwarebytes
2008-12-30 23:35 . 2009-01-09 11:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-30 23:35 . 2009-01-09 11:51 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\SUPERAntiSpyware.com
2008-12-30 20:58 . 2008-12-30 20:58 812,344 --a------ C:\bob.exe
2008-12-30 16:20 . 2008-12-30 16:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 09:51 . 2008-12-30 09:51 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\Amazon
2008-12-27 15:35 . 2008-12-27 16:01 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\U3
2008-12-23 21:06 . 2004-02-22 10:11 719,872 --a------ c:\windows\system32\devil.dll
2008-12-23 21:06 . 2007-05-17 17:30 318,976 --a------ c:\windows\system32\avisynth.dll
2008-12-23 21:05 . 2008-12-23 21:05 <DIR> d-------- c:\program files\eRightSoft
2008-12-22 13:03 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-22 13:03 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 13:02 . 2008-12-22 13:03 <DIR> d-------- c:\program files\iTunes
2008-12-22 13:02 . 2008-12-22 13:02 <DIR> d-------- c:\program files\iPod
2008-12-22 13:02 . 2008-12-22 13:02 <DIR> d-------- c:\program files\Bonjour
2008-12-22 13:02 . 2008-12-22 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 13:01 . 2008-12-22 13:01 <DIR> d-------- c:\program files\QuickTime
2008-12-22 12:59 . 2009-01-09 12:00 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-22 12:58 . 2008-12-22 13:02 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-22 09:48 . 2008-12-22 09:51 <DIR> d-------- c:\program files\MP3Gain
2008-12-21 21:49 . 2008-12-30 09:49 <DIR> d-------- c:\program files\Amazon
2008-12-20 17:36 . 2008-12-20 17:35 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-20 13:47 . 2008-12-20 13:47 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\gtk-2.0
2008-12-20 13:43 . 2008-12-20 13:43 <DIR> d-------- c:\program files\GIMP-2.0
2008-12-20 13:43 . 2008-12-20 14:43 <DIR> d-------- c:\documents and settings\Jones Boys\.gimp-2.6
2008-12-20 13:43 . 2008-12-20 13:43 <DIR> d-------- c:\documents and settings\Jones Boys\.gegl-0.0
2008-12-15 11:27 . 2008-12-15 11:27 1,172 --a------ c:\windows\mozver.dat
2008-12-13 21:07 . 2008-12-13 21:07 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\SanDisk
2008-12-13 20:39 . 2008-12-13 20:41 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\vlc
2008-12-13 20:38 . 2008-12-13 20:38 <DIR> d-------- c:\program files\VideoLAN
2008-12-13 16:41 . 2008-12-13 16:41 <DIR> d-------- c:\documents and settings\Jones Boys\Application Data\ArcSoft
2008-12-13 16:39 . 2008-12-13 16:39 <DIR> d-------- c:\program files\SanDisk
2008-12-13 16:39 . 2008-12-13 16:39 <DIR> d-------- c:\program files\Common Files\ArcSoft
2008-12-13 16:39 . 2004-05-04 11:53 1,645,320 --a------ c:\windows\system32\gdiplus.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 04:39 --------- d-----w c:\program files\Trend Micro
2008-12-23 04:42 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Skype
2008-12-23 02:36 --------- d-----w c:\program files\MUSICMATCH
2008-12-22 19:03 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Apple Computer
2008-12-22 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-22 18:59 --------- d-----w c:\program files\Apple Software Update
2008-12-20 23:35 --------- d-----w c:\program files\Java
2008-12-16 18:50 --------- d-----w c:\documents and settings\Jones Boys\Application Data\CoreFTP
2008-12-13 22:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-10 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-10 18:50 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2008-12-10 18:48 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-09 21:29 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-12-09 21:29 --------- d-----w c:\program files\Common Files\Merge Modules
2008-12-09 19:08 --------- d-----w c:\program files\Support Tools
2008-12-09 17:58 --------- d-----w c:\program files\ACW
2008-12-08 23:01 --------- d-----w c:\program files\AviSynth 2.5
2008-12-08 01:04 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-05 19:17 --------- d-----w c:\program files\Haali
2008-12-05 18:57 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Media Player Classic
2008-12-05 17:46 --------- d-----w c:\program files\Common Files\Nero
2008-12-05 17:45 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-12-05 17:38 --------- d-----w c:\program files\7-Zip
2008-12-05 17:26 --------- d-----w c:\program files\Nero
2008-12-04 19:21 --------- d-----w c:\documents and settings\Jones Boys\Application Data\NeroDigital™
2008-12-04 19:13 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Nero
2008-12-04 02:50 --------- d-----w c:\program files\iSofter
2008-12-04 02:50 --------- d-----w c:\program files\Common Files\Download Manager
2008-12-04 02:37 --------- d-----w c:\documents and settings\Jones Boys\Application Data\dvdcss
2008-12-04 00:36 --------- d-----w c:\documents and settings\Jones Boys\Application Data\MPEG Streamclip
2008-12-02 03:01 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Conversations Network
2008-12-02 03:00 --------- d-----w c:\program files\Levelator
2008-11-30 03:31 --------- d-----w c:\program files\Audacity
2008-11-29 23:10 --------- d-----w c:\program files\Google Video
2008-11-29 21:02 --------- d-----w c:\documents and settings\Jones Boys\Application Data\CyberLink
2008-11-29 20:59 --------- d-----w c:\documents and settings\Jones Boys\Application Data\Corel
2008-06-07 02:35 251 ----a-w c:\program files\wt3d.ini
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_13.36.56.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-10 00:06:28 10,752 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\26676eb7\92c7e946\App_Web_f4w0vvwp.dll
+ 2009-01-10 00:06:34 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\26676eb7\92c7e946\App_Web_m3lmfh04.dll
- 2009-01-09 19:32:23 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-10 14:05:10 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-09 19:32:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-10 14:05:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-09 19:32:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-10 14:05:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-09 19:33:04 225,935 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-10 14:05:38 225,939 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SansaDispatch"="c:\documents and settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-12-14 79872]
"Google Update"="c:\documents and settings\Jones Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-17 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]

c:\documents and settings\Jones Boys\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-04-27 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-17 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2007-11-14 6097]
R4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2007-11-14 299923]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-01-09 11520]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-08-15 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-08-15 369688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6141bf9a-de77-11dd-8a84-00166f1ef91e}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDEULA.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-478309604-1421531346-3062559071-1005.job
- c:\documents and settings\Jones Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 14:13]

2009-01-10 c:\windows\Tasks\User_Feed_Synchronization-{84911465-5DAE-452A-B2F6-DDCFC48F8FF9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://jonesboys/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Jones Boys\Application Data\Mozilla\Firefox\Profiles\5ylicmf4.default\
FF - prefs.js: browser.startup.homepage - hxxp://jonesboys/
FF - plugin: c:\documents and settings\Jones Boys\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30109.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 08:05:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-01-10 8:11:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 14:10:50
ComboFix2.txt 2009-01-09 19:38:34

Pre-Run: 31,679,102,976 bytes free
Post-Run: 31,667,597,312 bytes free

276 --- E O F --- 2008-12-18 14:19:48

Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:19 AM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Documents and Settings\Jones Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jonesboys/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jones Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8265 bytes

Thanks,
Laura

#6 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:29 PM

Posted 12 January 2009 - 05:53 AM

Hi,

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 11 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Glad I was able to help, and please let me know if you still need assistance.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
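The "Make your Internet Explorer more secure" steps above change six Internet-zone settings through the Custom Level dialog. As an added example (not part of lusitano's post), the PowerShell below audits those same settings by reading the registry values IE stores them in, and can apply them; it assumes Microsoft's documented action IDs for the Internet zone (zone 3), where 0 = Enable, 1 = Prompt and 3 = Disable.

```powershell
# Added example, not from the original post. Audits (and optionally applies)
# the Internet-zone settings listed above. Assumes the documented IE action IDs.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID => setting name and the value the post recommends (1 = Prompt, 3 = Disable).
$desired = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}

# Translate a raw DWORD into the label shown in the Custom Level dialog.
function Get-SettingLabel($v) {
    if ($null -eq $v) { return '(not set, zone default applies)' }
    switch ([int]$v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unknown($v)" } }
}

# Audit mode: print each setting and return how many still differ from the recommendation.
function Test-InternetZoneSettings {
    $mismatches = 0
    foreach ($id in $desired.Keys) {
        $current = (Get-ItemProperty -Path $zoneKey -Name $id -ErrorAction SilentlyContinue).$id
        $ok = ($null -ne $current) -and ([int]$current -eq $desired[$id].Value)
        if (-not $ok) { $mismatches++ }
        '{0} {1}: current={2}, recommended={3}' -f `
            $(if ($ok) { 'OK ' } else { 'FIX' }), $desired[$id].Name,
            (Get-SettingLabel $current), (Get-SettingLabel $desired[$id].Value)
    }
    return $mismatches
}

# Apply mode: writes the same values the Custom Level dialog would (run as the affected user).
function Set-InternetZoneSettings {
    foreach ($id in $desired.Keys) {
        Set-ItemProperty -Path $zoneKey -Name $id -Value $desired[$id].Value -Type DWord
    }
}

if ((Test-InternetZoneSettings) -gt 0) { Write-Host 'Run Set-InternetZoneSettings to apply the recommended values.' }
```

A value that is absent from the zone key means IE falls back to the zone's default for that action, so the audit reports it as a mismatch rather than guessing.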

#7 lauraj

lauraj
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 12 January 2009 - 11:10 AM

Thank you so much for helping me out. I have uninstalled the current Java and installed the newest version. I have also installed and set up my AVG antivirus, which has a firewall and real time protection. I have also installed and set up Spybot Search and Destroy. I have run the Secunia Software Inspector. It worked the first time, and I started to update my programs. When I tried to update Adobe it gave me this error which concerns me:

Error 1402.Could not open key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS. Verify that you have sufficient access to that key, or contact your support personnel.

Could this be something that was removed that should not have been, or do you think one of the anti-malware programs is blocking it?

Also, when I went and tried to run the Secunia again, it says that the Java applet would not work in my browser and the scan won't work again, and I should check to make sure the current version of Java is installed, which it is.

One more thing: my firewall keeps asking to allow programs to access the internet, and I have been allowing them, but then they still do not connect.

I know that most of this is probably that I need to figure out how to work this firewall, but I thought I would ask just to make sure.

Thanks so much for helping me.

Laura

#8 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:29 PM

Posted 12 January 2009 - 11:42 AM

Hello,

When I tried to update adobe it gave me this error

The best way to get help on this issue is in the forum area:
All other Applications


One more thing, My firewall keeps asking to allow programs to access the internet, and I have been allowing them, but then they still do not connect.

I know that most of this is probably that I need to figure out how to work this firewall, but I thought I would ask just to make sure.

Yes, you have to configure your firewall. Please read this tutorial on understanding firewalls.


Regards,
Lusitano

#9 lauraj

lauraj
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 12 January 2009 - 12:52 PM

Thanks for all your help. I have posted a topic in the All Other Applications section to try to figure out that error. I also read the tutorial for firewalls before. I just have to figure out this AVG one. I have never used it before and I configured it using the wizard. I may just need to set some rules manually. Thank you for responding so quickly.

Laura

#10 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:29 PM

Posted 12 January 2009 - 01:30 PM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.