infected by spyware guard 2008


This topic is locked
19 replies to this topic

#1 cowboyken072474 (Members, 39 posts)

Posted 11 January 2009 - 10:40 AM

My computer recently got infected with "Spyware Guard 2008". I saw in one of the posts on this website that there was a tool to remove this (MBAM). I tried running it as directed, but it did not automatically start like it said it would. I also tried to start it from the desktop icon, but it still did not start.


DDS.txt log


DDS (Ver_09-01-07.01) - NTFSx86
Run by KEN at 10:15:52.04 on 2009-01-11
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.191 [GMT -5:00]

AV: Norton AntiVirus 2005 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KEN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.connecticut.cox.net/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [spywareguard] c:\program files\spyware guard 2008\spywareguard.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
SSODL: ieModule - {EE9F0351-CC83-4FCF-BF23-01C675CB85B2} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {919F6CA4-3EE5-4014-81F3-0B682716A9F0} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\wdnbpwwwcc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ken\applic~1\mozilla\firefox\profiles\sl8axjxd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.connecticut.cox.net/

============= SERVICES / DRIVERS ===============

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20041208.007\NAVENG.SYS [2006-2-10 72712]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20041208.007\NAVEX15.SYS [2006-2-10 629544]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2004-12-10 336008]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R4 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\navapsvc.exe [2005-1-10 177264]
R4 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2004-12-10 50312]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVScan.exe [2004-12-10 198368]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2005-1-10 67184]

=============== Created Last 30 ================

2009-01-10 12:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-10 12:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 12:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 12:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-10 12:03 <DIR> --d----- c:\program files\DNA
2009-01-10 12:03 <DIR> --d----- c:\docume~1\ken\applic~1\DNA
2009-01-09 21:23 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-01-08 17:08 384,000 a------- c:\windows\system32\winscenter.exe
2009-01-08 17:05 <DIR> --d----- c:\program files\Spyware Guard 2008
2009-01-07 21:22 1 a------- c:\windows\system32\tb.dr
2009-01-07 21:22 1 a------- c:\windows\system32\rc.dat
2009-01-07 21:22 1 a------- c:\windows\system32\ps1.dat
2009-01-07 21:22 1 a------- c:\windows\system32\cs.dat
2009-01-07 21:22 1 a------- c:\windows\system32\bb1.dat
2009-01-07 05:35 43,008 a------- c:\windows\system32\aj32.dll
2009-01-07 05:35 1,264 a------- c:\windows\system32\lp
2009-01-04 16:05 134,149 a------- c:\windows\reged.exe
2009-01-04 16:05 18,941 a------- c:\windows\vmreg.dll
2009-01-04 16:05 1,003,957 a------- c:\windows\sysexplorer.exe
2009-01-04 16:05 51,197 a------- c:\windows\spoolsystem.exe
2009-01-04 16:05 50,620 a------- c:\windows\sys.com
2009-01-04 16:05 47,872 a------- c:\windows\syscert.exe
2009-01-04 16:04 29,189 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
2009-01-04 15:27 <DIR> --d----- c:\program files\Microsoft Common
2009-01-01 21:30 87,608 a------- c:\docume~1\ken\applic~1\inst.exe
2009-01-01 21:30 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-01-01 21:30 47,360 a------- c:\docume~1\ken\applic~1\pcouffin.sys
2009-01-01 21:30 <DIR> --d----- c:\program files\DVDFab 5
2008-12-24 00:07 <DIR> --d----- c:\program files\PhotoViewer

==================== Find3M ====================


============= FINISH: 10:16:25.10 ===============
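
An added triage script, not part of the original post or of the DDS tool, that applies a few of the heuristics a helper uses when reading a log like the one above: autostart entries (uRun/mRun/SSODL/BHO/TB) that load from a user-writable profile directory or carry a known rogue product name, ShellServiceObjectDelayLoad entries outside the Windows directory, recently created executables in the Windows tree, 1-byte marker files, and svchost look-alikes such as the svhost.exe dropped under All Users\Application Data. The sample input is a constructed excerpt of the DDS lines above; the rogue-name watchlist, the path rules and the "review" thresholds are assumptions chosen for illustration, not rules DDS itself applies.

```python
"""Added example: heuristic triage of DDS 'Pseudo HJT Report' and 'Created Last 30'
lines. Not part of the original post or of the DDS tool; the watchlist and
thresholds are assumptions chosen for this thread."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.connecticut.cox.net/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [spywareguard] c:\program files\spyware guard 2008\spywareguard.exe
SSODL: ieModule - {EE9F0351-CC83-4FCF-BF23-01C675CB85B2} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {919F6CA4-3EE5-4014-81F3-0B682716A9F0} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\wdnbpwwwcc.dll

=============== Created Last 30 ================

2009-01-10 12:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-08 17:08 384,000 a------- c:\windows\system32\winscenter.exe
2009-01-07 21:22 1 a------- c:\windows\system32\tb.dr
2009-01-04 16:05 134,149 a------- c:\windows\reged.exe
2009-01-04 16:04 29,189 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
"""


@dataclass
class Finding:
    category: str   # "autostart" or "new-file"
    reason: str
    path: str


# Watchlist built from this thread (assumption: a real list would be far longer).
ROGUE_NAME_FRAGMENTS = ("spyware guard", "spywareguard")
EXE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
AUTOSTART_RE = re.compile(r"^(uRun|mRun|mRunOnce|SSODL|BHO|TB):\s*(.*)$")
# A path runs from a drive letter to the closing quote or end of line (spaces allowed).
PATH_RE = re.compile(r'([a-z]:\\[^"]*?)(?:"|$)', re.IGNORECASE)
NEWFILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")


def _in_profile_dir(low):
    """User-writable profile locations, in long and 8.3 (docume~1) spelling."""
    return "application data" in low or "applic~1" in low or "docume~1" in low


def triage_autostart(line):
    """Findings for one autostart line (uRun:, mRun:, SSODL:, BHO:, TB:)."""
    m = AUTOSTART_RE.match(line)
    if not m:
        return []
    kind, rest = m.groups()
    paths = PATH_RE.findall(rest)
    path = paths[-1] if paths else rest      # last path on the line is the loaded file
    low = path.lower()
    out = []
    if any(f in low for f in ROGUE_NAME_FRAGMENTS):
        out.append(Finding("autostart", f"{kind}: known rogue product name", path))
    if _in_profile_dir(low):
        out.append(Finding("autostart", f"{kind}: loads from a user-writable profile directory", path))
    if kind == "SSODL" and not low.startswith("c:\\windows\\"):
        out.append(Finding("autostart", "SSODL: shell-load DLL outside the Windows directory", path))
    return out


def triage_new_file(line):
    """Findings for one 'Created Last 30' line (date time size attrs path)."""
    m = NEWFILE_RE.match(line)
    if not m:
        return []
    _when, size, path = m.groups()
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    out = []
    if size == "<DIR>":
        if any(f in low for f in ROGUE_NAME_FRAGMENTS):
            out.append(Finding("new-file", "directory of a known rogue product", path))
        return out
    if size == "1":
        out.append(Finding("new-file", "1-byte file (marker/placeholder)", path))
    if name.startswith("tdss"):
        out.append(Finding("new-file", "TDSS-prefixed file (same naming as the files ComboFix removed)", path))
    if name == "svhost.exe" or (name == "svchost.exe" and not low.startswith("c:\\windows\\system32\\")):
        out.append(Finding("new-file", "svchost look-alike, or svchost.exe outside system32", path))
    if name.endswith(EXE_EXT):
        if _in_profile_dir(low):
            out.append(Finding("new-file", "executable dropped in a profile directory", path))
        elif low.startswith("c:\\windows\\") and "\\drivers\\" not in low:
            out.append(Finding("new-file", "new executable in the Windows directory tree (review)", path))
    return out


def triage(dds_text):
    """Run both heuristic sets over a whole DDS log; returns Findings in log order."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        findings.extend(triage_autostart(line))
        findings.extend(triage_new_file(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.category}] {f.reason}: {f.path}")
```

Run against the excerpt, the script flags spywareguard.exe, both SSODL DLLs, winscenter.exe, reged.exe, the 1-byte tb.dr and the profile-directory svhost.exe, while the Adobe BHO, the BitTorrent Run entry and the mbam.sys driver pass through unflagged. The "review" findings are a queue for a human, not a verdict: a freshly installed legitimate program can also drop an executable under c:\windows.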


#2 fenzodahl512 (Members, 6,738 posts)

Posted 12 January 2009 - 02:24 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshots of the rename step]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 cowboyken072474 (Topic Starter; Members, 39 posts)

Posted 13 January 2009 - 01:14 PM

Here are my log reports.

ComboFix:


ComboFix 09-01-12.04 - KEN 2009-01-13 12:44:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.277 [GMT -5:00]
Running from: c:\documents and settings\KEN\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe
c:\documents and settings\All Users\Application Data\svhost.exe
c:\documents and settings\KEN\Application Data\inst.exe
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\alog.txt
c:\windows\system32\bb1.dat
c:\windows\system32\cs.dat
c:\windows\system32\Drivers\TDSSmaxt.sys
c:\windows\system32\drivers\TDSSmqxt.sys
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\tb.dr
c:\windows\system32\TDSSbivk.log
c:\windows\system32\TDSSbubx.log
c:\windows\system32\TDSScfgb.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSkpjp.log
c:\windows\system32\TDSSnmxa.dll
c:\windows\system32\TDSSnrsr.dat
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoemr.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSosvn.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSSthym.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\TDSStpmp.dll
c:\windows\system32\TDSSvvbi.dll
c:\windows\system32\winscenter.exe
c:\windows\vmreg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-10 12:14 . 2009-01-10 12:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 12:14 . 2009-01-10 12:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 12:14 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 12:14 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-10 12:03 . 2009-01-13 12:34 <DIR> d-------- c:\program files\DNA
2009-01-10 12:03 . 2009-01-13 12:43 <DIR> d-------- c:\documents and settings\KEN\Application Data\DNA
2009-01-09 21:23 . 2009-01-09 21:44 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-07 05:35 . 2009-01-07 05:35 43,008 --a------ c:\windows\system32\aj32.dll
2009-01-07 05:35 . 2009-01-07 05:35 1,264 --a------ c:\windows\system32\lp
2009-01-04 20:33 . 2006-01-16 20:43 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-01-04 20:33 . 2006-01-16 21:21 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-04 20:33 . 2006-02-10 14:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-01-04 20:33 . 2006-02-10 15:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-04 20:33 . 2006-01-16 22:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2009-01-04 20:33 . 2006-01-16 22:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-01-04 20:33 . 2009-01-04 20:33 <DIR> d-------- c:\documents and settings\Administrator
2009-01-01 21:30 . 2009-01-01 21:30 <DIR> d-------- c:\program files\DVDFab 5
2009-01-01 21:30 . 2009-01-01 21:30 <DIR> d-------- c:\documents and settings\KEN\Application Data\Vso
2009-01-01 21:30 . 2009-01-01 21:30 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-01-01 21:30 . 2009-01-01 21:30 47,360 --a------ c:\documents and settings\KEN\Application Data\pcouffin.sys
2008-12-24 00:07 . 2008-12-24 00:07 <DIR> d-------- c:\program files\PhotoViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 17:43 --------- d-----w c:\documents and settings\KEN\Application Data\BitTorrent
2009-01-13 17:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-13 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-10 17:03 --------- d-----w c:\program files\BitTorrent
2009-01-02 16:59 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-14 07:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 00:48 --------- d-----w c:\documents and settings\KEN\Application Data\Move Networks
2008-11-29 01:22 --------- d-----w c:\program files\DVD Decrypter
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-10 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-09-26 18:44 634672 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-03-21 20:30 1191936 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-09-22 22:10 1871872 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 17:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-03-21 13:19 69632 c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
-ra------ 2005-04-26 05:22 589824 c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 21:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-09-30 00:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2005-03-07 21:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 2005-03-11 11:33 147456 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3948d4e9-86b7-11da-958c-001485e0958e}]
\Shell\AutoRun\command - I:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b58fa0-dab0-11dd-9491-001485e84dd7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - K:\system.exe
\Shell\Open\command - K:\system.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-NAV CfgWiz - c:\program files\Norton AntiVirus\CfgWiz.exe
MSConfigStartUp-New Value #1 - c:\sysprep\test\ftest\ftest.exe
MSConfigStartUp-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.connecticut.cox.net/
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\KEN\Application Data\Mozilla\Firefox\Profiles\sl8axjxd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.connecticut.cox.net/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 12:47:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-13 12:49:03
ComboFix-quarantined-files.txt 2009-01-13 17:48:40

Pre-Run: 6,488,498,176 bytes free
Post-Run: 7,440,236,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

202 --- E O F --- 2007-11-15 08:03:22



HijackThis report:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:47 PM, on 1/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\KEN\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.connecticut.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 3207 bytes
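
An added example, not part of the original post or of ComboFix, that reads the "Reg Loading Points" section of a ComboFix log like the one above and flags the three things in it a helper looks for: Security Center *DisableNotify values set to 1 (the user no longer sees "antivirus out of date" warnings), the Windows Firewall turned off in the standard profile, and MountPoints2 entries whose AutoRun, Open or Explore verbs run a program from the drive. The K:\system.exe entries are the pattern left by a removable-media autorun infection; that reading is an inference from the log, not something the thread states. The script then emits the matching CFScript `Registry::` section in the `[-KEY]` deletion form. The sample input is a constructed excerpt of the blocks above; the heuristics and the decision to delete whole MountPoints2 keys are assumptions made for illustration.

```python
"""Added example: triage of the ComboFix 'Reg Loading Points' section and
generation of the matching CFScript 'Registry::' deletions. Not part of the
original post or of ComboFix; the heuristics are assumptions for this thread."""
import re
from dataclasses import dataclass

# Constructed sample: blocks copied from the ComboFix log in this thread.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3948d4e9-86b7-11da-958c-001485e0958e}]
\Shell\AutoRun\command - I:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b58fa0-dab0-11dd-9491-001485e84dd7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - K:\system.exe
\Shell\Open\command - K:\system.exe
"""


@dataclass
class RegBlock:
    key: str
    lines: list


@dataclass
class Finding:
    key: str
    reason: str
    detail: str
    delete_key: bool = False   # True when whole-key removal is the remedy


DISABLE_NOTIFY = ("antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify")
MOUNTPOINT_CMD = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.*)$", re.IGNORECASE)


def parse_blocks(text):
    """Split the REGEDIT4-style listing into [key] blocks with their value lines."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = RegBlock(line[1:-1], [])
            blocks.append(cur)
        elif line and cur is not None:
            cur.lines.append(line)
    return blocks


def triage_block(block):
    """Findings for one registry block."""
    key = block.key.lower()
    out = []
    if key.endswith("security center"):
        for line in block.lines:
            name, _, value = line.partition("=")
            if name.strip('"').lower() in DISABLE_NOTIFY and value.strip().lower() == "dword:00000001":
                out.append(Finding(block.key, "Security Center alert suppressed", line))
    elif "firewallpolicy" in key and key.endswith("standardprofile"):
        for line in block.lines:
            if line.lower().startswith('"enablefirewall"') and re.search(r"=\s*0\b", line):
                out.append(Finding(block.key, "Windows Firewall disabled (standard profile)", line))
    elif "explorer\\mountpoints2\\" in key:
        verbs = {}                      # verb name -> command, e.g. "open" -> "K:\system.exe"
        for line in block.lines:
            m = MOUNTPOINT_CMD.match(line)
            if m:
                verbs[m.group(1).lower()] = m.group(2)
        if not verbs:
            return out
        joined = " | ".join(verbs.values())
        if "shellexec_rundll" in joined.lower():
            out.append(Finding(block.key, "AutoRun verb launches a file through RunDLL32/ShellExec_RunDLL", joined, True))
        if {"open", "explore"} & set(verbs):
            out.append(Finding(block.key, "Open/Explore verbs redirected to a program on the drive", joined, True))
        if "autorun" in verbs:
            out.append(Finding(block.key, "cached AutoRun command for a drive (check its autorun.inf)", verbs["autorun"], True))
    return out


def triage_registry(text):
    """All findings for a 'Reg Loading Points' listing, in log order."""
    findings = []
    for block in parse_blocks(text):
        findings.extend(triage_block(block))
    return findings


def cfscript_registry_section(findings):
    """CFScript 'Registry::' section deleting each key marked for whole-key removal,
    in the [-KEY] form CFScript uses (assumption: whole-key deletion is the intended
    remedy for hijacked MountPoints2 keys, which is what the helper in this thread did)."""
    keys = []
    for f in findings:
        if f.delete_key and f.key not in keys:
            keys.append(f.key)
    return "\n".join(["Registry::"] + [f"[-{k}]" for k in keys])


if __name__ == "__main__":
    found = triage_registry(SAMPLE_REG)
    for f in found:
        print(f"{f.reason}\n    {f.key}\n    {f.detail}")
    print(cfscript_registry_section(found))
```

On the excerpt this yields seven findings: one each for the Security Center and firewall values, one for each of the Z: and I: AutoRun caches, and three for the {41b58fa0-...} key, whose Open and Explore verbs both point at K:\system.exe. The generated `Registry::` section lists the three MountPoints2 keys only; the Security Center and firewall values are settings to restore, not keys to delete, so they are reported but never emitted as `[-KEY]` lines.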

#4 fenzodahl512 (Members, 6,738 posts)

Posted 13 January 2009 - 02:00 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\aj32.dll
c:\windows\system32\lp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3948d4e9-86b7-11da-958c-001485e0958e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b58fa0-dab0-11dd-9491-001485e84dd7}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#5 cowboyken072474 (Topic Starter; Members, 39 posts)

Posted 16 January 2009 - 05:09 PM

I have done what you stated. Thank you for your help.

Here are the next reports you asked for.


ComboFix:

ComboFix 09-01-15.01 - KEN 2009-01-16 15:06:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.220 [GMT -5:00]
Running from: c:\documents and settings\KEN\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\KEN\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\aj32.dll
c:\windows\system32\lp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\zrxadttsny.dll
c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
c:\documents and settings\All Users\Application Data\svhost.exe
c:\documents and settings\KEN\Start Menu\Programs\Spyware Guard 2008
c:\documents and settings\KEN\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk
c:\documents and settings\KEN\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk
c:\documents and settings\KEN\Start Menu\Programs\Spyware Guard 2009
c:\documents and settings\KEN\Start Menu\Programs\Spyware Guard 2009\Spyware Guard 2009.lnk
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\program files\Spyware Guard 2009
c:\program files\Spyware Guard 2009\conf.cfg
c:\program files\Spyware Guard 2009\mbase.vdb
c:\program files\Spyware Guard 2009\quarantine.vdb
c:\program files\Spyware Guard 2009\queue.vdb
c:\program files\Spyware Guard 2009\spywareguard.exe
c:\program files\Spyware Guard 2009\uninstall.exe
c:\program files\Spyware Guard 2009\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\aj32.dll
c:\windows\system32\drivers\TDSScqcs.sys
c:\windows\system32\lp
c:\windows\system32\sft.res
c:\windows\system32\TDSSfvhc.dll
c:\windows\system32\TDSSibwu.dll
c:\windows\system32\TDSSjiyg.dll
c:\windows\system32\TDSSlolc.dat
c:\windows\system32\TDSSmyjc.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnraw.dll
c:\windows\system32\TDSSntyq.log
c:\windows\system32\TDSSvcvd.dll
c:\windows\system32\TDSSyham.log
c:\windows\system32\twex.exe
c:\windows\system32\winscenter.exe
c:\windows\vmreg.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-13 18:48 . 2009-01-13 18:48 33,280 --a------ c:\windows\system32\msfacat32.dll
2009-01-13 18:31 . 2009-01-16 14:47 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-10 12:14 . 2009-01-10 12:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 12:14 . 2009-01-10 12:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 12:14 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 12:14 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-10 12:03 . 2009-01-16 15:10 <DIR> d-------- c:\program files\DNA
2009-01-10 12:03 . 2009-01-16 15:10 <DIR> d-------- c:\documents and settings\KEN\Application Data\DNA
2009-01-09 21:23 . 2009-01-09 21:44 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-04 20:33 . 2006-01-16 20:43 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-01-04 20:33 . 2006-01-16 21:21 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-04 20:33 . 2006-02-10 14:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-01-04 20:33 . 2006-02-10 15:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-04 20:33 . 2006-01-16 22:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2009-01-04 20:33 . 2006-01-16 22:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-01-04 20:33 . 2009-01-04 20:33 <DIR> d-------- c:\documents and settings\Administrator
2009-01-01 21:30 . 2009-01-01 21:30 <DIR> d-------- c:\program files\DVDFab 5
2009-01-01 21:30 . 2009-01-01 21:30 <DIR> d-------- c:\documents and settings\KEN\Application Data\Vso
2009-01-01 21:30 . 2009-01-01 21:30 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-01-01 21:30 . 2009-01-01 21:30 47,360 --a------ c:\documents and settings\KEN\Application Data\pcouffin.sys
2008-12-24 00:07 . 2008-12-24 00:07 <DIR> d-------- c:\program files\PhotoViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 17:43 --------- d-----w c:\documents and settings\KEN\Application Data\BitTorrent
2009-01-13 17:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-13 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-10 17:03 --------- d-----w c:\program files\BitTorrent
2009-01-02 16:59 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-14 07:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 00:48 --------- d-----w c:\documents and settings\KEN\Application Data\Move Networks
2008-11-29 01:22 --------- d-----w c:\program files\DVD Decrypter
2009-01-04 21:05 766,976 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\wdnbpwwwcc.dll
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_12.47.58.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-13 17:44:32 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-16 20:02:49 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-13 17:44:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-16 20:02:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-13 17:44:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-16 20:02:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-10 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spywareguard"="c:\program files\Spyware Guard 2009\spywareguard.exe" [BU]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-09-26 18:44 634672 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-03-21 20:30 1191936 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-09-22 22:10 1871872 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 17:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-03-21 13:19 69632 c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
-ra------ 2005-04-26 05:22 589824 c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 21:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-09-30 00:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2005-03-07 21:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 2005-03-11 11:33 147456 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]
rundll32 msfacat32.dll,InitModule
.
- - - - ORPHANS REMOVED - - - -

BHO-{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4} - msfacat32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\KEN\Application Data\Mozilla\Firefox\Profiles\sl8axjxd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.connecticut.cox.net/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 15:09:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-16 15:12:55 - machine was rebooted [KEN]
ComboFix-quarantined-files.txt 2009-01-16 20:12:50
ComboFix2.txt 2009-01-13 17:49:04

Pre-Run: 7,402,594,304 bytes free
Post-Run: 7,393,329,152 bytes free

201 --- E O F --- 2007-11-15 08:03:22





Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:53 PM, on 1/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\KEN\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2009\spywareguard.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 3286 bytes



Thanks again

#6 fenzodahl512

Posted 16 January 2009 - 05:17 PM

Erm... Let's do an antirootkit scan...


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 cowboyken072474
  • Topic Starter

Posted 16 January 2009 - 08:22 PM

I am doing the antirootkit scan now....

I don't know if this is important, but at the beginning of the ComboFix scan I believe it says that I have a rootkit installed. It asks me to write down the following files in case we need them later, and then it lists 10-12 files.

#8 cowboyken072474
  • Topic Starter

Posted 16 January 2009 - 09:13 PM

Here is the GMER scan log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-16 21:07:14
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.14 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\Combo-Fix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Fastfat \Fat F0AE5C8A

---- EOF - GMER 1.0.14 ----

#9 fenzodahl512

Posted 17 January 2009 - 02:03 AM

I don't know if this is important, but at the beginning of the ComboFix scan I believe it says that I have a rootkit installed. It asks me to write down the following files in case we need them later, and then it lists 10-12 files.


You really should do that..


Please download haxfix.exe and save it to your Desktop.
  • Just double-click haxfix.exe and press any key to continue
  • A red "dos window" (dos box) will open. Choose option 1. Make logfile and press Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt (C:\HaxFix\haxlog.txt)
  • Please post the contents of that logfile in your next reply.



#10 cowboyken072474
  • Topic Starter

Posted 17 January 2009 - 04:12 AM

I did write them down, but I don't know what to do with them. Should they be deleted?

Here is the haxfix log:

HAXFIX logfile - by Marckie

version 5.057
Sat 01/17/2009 3:25:06.15
running from C:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found


--- Checking for Goldun - Spybanker ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for random used files and services
these files are not necessarily malicious
C:\Documents and Settings\KEN\Desktop\xmas 2007\302CANON\Thumbs.db
C:\Documents and Settings\KEN\My Documents\BitTorrent Downloads\Britney Spears - Discography (1999-2007) [320] (7 CD) [h33t][migel]\Thumbs.db
C:\Documents and Settings\KEN\My Documents\videos\Trans-Siberian Orchestra Discography\Thumbs.db
C:\Drivers\Chipset\VIA\IDE\_ISDel.exe
C:\Drivers\Chipset\VIA\S3G\9XME\_ISDEL.EXE
C:\Drivers\Network\Intel\APPS\PROSet\XP_NET32\ianswxp.cat
C:\Program Files\CanonBJ\IJPrinter\Canon MP160\Prn2KXP\CNMSR.DL_
C:\WINDOWS\Fonts\ega40857.fon
C:\WINDOWS\Fonts\modern.fon
C:\WINDOWS\inf\netdf650.PNF
C:\WINDOWS\inf\mtxvideo.PNF
C:\WINDOWS\system32\batt.dll
C:\WINDOWS\system32\dciman32.dll
C:\WINDOWS\system32\eventvwr.exe
C:\WINDOWS\system32\fxsperf.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\migregdb.exe
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\batt.dll
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\dciman32.dll
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\fxsperf.dll
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\snmptrap.exe
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\tty.dll
C:\WINDOWS\system32\dllcache\batt.dll
C:\WINDOWS\system32\dllcache\dciman32.dll
C:\WINDOWS\system32\dllcache\eventvwr.exe
C:\WINDOWS\system32\dllcache\fxsperf.dll
C:\WINDOWS\system32\dllcache\modern.fon
C:\WINDOWS\system32\dllcache\snmptrap.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMVS83.DLL
C:\WINDOWS\system32\spool\drivers\w32x86\canonmp160103c\CNMVS83.DLL
no matching services found

checking for browser helper objects
no known browser helper objects found

checking for appinit files
no files found

checking for possible infected files
please submit these file here: http://www.bleepingcomputer.com/submit-mal....php?channel=11
no files found

checking for Active Setup Installed Components
{5EB96953-7D02-4594-AC15-F55FC9AACFCB}

checking iexplore.exe
iexplore.exe is not infected


--- Checking for other Goldun, Spybanker and Haxdoor files ---
no other Haxdoor or Goldun files found


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 03:55:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!

#11 fenzodahl512

Posted 17 January 2009 - 05:07 AM

I did write them down, but I don't know what to do with them.


Post what you wrote here :thumbsup:


IMPORTANT!: Please create a fresh Restore Point before proceeding with our fix. Please visit this webpage if you do not know how..

If you are using Windows Vista, please visit this webpage for more information.


  • Please double-click haxfix.exe (C:\haxfix.exe) and choose option 1 and press Enter. Let it finish until a haxlog.txt appears
  • Double-click again haxfix.exe and choose option 2. Run autofix and press Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (C:\HaxFix\haxlog.txt)
  • Post the contents of that logfile along with a new HijackThis log.



#12 cowboyken072474
  • Topic Starter

Posted 17 January 2009 - 11:14 AM

From the first time I ran ComboFix, the following was listed as rootkit activity:


C:windows\system32\drivers\TDSSmqxt.sys
C:windows\system32\TDSSoeqh.dll
C:windows\system32\TDSSnvsr.dat
C:windows\system32\TDSSfpmp.dll
C:windows\system32\TDSSnmxa.dll
C:windows\system32\TDSSsbhc.dll
C:windows\system32\TDSSthym.dll
C:windows\system32\TDSSkpjp.log
C:windows\system32\TDSSbubx.log
C:windows\system32\TDSSvvbi.dll
C:windows\system32\TDSSbivk.log



And from the second time I ran ComboFix, I got this second list:

C:windows\system32\twex.exe
C:windows\system32\drivers\TDSS.cqcs.sys
C:windows\system32\TDSSmyjc.dll
C:windows\system32\TDSSloll.dat
C:windows\system32\TDSSnraw.dll
C:windows\system32\TDSSjiyg.dll
C:windows\system32\TDSSibwu.dll
C:windows\system32\TDSSvcvd.dll
C:windows\system32\TDSSntyq.log
C:windows\system32\TDSSnmxh.log
C:windows\system32\TDSSfvhc.dll
C:windows\system32\TDSSyham.log

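The indicators that these logs exposed (the HKCU lock-out policies, the muted Security Center, the disabled firewall profile, the rogue "Spyware Guard" Run entry, the Active Setup component loading a DLL through rundll32, and the randomly named TDSS files) can be pulled out of a ComboFix or HijackThis log automatically rather than by eye. The script below is an added example, not code from this thread or from ComboFix, HijackThis or GMER; its sample log and its rogue-name watchlist are constructed from lines quoted in the thread.

```python
"""Triage helper for ComboFix / HijackThis style logs (added example for
this thread; not code from BleepingComputer, ComboFix, HijackThis or GMER).

It flags the indicators the thread's logs exposed: lock-out policies under
the HKCU policies key, a muted Security Center, a disabled firewall
profile, a Run entry for a rogue "Spyware Guard" style product, an Active
Setup component loading a DLL via rundll32, and the randomly named
TDSS*.{sys,dll,dat,log} files. SAMPLE_LOG is constructed from thread lines.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spywareguard"="c:\program files\Spyware Guard 2009\spywareguard.exe" [BU]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]
rundll32 msfacat32.dll,InitModule

C:\windows\system32\drivers\TDSSmqxt.sys
C:\windows\system32\TDSSoeqh.dll
C:\windows\system32\TDSSnvsr.dat
C:\windows\system32\TDSSkpjp.log
C:\windows\system32\twex.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+([^\s,]+)", re.IGNORECASE)
TDSS_RE = re.compile(r"[\\/]TDSS[a-z]{4}\.(?:sys|dll|dat|log)$", re.IGNORECASE)
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools",
                    "nodispbackgroundpage", "nodispscrsavpage"}
ROGUE_WATCHLIST = ("spyware guard", "spywareguard")  # constructed watchlist

@dataclass(frozen=True)
class Finding:
    category: str
    detail: str
    line: int

def _reg_int(raw):
    """Integer from ComboFix's '1 (0x1)' or REGEDIT4's 'dword:00000001'."""
    m = re.match(r"(\d+)\s*\(0x[0-9a-f]+\)|dword:([0-9a-f]{8})", raw, re.I)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) is not None else int(m.group(2), 16)

def triage(log_text):
    """Return a Finding for every suspicious line in log_text."""
    findings, key = [], ""
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            key = ""  # a blank line ends the current registry key block
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if TDSS_RE.search(line):
            findings.append(Finding("tdss-file", line, lineno))
        elif "active setup\\installed components" in key:
            m = RUNDLL_RE.match(line)
            if m:
                findings.append(Finding("active-setup-rundll32", m.group(1), lineno))
        elif (m := VALUE_RE.match(line)):
            name, raw = m.group(1), m.group(2)
            lname, num = name.lower(), _reg_int(raw)
            if key.endswith("\\policies\\system") and lname in LOCKOUT_POLICIES and num:
                findings.append(Finding("user-lockout-policy", name, lineno))
            elif key.endswith("\\security center") and lname.endswith("disablenotify") and num:
                findings.append(Finding("security-center-muted", name, lineno))
            elif key.endswith("\\firewallpolicy\\standardprofile") and lname == "enablefirewall" and num == 0:
                findings.append(Finding("firewall-disabled", name, lineno))
            elif key.endswith("\\run") and any(w in (name + raw).lower() for w in ROGUE_WATCHLIST):
                findings.append(Finding("rogue-run-entry", f"{name} -> {raw}", lineno))
    return findings

def summarize(findings):
    """Count findings per category, e.g. {'tdss-file': 4, ...}."""
    return dict(Counter(f.category for f in findings))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>3}  {f.category:<22} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Legitimate entries in the sample (the SoundMan Run value, twex.exe) are deliberately left unflagged so the output stays a short review list rather than a second copy of the log.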
#13 cowboyken072474
  • Topic Starter

Posted 17 January 2009 - 12:29 PM

I ran the haxfix "autofix" and it took only about ten seconds and it found nothing. It went back to the menu without a reboot or a log report.

#14 fenzodahl512

Posted 17 January 2009 - 03:27 PM

Thank you for the lists :thumbsup:


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
TDSS.sys

Rootkit::
c:\windows\system32\msfacat32.dll
C:windows\system32\twex.exe
C:windows\system32\drivers\TDSS.cqcs.sys
C:windows\system32\TDSSmyjc.dll
C:windows\system32\TDSSloll.dat
C:windows\system32\TDSSnraw.dll
C:windows\system32\TDSSjiyg.dll
C:windows\system32\TDSSibwu.dll
C:windows\system32\TDSSvcvd.dll
C:windows\system32\TDSSntyq.log
C:windows\system32\TDSSnmxh.log
C:windows\system32\TDSSfvhc.dll
C:windows\system32\TDSSyham.log
C:windows\system32\drivers\TDSSmqxt.sys
C:windows\system32\TDSSoeqh.dll
C:windows\system32\TDSSnvsr.dat
C:windows\system32\TDSSfpmp.dll
C:windows\system32\TDSSnmxa.dll
C:windows\system32\TDSSsbhc.dll
C:windows\system32\TDSSthym.dll
C:windows\system32\TDSSkpjp.log
C:windows\system32\TDSSbubx.log
C:windows\system32\TDSSvvbi.dll
C:windows\system32\TDSSbivk.log

File::
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\wdnbpwwwcc.dll
c:\windows\system32\msfacat32.dll
C:windows\system32\twex.exe
C:windows\system32\drivers\TDSS.cqcs.sys
C:windows\system32\TDSSmyjc.dll
C:windows\system32\TDSSloll.dat
C:windows\system32\TDSSnraw.dll
C:windows\system32\TDSSjiyg.dll
C:windows\system32\TDSSibwu.dll
C:windows\system32\TDSSvcvd.dll
C:windows\system32\TDSSntyq.log
C:windows\system32\TDSSnmxh.log
C:windows\system32\TDSSfvhc.dll
C:windows\system32\TDSSyham.log
C:windows\system32\drivers\TDSSmqxt.sys
C:windows\system32\TDSSoeqh.dll
C:windows\system32\TDSSnvsr.dat
C:windows\system32\TDSSfpmp.dll
C:windows\system32\TDSSnmxa.dll
C:windows\system32\TDSSsbhc.dll
C:windows\system32\TDSSthym.dll
C:windows\system32\TDSSkpjp.log
C:windows\system32\TDSSbubx.log
C:windows\system32\TDSSvvbi.dll
C:windows\system32\TDSSbivk.log

Folder::
c:\program files\Spyware Guard 2009

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spywareguard"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]

DirLook::
c:\windows\system32\twain32

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not captured]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#15 cowboyken072474
  • Topic Starter

Posted 18 January 2009 - 10:19 AM

I have done as you have asked. Here are the new log reports.

Combofix



ComboFix 09-01-17.03 - KEN 2009-01-17 22:52:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.201 [GMT -5:00]
Running from: c:\documents and settings\KEN\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\KEN\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\wdnbpwwwcc.dll
c:\windows\system32\msfacat32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\wdnbpwwwcc.dll
c:\windows\system32\msfacat32.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 03:24 . 2009-01-17 12:26 <DIR> d-------- C:\HaxFix
2009-01-17 03:24 . 2009-01-17 03:20 512,214 --a------ C:\HaxFix.exe
2009-01-16 20:08 . 2009-01-16 20:08 250 --a------ c:\windows\gmer.ini
2009-01-13 18:31 . 2009-01-16 14:47 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-10 12:14 . 2009-01-10 12:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 12:14 . 2009-01-10 12:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 12:14 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 12:14 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-10 12:03 . 2009-01-17 22:56 <DIR> d-------- c:\program files\DNA
2009-01-10 12:03 . 2009-01-17 22:56 <DIR> d-------- c:\documents and settings\KEN\Application Data\DNA
2009-01-09 21:23 . 2009-01-09 21:44 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-04 20:33 . 2006-01-16 20:43 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-01-04 20:33 . 2006-01-16 21:21 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-04 20:33 . 2006-02-10 14:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-01-04 20:33 . 2006-02-10 15:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-04 20:33 . 2006-01-16 22:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2009-01-04 20:33 . 2006-01-16 22:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-01-04 20:33 . 2009-01-04 20:33 <DIR> d-------- c:\documents and settings\Administrator
2009-01-01 21:30 . 2009-01-01 21:30 <DIR> d-------- c:\program files\DVDFab 5
2009-01-01 21:30 . 2009-01-01 21:30 <DIR> d-------- c:\documents and settings\KEN\Application Data\Vso
2009-01-01 21:30 . 2009-01-01 21:30 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-01-01 21:30 . 2009-01-01 21:30 47,360 --a------ c:\documents and settings\KEN\Application Data\pcouffin.sys
2008-12-24 00:07 . 2008-12-24 00:07 <DIR> d-------- c:\program files\PhotoViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 17:43 --------- d-----w c:\documents and settings\KEN\Application Data\BitTorrent
2009-01-13 17:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-13 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-10 17:03 --------- d-----w c:\program files\BitTorrent
2009-01-02 16:59 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-14 07:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 00:48 --------- d-----w c:\documents and settings\KEN\Application Data\Move Networks
2008-11-29 01:22 --------- d-----w c:\program files\DVD Decrypter
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\twain32 ----

2009-01-16 14:47 83943 --a------ c:\windows\system32\twain32\local.ds
2009-01-13 18:42 0 --a------ c:\windows\system32\twain32\user.ds


((((((((((((((((((((((((((((( snapshot@2009-01-13_12.47.58.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-17 01:08:18 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2009-01-13 17:44:32 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-16 20:02:49 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-13 17:44:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-16 20:02:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-17 01:08:18 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-10 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-09-26 18:44 634672 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-03-21 20:30 1191936 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-09-22 22:10 1871872 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 17:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-03-21 13:19 69632 c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
-ra------ 2005-04-26 05:22 589824 c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 21:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-09-30 00:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2005-03-07 21:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 2005-03-11 11:33 147456 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\KEN\Application Data\Mozilla\Firefox\Profiles\sl8axjxd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.connecticut.cox.net/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 22:55:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-17 22:59:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 03:59:13
ComboFix2.txt 2009-01-16 20:12:57
ComboFix3.txt 2009-01-13 17:49:04

Pre-Run: 7,398,354,944 bytes free
Post-Run: 7,385,858,048 bytes free

157 --- E O F --- 2007-11-15 08:03:22




HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:06 AM, on 1/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\KEN\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 3200 bytes
