infected with something - not sure what


  • This topic is locked
10 replies to this topic

#1 utopist1

  • Members
  • 42 posts

Posted 26 January 2009 - 08:01 PM

Hi - I think I might have accidentally downloaded a virus of some kind. I tried running all kinds of anti-virus-type programs, but I keep getting messages like "you are infected with spyware, would you like to run a scan?" This is not from any of my programs and repeats constantly. I also have another one that says it is IE and says "in order to continue hit cancel" - this just repeats over and over. I would appreciate your help cleaning things up - I will attach the DDS files as suggested. I also have an older (I assume) version of HijackThis - it has been a few years since I needed it. Thanks for your help - Gary



DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 16:41:27.65 on Mon 01/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.sbc.com/dsl
uDefault_Page_URL = hxxp://us7.hpwis.com/
uDefault_Search_URL = hxxp://srch-us7.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://yahoo.sbc.com/dsl
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = localhost
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: PaltalkWebLogin: {502c3ba4-2c3e-4317-bc29-c0445e82b1f9} - c:\program files\common files\paltalk\PaltalkWebLogin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Cognac] c:\docume~1\owner\locals~1\temp\~tmpa.exe
uRun: [MSFox] c:\docume~1\owner\locals~1\temp\a.exe
mRun: [YBrowser] c:\program files\yahoo!\browser\ybrwicon.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [IPInSightMonitor 02] "c:\program files\visual networks\visual ip insight\sbc\IPMon32.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [2wSysTray] c:\program files\2wire\2PortalMon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SpyHunter]
mRun: [tcactive] c:\program files\the cleaner\tca.exe
mRun: [tcmonitor] c:\program files\the cleaner\tcm.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /l*v c:\windows\temp\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\r6cj40ah.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-26 01:35 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-26 01:35 1,409 a------- c:\windows\QTFont.for
2009-01-26 01:31 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-25 23:29 76,288 a------- c:\windows\system32\sk0trT68.exe
2009-01-25 23:29 0 a------- c:\windows\system32\sk0trT68.exe.a_a
2009-01-25 23:29 105,476 a------- c:\windows\system32\msxml71.dll
2008-12-31 12:18 2,072,608 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-31 12:18 23,636 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-31 11:58 75,248 a------- c:\windows\zllsputility.exe
2008-12-31 11:58 11,264 a------- c:\windows\system32\SpOrder.dll
2008-12-31 11:56 1,086,952 a------- c:\windows\system32\zpeng24.dll

==================== Find3M ====================

2008-12-31 12:15 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-12-11 03:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-04 18:52 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-15 18:05 127,034 -----r-- c:\windows\bwUnin-8.1.1.50-8876480SL.exe

============= FINISH: 16:46:55.07 ===============


#2 miekiemoes

    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 January 2009 - 04:24 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 utopist1

  • Topic Starter
  • Members
  • 42 posts

Posted 28 January 2009 - 03:51 AM

Thanks for the help - I hope I did this right. I had trouble the first time running ComboFix - it would not create a log file, so I had to shut down and redo it. This seems rather long, but here it is. Thanks again - Gary

ComboFix 09-01-21.04 - Owner 2009-01-28 0:25:52.2 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090127-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\open.ico
c:\windows\system32\sk0trT68.exe.a_a
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 01:35 . 2009-01-28 00:02 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-26 01:35 . 2009-01-26 01:35 1,409 --a------ c:\windows\QTFont.for
2009-01-26 01:31 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-26 01:30 . 2009-01-26 01:30 <DIR> d-------- c:\program files\Alwil Software
2009-01-25 23:29 . 2009-01-25 23:45 76,288 --a------ c:\windows\system32\sk0trT68.exe
2008-12-31 12:18 . 2009-01-27 23:51 2,177,056 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-31 12:18 . 2009-01-26 21:26 25,004 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-31 12:01 . 2008-12-31 12:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-31 11:58 . 2008-07-09 09:05 75,248 --a------ c:\windows\zllsputility.exe
2008-12-31 11:58 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-31 11:56 . 2008-07-09 09:05 1,086,952 --a------ c:\windows\system32\zpeng24.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 08:09 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-28 08:03 --------- d-----w c:\program files\The Cleaner
2009-01-27 00:03 --------- d-----w c:\program files\ewido anti-malware
2009-01-26 20:25 --------- d-----w c:\program files\Lavasoft
2009-01-26 20:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-26 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-28 00:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 15:44 --------- d-----w c:\program files\Common Files\Logitech
2008-12-17 15:41 --------- d-----w c:\program files\Common Files\Logishrd
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 01:50 --------- d-----w c:\program files\Yahoo!
2008-12-05 02:52 --------- d-----w c:\program files\Java
2008-11-16 02:05 127,034 ------r c:\windows\bwUnin-8.1.1.50-8876480SL.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-05-18 77824]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-08-18 380928]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-01 311350]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-21 188416]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-09-15 393216]
"tcactive"="c:\program files\The Cleaner\tca.exe" [2004-04-09 631808]
"tcmonitor"="c:\program files\The Cleaner\tcm.exe" [2004-03-13 388096]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"nwiz"="nwiz.exe" [2002-09-09 c:\windows\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\System32\msiexec.exe" [2005-03-21 78848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2004-02-17 217088]
FlashPath Monitor.lnk - c:\program files\SmartDisk\FlashPath\sdstat.exe [2003-05-21 184320]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-15 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-15 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-08-01 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-01 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-26 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-26 20560]
R4 FlashNT;FlashNT;c:\windows\system32\drivers\FLASHNT.SYS [2003-05-21 72784]
R4 Sdselect;Sdselect;c:\windows\system32\drivers\sdselect.sys [2003-05-21 73296]

--- Other Services/Drivers In Memory ---

*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - vsmon
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7b383ee-8bf0-11db-b137-00402b4e83fc}]
\Shell\AutoRun\command - f:\truecrypt\TrueCrypt.exe /q /a /e /m rm /v "client.tc"
\Shell\dismount\command - f:\truecrypt\TrueCrypt.exe /q /d
\Shell\mount\command - f:\truecrypt\TrueCrypt.exe /q /a /e /m rm /v "client.tc"
\Shell\open\command - f:\truecrypt\TrueCrypt.exe /e /m rm /v "client.tc"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\A6E8781C91ABF180.job
- c:\docume~1\owner\applic~1\surfho~1\JOYINFOENC.exe []

2009-01-28 c:\windows\Tasks\A97551B291AAC39E.job
- c:\progra~1\surfho~1\JOYINFOENC.exe []

2009-01-28 c:\windows\Tasks\ADCB55189184D0E4.job
- c:\progra~1\surfho~1\JOYINFOENC.exe []

2009-01-28 c:\windows\Tasks\AFB6DB2493B950D8.job
- c:\docume~1\owner\applic~1\surfho~1\JOYINFOENC.exe []

2009-01-26 c:\windows\Tasks\At1.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At10.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At11.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At12.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At13.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At14.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At15.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At16.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At17.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At18.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At19.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At2.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At20.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At21.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At22.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-28 c:\windows\Tasks\At23.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-28 c:\windows\Tasks\At24.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At25.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At26.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At27.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At28.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At29.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At3.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At30.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At31.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At32.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At33.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At34.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At35.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At36.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At37.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At38.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At39.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At4.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At40.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At41.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-28 c:\windows\Tasks\At42.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At43.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At44.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At45.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-27 c:\windows\Tasks\At46.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-28 c:\windows\Tasks\At47.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-28 c:\windows\Tasks\At48.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At5.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At6.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At7.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At8.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2009-01-26 c:\windows\Tasks\At9.job
- c:\windows\system32\sk0trT68.exe [2009-01-25 23:45]

2008-10-18 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe []

2004-08-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SpyHunter - (no file)
HKU-Default-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKU-Default-Run-Cognac - c:\windows\TEMP\1.tmp.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uDefault_Search_URL = hxxp://srch-us7.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r6cj40ah.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 00:34:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3972)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2009-01-28 0:45:00
ComboFix-quarantined-files.txt 2009-01-28 08:44:45

Pre-Run: 4,000,174,080 bytes free
Post-Run: 3,988,721,664 bytes free

303 --- E O F --- 2009-01-15 02:00:58

#4 miekiemoes

    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 January 2009 - 05:32 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\sk0trT68.exe
c:\windows\Tasks\AFB6DB2493B950D8.job
c:\windows\Tasks\ADCB55189184D0E4.job
c:\windows\Tasks\A97551B291AAC39E.job
c:\windows\Tasks\A6E8781C91ABF180.job
AtJob::


Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
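A small triage script for the kind of logs posted in this thread, added here as an example; it is not code from the thread, from its participants, or from the DDS/ComboFix tools. It applies two heuristics the helper's replies rely on when reading a DDS or ComboFix log: autorun entries that launch from a temp folder, and a burst of At*.job scheduled tasks that all run the same binary (the pattern the CFScript above targets with its File:: and AtJob:: directives). The sample lines are constructed to mirror the entries in the logs above; the function names, regexes and the cluster threshold are my own choices.

```python
"""Triage helper for DDS "Run" lines and ComboFix "Scheduled Tasks" entries.

Added example: not code from the thread or from the DDS/ComboFix tools.
Sample lines below are constructed to mirror the thread's logs.
"""
import re
from collections import Counter

# Constructed sample of DDS pseudo-HJT autorun lines.
SAMPLE_RUN_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\docume~1\owner\locals~1\temp\~tmpa.exe
uRun: [MSFox] c:\docume~1\owner\locals~1\temp\a.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /qn
"""

# Constructed sample of a ComboFix "Scheduled Tasks" block: eight At*.job
# entries pointing at one random-named system32 binary, plus a benign task.
SAMPLE_TASK_LINES = "".join(
    f"2009-01-26 c:\\windows\\Tasks\\At{i}.job\n"
    f"- c:\\windows\\system32\\sk0trT68.exe [2009-01-25 23:45]\n\n"
    for i in range(1, 9)
) + r"""2004-08-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe []
"""

# DDS writes autoruns as "uRun: [name] command" (u = user hive, m = machine, d = default).
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
# ComboFix lists each task as a dated .job line followed by "- target [stamp]".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>c:\\windows\\tasks\\.+\.job)\s*$", re.I)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s*\[[^\]]*\]\s*$")
# Short (8.3) and long forms of the per-user temp folder, plus c:\windows\temp.
TEMP_RE = re.compile(r"\\(?:locals~1\\temp|local settings\\temp|windows\\temp)\\", re.I)


def parse_run_entries(text):
    """Return (name, command) pairs for every Run/RunOnce line in a DDS log."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("cmd").strip()))
    return entries


def flag_temp_autoruns(text):
    """Autoruns whose command lives in a temp folder. Legitimate software almost
    never persists from there, so each hit deserves a closer look."""
    return [(name, cmd) for name, cmd in parse_run_entries(text) if TEMP_RE.search(cmd)]


def parse_tasks(text):
    """Return {job path: target command} from a ComboFix 'Scheduled Tasks' block."""
    tasks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            current = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and current:
            tasks[current] = m.group("target")
            current = None
    return tasks


def flag_task_clusters(text, min_jobs=5):
    """Targets referenced by min_jobs or more scheduled tasks. A burst of At*.job
    files all running one binary is what ComboFix's AtJob:: directive cleans up."""
    counts = Counter(parse_tasks(text).values())
    return {target: n for target, n in counts.items() if n >= min_jobs}


def triage(run_text, task_text):
    """Combine both heuristics into one findings dict."""
    return {
        "temp_autoruns": flag_temp_autoruns(run_text),
        "task_clusters": flag_task_clusters(task_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RUN_LINES, SAMPLE_TASK_LINES).items():
        print(key, value)
```

On the constructed sample this reports the two temp-folder autoruns and one target referenced by eight tasks. The threshold of five jobs is arbitrary; the point is that a single benign task (the Spybot entry) is not flagged while a cluster is, which is the same judgement the helper made by eye before writing the CFScript.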

#5 utopist1

  • Topic Starter
  • Members
  • 42 posts

Posted 29 January 2009 - 12:24 AM

Hi - I don't exactly know why, but I don't have Notepad. The posts above were put into Word. I don't ever recall deleting it, and I have the links for it, but it always comes back stating it can't be found - I tried to browse for it but can't find it. Gary

#6 miekiemoes

    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 January 2009 - 04:20 AM

Hi,

What do you get if you right-click your desktop and select "create new text file" from the context menu?
Does it open Notepad?
Also, the logs that open after the scan should open in Notepad. So I assume that in your case, logs open in Word and the association is set to open txt files and logs in Word?

Anyway, it could be possible that your notepad.exe is indeed missing since there are malware variants that may replace it with an infected copy and most probably a scanner already deleted it.

Go to http://www.kellys-korner-xp.com/xp_tweaks.htm and scroll down to Number 326 (left column) and click on "Restore Notepad.exe" in order to download notepad.zip.
Unzip it and copy notepad.exe into your C:\Windows folder and C:\Windows\system32 folder.

#7 utopist1

  • Topic Starter
  • Members
  • 42 posts

Posted 30 January 2009 - 12:59 AM

Hi - I think I messed this up - arrrggg. When I followed the directions above, I somehow lost the text file, so I redid it per the directions. I am guessing the text came out different. I did have to restore Notepad. When I right-clicked, it would give me the Notepad icon, but when I tried to open it, it would ask what program I wanted to open it with - Notepad was not in the list. Anyway - here is the log file. Hopefully it is still useful. Thanks for your patience - Gary


ComboFix 09-01-21.04 - Owner 2009-01-29 21:19:03.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.53 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090129-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\sk0trT68.exe
c:\windows\Tasks\A6E8781C91ABF180.job
c:\windows\Tasks\A97551B291AAC39E.job
c:\windows\Tasks\ADCB55189184D0E4.job
c:\windows\Tasks\AFB6DB2493B950D8.job
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-29 20:15 . 2004-08-03 23:56 69,120 --a------ c:\windows\system32\notepad.exe
2009-01-29 20:15 . 2004-08-03 23:56 69,120 --a--c--- c:\windows\system32\dllcache\notepad.exe
2009-01-26 01:35 . 2009-01-29 21:02 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-26 01:35 . 2009-01-28 00:45 1,409 --a------ c:\windows\QTFont.for
2009-01-26 01:31 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-26 01:30 . 2009-01-26 01:30 <DIR> d-------- c:\program files\Alwil Software
2008-12-31 12:18 . 2009-01-29 20:52 2,279,456 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-31 12:18 . 2009-01-28 23:27 26,564 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-31 12:01 . 2008-12-31 12:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-31 11:58 . 2008-07-09 09:05 75,248 --a------ c:\windows\zllsputility.exe
2008-12-31 11:58 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-31 11:56 . 2008-07-09 09:05 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-17 07:43 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2008-12-04 18:52 . 2008-12-04 18:52 <DIR> d-------- c:\program files\Java
2008-12-04 18:52 . 2008-12-04 18:52 73,728 --a------ c:\windows\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 05:03 --------- d-----w c:\program files\The Cleaner
2009-01-30 02:27 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-27 00:03 --------- d-----w c:\program files\ewido anti-malware
2009-01-26 20:25 --------- d-----w c:\program files\Lavasoft
2009-01-26 20:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-26 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-28 00:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 15:44 --------- d-----w c:\program files\Common Files\Logitech
2008-12-17 15:41 --------- d-----w c:\program files\Common Files\Logishrd
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 01:50 --------- d-----w c:\program files\Yahoo!
2008-11-16 02:05 127,034 ------r c:\windows\bwUnin-8.1.1.50-8876480SL.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-28_ 0.41.23.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-30 04:59:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_54c.dat
+ 2009-01-30 04:59:47 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_720.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-05-18 77824]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-08-18 380928]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-01 311350]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-21 188416]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-09-15 393216]
"tcactive"="c:\program files\The Cleaner\tca.exe" [2004-04-09 631808]
"tcmonitor"="c:\program files\The Cleaner\tcm.exe" [2004-03-13 388096]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"nwiz"="nwiz.exe" [2002-09-09 c:\windows\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\System32\msiexec.exe" [2005-03-21 78848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2004-02-17 217088]
FlashPath Monitor.lnk - c:\program files\SmartDisk\FlashPath\sdstat.exe [2003-05-21 184320]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-15 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-15 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-08-01 65588]
Script execution time was exceeded on script "c:\combofix\lnkread.vbs".
Script execution was terminated.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-26 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-26 20560]
R4 FlashNT;FlashNT;c:\windows\system32\drivers\FLASHNT.SYS [2003-05-21 72784]
R4 Sdselect;Sdselect;c:\windows\system32\drivers\sdselect.sys [2003-05-21 73296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7b383ee-8bf0-11db-b137-00402b4e83fc}]
\Shell\AutoRun\command - f:\truecrypt\TrueCrypt.exe /q /a /e /m rm /v "client.tc"
\Shell\dismount\command - f:\truecrypt\TrueCrypt.exe /q /d
\Shell\mount\command - f:\truecrypt\TrueCrypt.exe /q /a /e /m rm /v "client.tc"
\Shell\open\command - f:\truecrypt\TrueCrypt.exe /e /m rm /v "client.tc"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe []

2004-08-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uDefault_Search_URL = hxxp://srch-us7.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r6cj40ah.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 21:28:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(860)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2009-01-29 21:43:18
ComboFix-quarantined-files.txt 2009-01-30 05:43:01
ComboFix2.txt 2009-01-30 04:52:12
ComboFix3.txt 2009-01-28 08:45:14

Pre-Run: 3,953,922,048 bytes free
Post-Run: 3,943,133,184 bytes free

190 --- E O F --- 2009-01-15 02:00:58
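A small parser for the ComboFix log format shown in the post above, added here as an example (it is not code from the thread, from ComboFix or from BleepingComputer). It pulls the Run-key autostarts out of the log and lists the items a helper reads first; the sample input is an excerpt constructed from the log above.

```python
import re

# Sample input: an excerpt constructed from the ComboFix log posted above.
SAMPLE_LOG = r"""
AV: avast! antivirus 4.8.1296 [VPS 090129-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "Name"="command" [date size]  or  "Name"="command" [X]
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# AV:/FW: header lines; the text between asterisks is the state ComboFix saw
STATUS = re.compile(r"^(?P<kind>AV|FW): (?P<product>.+?) \*(?P<status>[^*]+)\*")
FW_POLICY = re.compile(r'^"EnableFirewall"=\s*0\b')


def parse_autostarts(log):
    """Return (key, name, command, meta) for every value under a ...\\Run key."""
    entries, current_key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # a registry key header
            key = line[1:-1]
            current_key = key if key.lower().endswith("\\run") else None
            continue
        m = VALUE.match(line)
        if current_key and m:
            entries.append((current_key, m["name"], m["cmd"], m["meta"]))
    return entries


def security_findings(log):
    """Items a helper reads first: protection reported disabled at scan time, the
    firewall policy switched off, and autostarts with no file date/size ([X])."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = STATUS.match(line)
        if m and "disabled" in m["status"].lower():
            findings.append(f"{m['kind']} {m['product']}: {m['status']}")
        if FW_POLICY.match(line):
            findings.append("firewall policy standardprofile: EnableFirewall=0")
    for key, name, cmd, meta in parse_autostarts(log):
        if meta.strip() == "X":
            findings.append(f"autostart '{name}' in {key} has no file details: {cmd}")
    return findings
```

The AV/FW lines report the state at the moment ComboFix ran, so a "disabled" there has to be read together with what the user was asked to do before the scan.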

#8 miekiemoes

Posted 30 January 2009 - 02:31 AM

Hi,

Hi - I think I messed this up - arrrggg - when I followed the directions above, I somehow lost the text file so I redid it per the directions. I am guessing the text came out different. I did have to restore notepad. When I right clicked it would give me the notepad icon, but when I tried to open it, it would ask what program I wanted to open it with - notepad was not in the list. Anyway - here is the log file. Hopefully it is still useful. Thanks for your patience - Gary

It looks like the txt association is also broken in your case.
To fix this, go to http://www.kellys-korner-xp.com/xp_tweaks.htm and scroll down to Number 305 (right column) and click on "Set Txtfile to Default to Notepad" in order to download txtfilenotepad.reg
If you're using Firefox, then you should click the link and choose "save as". Or just use IE to download it.
Download it to your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
This should restore the default association for txt files (notepad).

Anyway, your log looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#9 utopist1

Posted 30 January 2009 - 11:52 PM

Hi - I did as instructed. When I ran the program to delete ComboFix my computer froze once again and I had to reboot. I tried to re-run the delete since the ComboFix icon was still there but it said it couldn't find ComboFix, so I assume it did the job. Truthfully my computer has been running much better since the first time I ran ComboFix. I appreciate all your help. Thanks. I really appreciate all of you who help on here. You all have saved me a lot of $$ over the 3 or 4 times I have gone through this with my and my kids' computers. Tell me where to go to make a donation and I will straight away. Thanks again - Gary

#10 miekiemoes

Posted 31 January 2009 - 05:38 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes

Posted 05 February 2009 - 06:58 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
