
Antivirus 2010


  • This topic is locked
8 replies to this topic

#1 shally429

shally429

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 12 March 2009 - 01:41 PM

Hi all, Rigel helped me LOTS but has said even though everything appears to be working I still have some of the virus. Here is the thread. And here are the 2 logs from the HJT scan. Thanks for the help!


DDS (Ver_09-02-01.01) - NTFSx86
Run by User at 14:36:21.01 on Thu 03/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.351 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Documents and Settings\User\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {3663b765-f46d-4c77-9f3f-a09ed6d043dc} - c:\windows\system32\efcDVmNG.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No File
TB: {9210542E-CB2E-4771-A704-D5173248A900} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
uRun: [Aim6]
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [cdloader] "c:\documents and settings\user\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NGTray] "c:\program files\symantec\ghost\ngtray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.1\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: aol.com\free
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://couponmom.coupons.smartsource.com/download/cscmv5X.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192221511453
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: giaxpj.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcyaXrP

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\o3070gvw.default\
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\o3070gvw.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-15 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-15 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-15 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-15 298264]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-17 266240]
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\symantec\ghost\ngctw32.exe [2007-4-20 632456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-5 24652]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
RUnknown afwcore;afwcore; [x]
RUnknown SandBox;SandBox; [x]
S1 hidparsee;hidparsee;c:\windows\system32\drivers\hidparsee.sys --> c:\windows\system32\drivers\hidparsee.sys [?]

=============== Created Last 30 ================

2009-03-07 20:45 <DIR> --d----- c:\program files\iPod
2009-03-07 20:44 <DIR> --d----- c:\program files\iTunes
2009-03-07 20:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-07 20:24 <DIR> --d----- c:\program files\Bonjour
2009-03-07 11:40 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-03-06 22:15 <DIR> --d----- c:\docume~1\user\applic~1\YouDataAIR.CDA5CEB063BC2A22C44BAA035F25F65FCCDA2208.1
2009-03-06 22:15 <DIR> --d----- c:\program files\YouData
2009-03-05 10:17 <DIR> --d----- c:\program files\AKProg
2009-03-04 14:58 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-03-04 14:58 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-03-03 11:21 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-03 10:59 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\MPK
2009-02-28 15:09 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-02-28 15:04 <DIR> --d--r-- c:\program files\Skype
2009-02-18 10:41 3,544 a------- c:\windows\system32\tmp.reg
2009-02-18 10:41 <DIR> --d----- c:\documents and settings\user\SmitfraudFix
2009-02-17 20:12 <DIR> --d----- C:\fsaua.data
2009-02-17 19:39 266,240 a------- c:\windows\system32\CSHelper.exe
2009-02-17 19:39 225,280 a------- c:\windows\system32\CSInstru.DLL
2009-02-17 19:39 <DIR> --d----- c:\windows\ArtistScope Plugin FX 42
2009-02-17 16:54 552 a------- c:\windows\system32\d3d8caps.dat
2009-02-17 15:14 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-17 15:14 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-02-17 15:13 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-17 11:09 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-17 10:47 <DIR> --d----- c:\windows\ERUNT
2009-02-17 10:16 <DIR> --d----- C:\SDFix
2009-02-16 12:00 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-02-16 12:00 <DIR> --d----- c:\docume~1\user\applic~1\Spyware Terminator
2009-02-16 12:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-02-16 12:00 <DIR> --d----- c:\program files\Spyware Terminator
2009-02-15 22:38 <DIR> --d----- c:\program files\Agnitum
2009-02-15 20:04 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-02-15 20:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-15 20:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-15 20:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-15 20:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-15 17:21 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-15 17:17 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-15 17:17 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-15 17:17 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-15 17:16 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-15 17:16 <DIR> --d----- c:\docume~1\user\applic~1\AVGTOOLBAR
2009-02-15 17:16 <DIR> --d----- c:\program files\AVG
2009-02-15 17:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-02-17 10:34 170,884 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-01-17 13:05 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-12 10:49 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll
2008-09-15 12:33 858,118 a--sh--- c:\windows\system32\GNmVDcfe.ini2
2008-09-15 20:29 6,358 a--sh--- c:\windows\system32\PrXaycfe.ini2

============= FINISH: 14:36:50.26 ===============

Edited by shally429, 12 March 2009 - 01:42 PM.


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:25 AM

Posted 18 March 2009 - 02:35 PM

Hello Shally429,

Who uses this computer? Your family, or only you?


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
    You want the 32-bit version, not the 64-bit version!
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12".
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop-down box,
    select Windows and Multi-Language, then press Continue. Selecting Windows gives you the 32-bit version.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u12-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 11
    Java™ 6 Update 7
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

We will run ComboFix.
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.


Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.

Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
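As an added illustration of how a helper reads the kind of logs posted in this thread, the Python script below is not code from the thread, from DDS or from ComboFix. It scans lines in the "Pseudo HJT Report", "Reg Loading Points" and "mountpoints2" formats shown above, returns the loading points an analyst checks first (AppInit_DLLs, extra LSA authentication packages, unnamed or orphaned BHOs, a disabled firewall, per-drive AutoRun handlers), and compares the BrowserJavaVersion from the DDS header against the Update 12 build requested above. The rule set, the severity labels and the SAMPLE_LOG block (constructed here in the same format as the logs in the thread) are this example's own choices.

```python
"""Triage helper for DDS / ComboFix style log lines.

Added example: not part of the original thread and not code from the DDS or
ComboFix tools. Rules, severities and the sample lines are this example's own.
"""
import re

# Constructed sample: lines in the same format as the logs posted in this thread.
SAMPLE_LOG = """\
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
BHO: {3663b765-f46d-4c77-9f3f-a09ed6d043dc} - c:\\windows\\system32\\efcDVmNG.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: giaxpj.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\efcyaXrP
"EnableFirewall"= 0 (0x0)
\\Shell\\AutoRun\\command - E:\\autorun.exe
"""

# The only authentication package a default Windows XP install lists.
DEFAULT_LSA_PACKAGES = {"msv1_0"}


def parse_java_version(text):
    """Turn a version string such as '1.6.0_11' into a comparable tuple."""
    return tuple(int(part) for part in re.split(r"[._]", text))


def java_is_outdated(log_text, baseline="1.6.0_12"):
    """True if the DDS header reports a BrowserJavaVersion older than baseline.

    Returns None when the header line is absent. The default baseline is the
    JRE 6 Update 12 build asked for in this thread.
    """
    match = re.search(r"BrowserJavaVersion:\s*(\S+)", log_text)
    if not match:
        return None
    return parse_java_version(match.group(1)) < parse_java_version(baseline)


def triage(log_text):
    """Return (severity, reason, line) tuples for lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Orphaned BHO / toolbar: CLSID registered, DLL gone. Clutter, not an infection.
        if re.match(r"^(BHO|TB):.*- No File$", line):
            findings.append(("low", "orphaned BHO/toolbar entry (no file on disk)", line))
        # BHO registered without a product name: verify the DLL's publisher and hash.
        elif re.match(r"^BHO: \{[0-9a-fA-F-]+\} - .+\.dll$", line, re.IGNORECASE):
            findings.append(("medium", "unnamed BHO loading a DLL", line))
        # AppInit_DLLs are loaded into every process that maps user32.dll.
        elif line.startswith("AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].split()
            if dlls:
                findings.append(("high", "AppInit_DLLs set: " + ", ".join(dlls), line))
        # Anything beyond msv1_0 is loaded by LSASS at logon.
        elif line.startswith("LSA: Authentication Packages"):
            packages = set(line.split("=", 1)[1].split())
            extra = sorted(packages - DEFAULT_LSA_PACKAGES)
            if extra:
                findings.append(("high", "non-default LSA authentication package: " + ", ".join(extra), line))
        # Windows Firewall switched off for the standard profile.
        elif re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            findings.append(("medium", "Windows Firewall disabled (standard profile)", line))
        # Per-drive AutoRun handler remembered for a removable device.
        elif line.startswith("\\Shell\\AutoRun\\command"):
            findings.append(("low", "AutoRun handler recorded for a removable drive", line))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'low': 3}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, reason, line in results:
        print(f"[{severity:6}] {reason}\n          {line}")
    print("Java outdated:", java_is_outdated(SAMPLE_LOG))
    print(severity_counts(results))
```

Run as-is it prints the findings for the constructed sample; to use it on a real log, read the file and pass its contents to triage(). A flagged line is a prompt to verify the file (publisher, hash, creation date, whether it is still on disk), not a verdict on its own, which is why the helpers in this thread ask for a second tool's log before deciding what to remove.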

#3 shally429

shally429
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 24 March 2009 - 12:06 PM

sorry it took so long to respond. i uninstalled all the old java programs and installed the update you told me to. here is the combofix log. thank you again

ComboFix 09-03-23.01 - User 2009-03-24 12:51:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.575 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\GNmVDcfe.ini
c:\windows\system32\GNmVDcfe.ini2
c:\windows\system32\PrXaycfe.ini
c:\windows\system32\PrXaycfe.ini2
c:\windows\system32\qrxbmqup.ini
c:\windows\system32\semtpiex.ini
c:\windows\system32\skgcddcy.ini
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-24 12:46 . 2009-03-24 12:46 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-24 12:21 . 2009-03-24 12:21 <DIR> d-------- c:\program files\Big Kahuna Reef
2009-03-24 12:21 . 2009-02-19 17:20 57,344 --a------ c:\windows\system32\Big Kahuna Reef.scr
2009-03-23 14:36 . 2009-03-23 14:36 <DIR> dr-h----- C:\MSOCache
2009-03-15 17:12 . 2009-03-15 17:12 <DIR> d-------- c:\windows\aim95
2009-03-15 17:12 . 2004-08-04 08:00 112,128 --a------ c:\windows\system32\mapi32bak.dll
2009-03-15 17:11 . 2009-03-15 17:12 <DIR> d-------- c:\program files\Netscape
2009-03-15 17:11 . 2001-10-17 04:31 634,065 --a------ c:\windows\cd32.exe
2009-03-15 17:11 . 2001-10-17 02:20 61,952 --a------ c:\windows\system32\nabapi32.dll
2009-03-13 11:44 . 2009-03-13 11:44 <DIR> d-------- c:\program files\PayPal
2009-03-13 11:43 . 2009-03-13 11:43 <DIR> d-------- c:\documents and settings\User\Application Data\InstallShield
2009-03-07 20:45 . 2009-03-07 20:45 <DIR> d-------- c:\program files\iPod
2009-03-07 20:44 . 2009-03-07 20:45 <DIR> d-------- c:\program files\iTunes
2009-03-07 20:44 . 2009-03-07 20:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-07 20:42 . 2009-03-07 20:43 <DIR> d-------- c:\program files\QuickTime
2009-03-07 20:24 . 2009-03-07 20:24 <DIR> d-------- c:\program files\Bonjour
2009-03-07 11:40 . 2009-03-07 11:40 202,072 -ra------ c:\windows\system32\cpnprt2.cid
2009-03-06 22:15 . 2009-03-06 22:15 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-06 22:15 . 2009-03-06 22:15 <DIR> d-------- c:\documents and settings\User\Application Data\YouDataAIR.CDA5CEB063BC2A22C44BAA035F25F65FCCDA2208.1
2009-03-04 14:58 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-03-04 14:58 . 2008-04-13 11:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-03-03 10:59 . 2009-03-03 22:02 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\MPK
2009-02-28 15:09 . 2009-03-24 12:42 <DIR> d-------- c:\documents and settings\User\Application Data\skypePM
2009-02-28 15:09 . 2009-02-28 15:09 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-02-28 15:05 . 2009-03-24 12:42 <DIR> d-------- c:\documents and settings\User\Application Data\Skype
2009-02-28 15:04 . 2009-02-28 15:04 <DIR> dr------- c:\program files\Skype
2009-02-28 15:04 . 2009-02-28 15:04 <DIR> d-------- c:\program files\Common Files\Skype
2009-02-28 15:04 . 2009-02-28 15:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 16:42 --------- d-----w c:\documents and settings\User\Application Data\OpenOffice.org2
2009-03-24 16:42 --------- d-----w c:\documents and settings\User\Application Data\mjusbsp
2009-03-24 16:37 --------- d-----w c:\program files\Java
2009-03-24 16:26 --------- d-----w c:\program files\The Scruffs
2009-03-21 02:32 --------- d-----w c:\program files\Coupons
2009-03-21 02:28 --------- d-----w c:\documents and settings\User\Application Data\LimeWire
2009-03-18 23:52 --------- d-----w c:\program files\Common Files\Adobe
2009-03-13 15:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 00:50 --------- d-----w c:\program files\Safari
2009-03-08 00:45 --------- d-----w c:\program files\Common Files\Apple
2009-03-06 01:54 --------- d-----w c:\program files\Buildalot
2009-03-04 21:14 --------- d-----w c:\program files\LimeWire
2009-03-04 02:11 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-17 19:14 --------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-02-17 19:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-16 18:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-16 15:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 00:30 --------- d-----w c:\documents and settings\User\Application Data\AVGTOOLBAR
2009-02-16 00:04 --------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-02-16 00:03 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-15 21:17 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-15 21:17 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-15 21:16 --------- d-----w c:\program files\AVG
2009-02-15 21:16 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-15 20:55 --------- d-----w c:\program files\Yahoo!
2009-02-15 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 16:57 --------- d-----w c:\documents and settings\User\Application Data\TheScruffs
2009-02-04 05:53 --------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2009-02-03 22:05 --------- d-----w c:\program files\Jewel Quest 2
2009-02-03 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\Amazon
2009-02-03 02:03 --------- d-----w c:\documents and settings\User\Application Data\Kodak
2009-02-03 01:43 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-01-31 21:28 --------- d-----w c:\program files\Mystery Case Files - Madame Fate
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2004-08-06 2502656]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"cdloader"="c:\documents and settings\User\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2007-04-20 181896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-15 1601304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-15 17:17 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=giaxpj.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\User\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-15 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-15 298264]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-17 266240]
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [2007-04-20 632456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-05 24652]
S1 hidparsee;hidparsee;c:\windows\system32\drivers\hidparsee.sys --> c:\windows\system32\drivers\hidparsee.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\phone\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1910237b-928d-11dd-b62c-001321f4fb2a}]
\Shell\AutoRun\command - G:\PMB_Portable.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-03-17 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt _RegistrationOffer@16 []
.
- - - - ORPHANS REMOVED - - - -

BHO-{3663B765-F46D-4C77-9F3F-A09ED6D043DC} - c:\windows\system32\efcDVmNG.dll
WebBrowser-{9210542E-CB2E-4771-A704-D5173248A900} - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: aol.com\free
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\o3070gvw.default\
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 13:00:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\User\Application Data\Skype\shally4291\dc.lock 0 bytes
c:\documents and settings\User\Application Data\Skype\shally4291\main.lock 0 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\dimsntfy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-24 13:02:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-24 17:02:33

Pre-Run: 58,442,018,816 bytes free
Post-Run: 58,658,713,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

224 --- E O F --- 2009-03-15 15:52:39

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:25 AM

Posted 24 March 2009 - 01:45 PM

Hi shally429,

Who uses this computer? Your family, or only you, your parents, brothers or sisters?

sorry it took so long to respond. i uninstalled all the old java programs and installed the update you told me to. here is the combofix log. thank you again



Please DO NOT use text messaging in your replies. Use capitals and normal English.

Edited by SifuMike, 24 March 2009 - 01:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 shally429

shally429
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 27 March 2009 - 12:04 PM

My husband and I are the only ones who use this computer. Thank you

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:25 AM

Posted 28 March 2009 - 09:44 PM

Hi Shally429,

Sorry for such a long wait. I did not get a message that you posted a reply.

Uninstall Coupons via add/remove programs.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: Posted Image) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\cpnprt2.cid
c:\windows\system32\drivers\hidparsee.sys
E:\autorun.exe

Folder::
c:\program files\Coupons

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

Driver::
hidparsee


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#7 shally429

shally429
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 02 April 2009 - 02:28 PM

Thank you, here is the log..

ComboFix 09-04-01.01 - User 2009-04-02 15:15:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.508 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\cpnprt2.cid
c:\windows\system32\drivers\hidparsee.sys
E:\autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coupons
c:\program files\Coupons\uninstall.exe
F:\autorun.inf
E:\autorun.exe . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HIDPARSEE
-------\Service_hidparsee


((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-01 10:07 . 2009-04-01 10:07 <DIR> d-------- c:\documents and settings\User\.clipbak
2009-04-01 10:06 . 2009-04-01 10:06 <DIR> d-------- c:\documents and settings\User\Application Data\Cycling '74
2009-03-27 21:07 . 2009-03-27 21:07 <DIR> d-------- c:\program files\iTunes
2009-03-27 21:07 . 2009-03-27 21:07 <DIR> d-------- c:\program files\iPod
2009-03-27 21:07 . 2009-03-27 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-27 21:05 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-24 12:46 . 2009-03-24 12:46 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-24 12:21 . 2009-03-25 12:14 <DIR> d-------- c:\program files\Big Kahuna Reef
2009-03-24 12:21 . 2009-02-19 17:20 57,344 --a------ c:\windows\system32\Big Kahuna Reef.scr
2009-03-23 14:36 . 2009-03-23 14:36 <DIR> dr-h----- C:\MSOCache
2009-03-15 17:12 . 2009-03-15 17:12 <DIR> d-------- c:\windows\aim95
2009-03-15 17:12 . 2004-08-04 08:00 112,128 --a------ c:\windows\system32\mapi32bak.dll
2009-03-15 17:11 . 2009-03-15 17:12 <DIR> d-------- c:\program files\Netscape
2009-03-15 17:11 . 2001-10-17 04:31 634,065 --a------ c:\windows\cd32.exe
2009-03-15 17:11 . 2001-10-17 02:20 61,952 --a------ c:\windows\system32\nabapi32.dll
2009-03-13 11:44 . 2009-03-13 11:44 <DIR> d-------- c:\program files\PayPal
2009-03-13 11:43 . 2009-03-13 11:43 <DIR> d-------- c:\documents and settings\User\Application Data\InstallShield
2009-03-07 20:42 . 2009-03-07 20:43 <DIR> d-------- c:\program files\QuickTime
2009-03-07 20:24 . 2009-03-07 20:24 <DIR> d-------- c:\program files\Bonjour
2009-03-06 22:15 . 2009-03-06 22:15 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-06 22:15 . 2009-03-06 22:15 <DIR> d-------- c:\documents and settings\User\Application Data\YouDataAIR.CDA5CEB063BC2A22C44BAA035F25F65FCCDA2208.1
2009-03-04 14:58 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-03-04 14:58 . 2008-04-13 11:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-03-03 10:59 . 2009-03-03 22:02 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\MPK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 19:24 --------- d-----w c:\documents and settings\User\Application Data\mjusbsp
2009-04-01 18:47 --------- d-----w c:\documents and settings\User\Application Data\skypePM
2009-04-01 18:47 --------- d-----w c:\documents and settings\User\Application Data\Skype
2009-03-28 01:48 --------- d-----w c:\documents and settings\User\Application Data\LimeWire
2009-03-28 01:07 --------- d-----w c:\program files\Common Files\Apple
2009-03-25 00:52 --------- d-----w c:\documents and settings\User\Application Data\OpenOffice.org2
2009-03-24 16:37 --------- d-----w c:\program files\Java
2009-03-24 16:26 --------- d-----w c:\program files\The Scruffs
2009-03-18 23:52 --------- d-----w c:\program files\Common Files\Adobe
2009-03-13 15:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 00:50 --------- d-----w c:\program files\Safari
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 01:54 --------- d-----w c:\program files\Buildalot
2009-03-04 21:14 --------- d-----w c:\program files\LimeWire
2009-03-04 02:11 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-28 19:04 --------- d-----w c:\program files\Common Files\Skype
2009-02-28 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-28 19:04 --------- d-----r c:\program files\Skype
2009-02-17 19:14 --------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-02-17 19:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-16 18:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-16 15:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 00:30 --------- d-----w c:\documents and settings\User\Application Data\AVGTOOLBAR
2009-02-16 00:04 --------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-02-16 00:03 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-15 21:17 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-15 21:17 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-15 21:16 --------- d-----w c:\program files\AVG
2009-02-15 21:16 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-15 20:55 --------- d-----w c:\program files\Yahoo!
2009-02-15 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 16:57 --------- d-----w c:\documents and settings\User\Application Data\TheScruffs
2009-02-04 05:53 --------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2009-02-03 22:05 --------- d-----w c:\program files\Jewel Quest 2
2009-02-03 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\Amazon
2009-02-03 02:03 --------- d-----w c:\documents and settings\User\Application Data\Kodak
2009-02-03 01:43 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
.

((((((((((((((((((((((((((((( SnapShot@2009-03-24_13.01.51.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-28 01:08:30 102,400 ----a-r c:\windows\Installer\{C26B06A9-27BB-45B0-9873-9C623EC2BA38}\iTunesIco.exe
- 2008-04-17 20:12:54 15,464 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2009-01-15 16:19:36 23,848 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
- 2001-11-05 16:23:14 6,097 ----a-w c:\windows\system32\drivers\sonyhcb.sys
+ 2001-11-05 13:23:14 6,097 ----a-w c:\windows\system32\drivers\sonyhcb.sys
- 2001-11-05 16:23:20 38,739 ----a-w c:\windows\system32\drivers\sonyhcc.sys
+ 2001-11-05 13:23:20 38,739 ----a-w c:\windows\system32\drivers\sonyhcc.sys
- 2001-11-05 16:23:52 299,923 ----a-w c:\windows\system32\drivers\sonyhcs.sys
+ 2001-11-05 13:23:52 299,923 ----a-w c:\windows\system32\drivers\sonyhcs.sys
- 2002-10-16 05:41:06 102,220 ----a-w c:\windows\system32\drivers\sonypvs1.sys
+ 2002-10-16 02:41:06 102,220 ----a-w c:\windows\system32\drivers\sonypvs1.sys
+ 2008-04-17 16:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspi.dll
+ 2009-01-15 16:19:36 23,848 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspiWDM.sys
+ 2009-03-06 03:59:00 36,864 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_AF109929C2381E41FEF454F3FEDAA257A9E85F92\usbaapl.sys
+ 2009-03-06 03:59:00 1,900,544 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_AF109929C2381E41FEF454F3FEDAA257A9E85F92\usbaaplrc.dll
- 2008-04-17 20:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll
+ 2008-04-17 16:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll
- 2001-07-04 03:33:00 53,248 ----a-w c:\windows\system32\SONYHCY.DLL
+ 2001-07-04 00:33:00 53,248 ----a-w c:\windows\system32\SONYHCY.DLL
- 2009-03-24 16:54:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_728.dat
+ 2009-04-02 19:18:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_728.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2004-08-06 2502656]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"cdloader"="c:\documents and settings\User\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2007-04-20 181896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-15 1601304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-15 17:17 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\User\\Application Data\\mjusbsp\\magicJack.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-15 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-15 298264]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-17 266240]
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [2007-04-20 632456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-05 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1910237b-928d-11dd-b62c-001321f4fb2a}]
\Shell\AutoRun\command - G:\PMB_Portable.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-03-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt _RegistrationOffer@16 []
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: aol.com\free
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\o3070gvw.default\
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 15:23:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\documents and settings\User\Application Data\mjusbsp\st00000\mjsetup.exe
c:\documents and settings\User\Application Data\mjusbsp\magicJack.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\PayPal\PayPal Plug-In\RBroker.exe
.
**************************************************************************
.
Completion time: 2009-04-02 15:26:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 19:26:43
ComboFix2.txt 2009-03-24 17:02:37

Pre-Run: 58,695,147,520 bytes free
Post-Run: 58,724,835,328 bytes free

236 --- E O F --- 2009-03-15 15:52:39
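
As an added example (not part of this thread, and not ComboFix's or Gmer's own code), the small Python helper below reads a ComboFix-style log like the one above and pulls out the items a helper would check before calling the cleanup finished: files ComboFix reported it could not delete, the driver/service entries it removed, any MountPoints2 key that still carries a Shell\AutoRun\command (the removable-drive autorun vector the CFScript in post #6 targets), and the catchme "hidden files" count. It relies only on the line formats visible in the posted logs; the sample log embedded in it is a constructed excerpt modelled on those posts.

```python
"""Triage helper for ComboFix-style log text.

Added example for this thread; it is not ComboFix's own code and relies only on
the line formats visible in the logs posted above.  SAMPLE_LOG is a constructed
excerpt modelled on those logs.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\program files\\Coupons
c:\\program files\\Coupons\\uninstall.exe
F:\\autorun.inf
E:\\autorun.exe . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\\Legacy_HIDPARSEE
-------\\Service_hidparsee

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{1910237b-928d-11dd-b62c-001321f4fb2a}]
\\Shell\\AutoRun\\command - G:\\PMB_Portable.exe
.
scan completed successfully
hidden files: 0
"""

# "<path> . . . . failed to delete": ComboFix marks files it could not remove.
FAILED_RE = re.compile(r"^(?P<path>.+?)\s+(?:\.\s*)+failed to delete\s*$")
# "-------\Service_hidparsee": a driver/service entry ComboFix removed.
DRIVER_RE = re.compile(r"^-------\\(?P<name>\S+)\s*$")
# Registry key header of a removable-drive MountPoints2 entry.
MOUNTPOINT_RE = re.compile(r"^\[.*\\mountpoints2\\(?P<id>[^\]]+)\]$", re.IGNORECASE)
# The AutoRun command recorded under such a key (next non-empty line).
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE)
# catchme summary line at the end of the rootkit scan.
HIDDEN_RE = re.compile(r"^hidden files:\s*(?P<n>\d+)\s*$", re.MULTILINE)


def failed_deletions(log: str) -> List[str]:
    """Paths ComboFix reported it could not delete (still present after the run)."""
    found = []
    for line in log.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found


def removed_drivers(log: str) -> List[str]:
    """Driver/service registry entries ComboFix removed."""
    found = []
    for line in log.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            found.append(m.group("name"))
    return found


def autorun_mountpoints(log: str) -> List[Tuple[str, str]]:
    """(volume id, command) pairs for MountPoints2 keys that carry an AutoRun command."""
    lines = [l.strip() for l in log.splitlines()]
    found = []
    for i, line in enumerate(lines):
        key = MOUNTPOINT_RE.match(line)
        if not key:
            continue
        for nxt in lines[i + 1:]:  # command sits on the next non-empty line, if at all
            if not nxt:
                continue
            cmd = AUTORUN_RE.match(nxt)
            if cmd:
                found.append((key.group("id"), cmd.group("cmd")))
            break
    return found


def hidden_file_count(log: str) -> Optional[int]:
    """catchme's hidden-file count, or None if the scan summary is absent."""
    m = HIDDEN_RE.search(log)
    return int(m.group("n")) if m else None


def triage(log: str) -> Dict[str, object]:
    """Summarise the log; needs_followup is True when the cleanup is not finished."""
    failed = failed_deletions(log)
    autoruns = autorun_mountpoints(log)
    hidden = hidden_file_count(log)
    return {
        "failed_deletions": failed,
        "removed_drivers": removed_drivers(log),
        "autorun_mountpoints": autoruns,
        "hidden_files": hidden,
        # A leftover file, a live AutoRun command or a hidden file all mean more work.
        "needs_followup": bool(failed or autoruns or (hidden or 0) > 0),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the sample above the helper flags two things the posted log also shows: E:\autorun.exe survived the deletion pass, and the G: volume's MountPoints2 key still points at an executable, so a follow-up pass (or unplugging and re-checking the removable drives) is warranted even though catchme found no hidden files.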

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:25 AM

Posted 02 April 2009 - 05:14 PM

Hi shally429,

Please post a Hijackthis log (not the DSS log) and tell me how the computer is running.

Edited by SifuMike, 02 April 2009 - 05:14 PM.


#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:25 AM

Posted 11 April 2009 - 04:13 PM

Due to inactivity, this thread will now be closed.



