
Need help removing a few things *logs inside*


  • This topic is locked
4 replies to this topic

#1 JustinR

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 28 March 2009 - 07:59 AM

Hello,
I have a few problems with my machine, and they have come at a pretty bad time. I have run several scans, and below are my logs for each.

Windows XP Professional
SP2
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:23 AM, on 3/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Main\Desktop\New Folder (11)\RootAlyzer.exe
C:\Documents and Settings\Main\Desktop\New Folder (10)\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Main\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-130] C:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [el] "C:\WINDOWS\system32\regsvr32.exe" /u /s "C:\WINDOWS\system32\el32.dll"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Main\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Main\reader_s.exe (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: SmarThru4 Capture Selection - C:\Program Files\SmarThru 4\WebCapture.dll2.htm
O8 - Extra context menu item: SmarThru4 Save as HTML - C:\Program Files\SmarThru 4\WebCapture.dll1.htm
O8 - Extra context menu item: SmarThru4 Save Selected Text - C:\Program Files\SmarThru 4\WebCapture.dll.htm
O8 - Extra context menu item: SmarThru4 Web Capture - C:\Program Files\SmarThru 4\WebCapture.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237125074609
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9441 bytes
ComboFix 09-03-27.02 - Main 2009-03-28 8:19:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2698 [GMT -5:00]
Running from: c:\documents and settings\Main\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Main\reader_s.exe
c:\windows\system32\7.tmp
c:\windows\system32\9.tmp
c:\windows\system32\A.tmp
c:\windows\system32\B.tmp
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\ejgvjbp.dll
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\reader_s.exe
c:\windows\Tasks\At1.job

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IXWAROYH
-------\Service_ixwaroyh
-------\Service_PCIDump


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-28 08:09 . 2009-03-28 08:09 162,304 --a------ c:\windows\system32\18.tmp
2009-03-28 08:09 . 2009-03-28 08:09 29,696 --a------ c:\windows\system32\1A.tmp
2009-03-28 08:09 . 2009-03-28 08:09 128 --a------ c:\windows\system32\16.tmp
2009-03-28 07:57 . 2009-03-28 07:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-28 07:57 . 2009-03-28 08:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-28 07:52 . 2009-03-28 07:52 162,304 --a------ c:\windows\system32\15.tmp
2009-03-28 07:52 . 2009-03-28 07:52 31,744 --a------ c:\windows\system32\17.tmp
2009-03-28 07:52 . 2009-03-28 07:52 128 --a------ c:\windows\system32\12.tmp
2009-03-28 00:04 . 2009-03-28 00:04 162,304 --a------ c:\windows\system32\C.tmp
2009-03-28 00:04 . 2009-03-28 00:04 28,672 --a------ c:\windows\system32\14.tmp
2009-03-27 21:08 . 2009-03-27 21:08 162,304 --a------ c:\windows\system32\11.tmp
2009-03-27 21:08 . 2009-03-27 22:08 24,465 --a------ c:\windows\system32\13.tmp
2009-03-27 21:08 . 2009-03-27 21:08 128 --a------ c:\windows\system32\F.tmp
2009-03-27 21:01 . 2009-03-27 21:04 162,304 --a------ c:\windows\system32\3.tmp
2009-03-27 21:01 . 2009-03-27 21:01 128 --a------ c:\windows\system32\2.tmp
2009-03-27 19:20 . 2009-03-27 19:20 162,304 --a------ c:\windows\system32\8.tmp
2009-03-27 19:20 . 2009-03-27 19:20 128 --a------ c:\windows\system32\6.tmp
2009-03-27 18:40 . 2009-03-27 18:40 162,304 --a------ c:\windows\system32\5.tmp
2009-03-27 18:40 . 2009-03-27 18:40 128 --a------ c:\windows\system32\4.tmp
2009-03-27 18:27 . 2009-03-27 18:27 162,304 --a------ c:\windows\system32\E.tmp
2009-03-27 18:27 . 2009-03-27 18:27 28,672 --a------ c:\windows\system32\10.tmp
2009-03-27 18:27 . 2009-03-27 18:27 128 --a------ c:\windows\system32\D.tmp
2009-03-27 18:12 . 2009-03-27 18:12 577,024 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-27 18:09 . 2009-03-27 18:09 <DIR> d-------- c:\windows\ERUNT
2009-03-27 18:05 . 2009-03-27 18:25 <DIR> d-------- C:\SDFix
2009-03-27 13:30 . 2009-03-27 13:30 0 --a------ C:\D.tmp
2009-03-27 13:27 . 2009-03-27 13:27 0 --a------ C:\C.tmp
2009-03-27 13:25 . 2009-03-28 08:22 0 --a------ c:\windows\lk00000000.tmp
2009-03-27 13:24 . 2009-03-27 13:24 0 --a------ C:\B.tmp
2009-03-27 12:45 . 2009-03-27 12:45 182,912 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-27 12:42 . 2009-03-27 16:14 36,864 --a------ c:\windows\system32\dpcxool64.sys
2009-03-27 12:41 . 2009-03-27 12:41 11,294 --a------ c:\windows\system32\BE0.tmp
2009-03-27 12:41 . 2009-03-27 12:41 124 --a------ c:\windows\system32\BDF.tmp
2009-03-27 12:40 . 2009-03-27 12:40 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-03-27 12:40 . 2009-03-27 12:40 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-03-27 12:39 . 2009-03-27 12:39 <DIR> d-------- c:\program files\Microsoft Xbox 360 Accessories
2009-03-27 12:39 . 2007-02-26 18:15 1,421,216 --a------ c:\windows\system32\WdfCoInstaller01001.dll
2009-03-27 12:39 . 2007-02-26 18:15 61,984 --a------ c:\windows\system32\drivers\xusb21.sys
2009-03-26 21:58 . 2009-03-26 21:58 <DIR> d-------- c:\program files\Common Files\NSV
2009-03-24 21:32 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-24 21:31 . 2009-03-24 21:31 <DIR> d-------- c:\program files\MSBuild
2009-03-24 21:31 . 2009-03-24 21:31 <DIR> d-------- c:\program files\Microsoft Works
2009-03-24 21:30 . 2009-03-24 21:30 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-24 21:29 . 2009-03-24 21:29 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-03-24 21:28 . 2009-03-24 21:30 <DIR> d-------- c:\windows\SHELLNEW
2009-03-24 21:28 . 2009-03-24 21:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-24 21:27 . 2009-03-24 21:27 <DIR> dr-h----- C:\MSOCache
2009-03-24 21:25 . 2009-03-24 21:25 <DIR> d-------- c:\program files\MagicISO
2009-03-23 18:17 . 2008-10-30 10:59 6,525,736 --a------ c:\windows\system32\WacomTablet.cpl
2009-03-23 18:17 . 2008-10-30 11:13 2,749,224 --a------ c:\windows\system32\Wacom_Tablet.exe
2009-03-23 18:17 . 2008-09-30 13:38 1,651,788 --a------ c:\windows\system32\WacomTablet.znc
2009-03-23 18:17 . 2008-10-30 11:00 182,056 --a------ c:\windows\system32\Wacom_Tablet.dll
2009-03-22 21:04 . 2009-03-22 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\licensecb
2009-03-22 21:04 . 2009-03-22 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrazyBump
2009-03-22 21:02 . 2009-03-22 21:03 <DIR> d--h----- c:\windows\msdownld.tmp
2009-03-22 21:02 . 2009-03-22 21:02 <DIR> d-------- c:\windows\Logs
2009-03-22 21:01 . 2009-03-22 21:01 <DIR> d-------- c:\program files\Crazybump
2009-03-22 19:07 . 2009-03-22 19:07 4 --a------ c:\windows\system32\ulfconfig0103.ulf
2009-03-22 19:06 . 2009-03-28 07:59 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-22 19:06 . 2009-03-22 19:06 <DIR> d-------- c:\program files\Pixologic
2009-03-22 18:32 . 2009-03-22 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2009-03-22 18:28 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2009-03-22 18:22 . 2009-03-22 18:22 <DIR> d-------- C:\3dsmax9Trial
2009-03-21 13:44 . 2009-03-21 13:44 <DIR> d-------- c:\windows\Sun
2009-03-21 13:40 . 2009-03-28 08:08 <DIR> d-------- c:\documents and settings\LocalService\Application Data\WTablet
2009-03-21 01:40 . 2009-03-21 01:40 <DIR> d-------- c:\program files\uTorrent
2009-03-21 01:40 . 2009-03-25 19:47 <DIR> d-------- c:\documents and settings\Main\Application Data\uTorrent
2009-03-21 00:26 . 2009-03-28 08:22 <DIR> d-------- c:\documents and settings\Main\Application Data\WTablet
2009-03-21 00:26 . 2008-12-11 09:57 4,222,760 --a------ c:\windows\system32\PenTablet.cpl
2009-03-21 00:26 . 2008-11-11 10:45 1,421,964 --a------ c:\windows\system32\PenTablet.znc
2009-03-21 00:26 . 2004-08-04 02:56 21,504 --a------ c:\windows\system32\hidserv.dll
2009-03-21 00:26 . 2004-08-04 02:56 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-03-21 00:25 . 2009-03-23 18:17 <DIR> d-------- c:\windows\system32\WTablet
2009-03-21 00:25 . 2009-03-23 18:17 <DIR> d-------- c:\program files\Tablet
2009-03-21 00:25 . 2008-12-11 10:11 2,749,736 --a------ c:\windows\system32\Pen_Tablet.exe
2009-03-21 00:25 . 2008-12-11 09:59 186,152 --a------ c:\windows\system32\Pen_Tablet.dll
2009-03-21 00:25 . 2008-12-11 09:50 172,840 --a------ c:\windows\system32\Wintab32.dll
2009-03-21 00:25 . 2008-10-06 10:53 15,656 --a------ c:\windows\system32\drivers\wacmoumonitor.sys
2009-03-21 00:25 . 2004-08-04 00:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-03-21 00:25 . 2004-08-04 00:58 14,848 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-03-21 00:25 . 2008-07-11 11:16 13,352 --a------ c:\windows\system32\drivers\wacomvhid.sys
2009-03-21 00:25 . 2007-02-15 16:11 11,440 --a------ c:\windows\system32\drivers\WacomVKHid.sys
2009-03-21 00:25 . 2007-02-16 11:12 11,312 --a------ c:\windows\system32\drivers\wacommousefilter.sys
2009-03-20 15:59 . 2009-03-20 16:38 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-20 00:43 . 2009-03-27 20:51 <DIR> d-------- c:\documents and settings\Main\Application Data\LimeWire
2009-03-20 00:42 . 2009-03-20 00:42 <DIR> d-------- c:\program files\Java
2009-03-20 00:42 . 2009-03-20 00:42 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-20 00:42 . 2009-03-20 00:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-20 00:40 . 2009-03-20 00:42 <DIR> d-------- c:\program files\LimeWire
2009-03-17 05:38 . 2009-03-17 05:38 <DIR> d-------- c:\windows\system32\drivers\Samsung
2009-03-17 05:38 . 2008-01-05 00:54 172,032 --a------ c:\windows\system32\sse1mci.exe
2009-03-17 05:38 . 2008-01-05 00:54 65,536 --a------ c:\windows\system32\sse1mci.dll
2009-03-17 05:38 . 2008-02-06 01:53 22,723 --a------ c:\windows\system32\sse1ml3.dll
2009-03-17 05:38 . 2008-02-05 23:54 556 --a------ c:\windows\system32\sse1ml3.smt
2009-03-16 23:54 . 2004-08-04 00:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-16 23:54 . 2004-08-04 00:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-16 23:53 . 2009-03-16 23:53 <DIR> d-------- c:\program files\Samsung
2009-03-16 23:53 . 2008-01-03 22:50 131,072 --a------ c:\windows\WiaInst.exe
2009-03-16 23:22 . 2009-03-16 23:22 <DIR> d-------- c:\program files\SmarThru 4
2009-03-16 23:22 . 2009-03-16 23:22 <DIR> d-------- c:\program files\Readiris10
2009-03-16 23:22 . 2009-03-16 23:22 <DIR> d-------- c:\program files\Common Files\SRC Shared
2009-03-16 23:22 . 2009-03-16 23:22 <DIR> d-------- c:\documents and settings\Main\Application Data\SmarThru4
2009-03-16 23:21 . 2009-03-17 05:37 <DIR> d-------- c:\temp\SCX-4300
2009-03-16 23:21 . 2009-03-16 23:21 <DIR> d-------- C:\Temp
2009-03-16 22:33 . 2004-08-04 01:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-03-16 22:33 . 2004-08-04 01:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-03-16 22:32 . 2004-08-04 01:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-03-16 22:32 . 2004-08-04 01:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-03-16 12:37 . 2009-03-16 12:37 <DIR> d-------- c:\program files\iTunes
2009-03-16 12:37 . 2009-03-16 12:37 <DIR> d-------- c:\program files\iPod
2009-03-16 12:37 . 2009-03-16 12:51 <DIR> d-------- c:\documents and settings\Main\Application Data\Apple Computer
2009-03-16 12:37 . 2009-03-16 12:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 12:37 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-16 12:37 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 12:36 . 2009-03-16 12:36 <DIR> d-------- c:\program files\Apple Software Update
2009-03-16 12:36 . 2009-03-21 22:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-16 12:35 . 2009-03-16 12:35 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-16 12:35 . 2009-03-16 12:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-16 00:01 . 2009-03-16 00:01 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-15 18:24 . 2009-03-15 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-15 18:14 . 2009-03-16 12:36 <DIR> d-------- c:\program files\QuickTime
2009-03-15 17:43 . 2007-02-20 16:04 2,463,976 --a------ c:\windows\system32\NPSWF32.dll
2009-03-15 17:43 . 2007-02-20 16:04 190,696 --a------ c:\windows\system32\NPSWF32_FlashUtil.exe
2009-03-15 17:36 . 2009-03-16 12:37 <DIR> d-------- c:\program files\Bonjour
2009-03-15 17:32 . 2009-03-15 17:32 <DIR> d-------- c:\program files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 13:08 98,304 ----a-w c:\windows\DUMP8b57.tmp
2009-03-27 17:45 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-17 04:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 17:53 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-15 14:53 47,616 ----a-w c:\windows\system32\drivers\Haspnt.sys
2009-03-15 14:50 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-15 14:11 --------- d-----w c:\program files\WinTV
2009-03-15 07:53 --------- d-----w c:\program files\ANI
2009-03-15 07:52 --------- d-----w c:\program files\D-Link
2009-03-15 07:51 335,872 ----a-w c:\windows\HideWin.exe
2009-03-15 07:51 --------- d-----w c:\program files\Realtek
2009-03-15 07:50 --------- d-----w c:\documents and settings\Main\Application Data\InstallShield
2009-03-15 07:43 --------- d-----w c:\documents and settings\Main\Application Data\Redemption
2009-03-15 07:37 --------- d-----w c:\program files\microsoft frontpage
2009-03-15 06:22 --------- d-----w c:\program files\AoA Audio Extractor
2009-03-15 06:22 --------- d-----w c:\documents and settings\Main\Application Data\vlc
2009-03-15 06:20 --------- d-----w c:\program files\VideoLAN
2009-03-15 06:16 --------- d-----w c:\documents and settings\Main\Application Data\Winamp
2009-03-15 06:15 --------- d-----w c:\program files\Audacity
2009-03-15 05:55 --------- d-----w c:\program files\Lame for Audacity
2009-03-15 04:51 --------- d-----w c:\program files\ffdshow
2009-03-15 04:33 --------- d-----w c:\program files\Common Files\IviSDK
2009-03-15 04:05 --------- d-----w c:\program files\Winamp
2009-03-15 03:56 --------- d-----w c:\program files\SystemRequirementsLab
2009-02-05 11:20 38,400 ----a-w c:\windows\system32\drivers\DgivEcp.sys
.

------- Sigcheck -------

2002-08-29 07:00 167552 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
2009-03-27 12:45 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-03-27 12:45 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2004-08-04 02:56 1049600 e35335c7aacd52027d8078b8f3660552 c:\windows\explorer.exe
2002-08-29 07:00 1020928 99ebcaba33fa023e33c58a7856840633 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 02:56 1049088 725eb9f5c937d0f9dc40fa41107f300b c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-13 19:12 1050624 4f73d388f32ba209d7e9de65c6f8a753 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe

2002-08-29 07:00 30208 97abfc0fc0c2681bdad9e6a212adcf6d c:\windows\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 02:56 32256 d89110c0d970cc45309bfd4ae6cd7947 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32256 1d1a315d5bbe6e1a3bba7f374a77db92 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
2004-08-04 02:56 32256 8a4e1e56f8e4a4d604f583d2c4241c9b c:\windows\system32\ctfmon.exe

2002-08-29 07:00 38912 4a55ff7cc2a07f30ecb676e4fc6da63d c:\windows\$NtServicePackUninstall$\userinit.exe
2004-08-04 02:56 41472 81ce47424cfe99c3eb9e0679ebe08fe6 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43520 aa2adac329cf008415f5796e37150b54 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
2004-08-04 02:56 41472 8afc275041e083de11ba76f946a441fc c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 69632]
"D-Link D-Link Wireless N DWA-130"="c:\program files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe" [2008-03-20 1695744]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 55296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-20 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"el"="c:\windows\system32\el32.dll" [2008-03-03 78336]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 175104]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-10-11 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2009-03-15 127031]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-01-15 11:19 86016 c:\windows\system32\nvmctray.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS3\\Flash.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Crazybump\\cb.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-03-15 13696]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-03-21 2749736]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-23 2749224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-03-15 45132]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-03-15 560896]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-03-21 15656]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2009-03-14 1464672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5d3c8ff-1134-11de-897d-d76e00b1392a}]
\Shell\AutoRun\command - H:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-28 c:\windows\Tasks\el.job
- c:\windows\system32\regsvr32.exe [2004-08-04 02:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9E4759A9-1E84-48B3-9D60-C58208E9AE01} - c:\windows\system32\ejgvjbp.dll
HKCU-Run-reader_s - c:\documents and settings\Main\reader_s.exe
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
HKU-Default-Run-reader_s - c:\windows\system32\config\systemprofile\reader_s.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\SmarThru 4\WebCapture.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\86xvmlds.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 08:23:01
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

c:\windows\explorer.exe [1408] 0x89CFB958

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\7.tmp 128 bytes
c:\windows\system32\9.tmp 28573 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\services.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-03-28 8:26:20 - machine was rebooted [Main]
ComboFix-quarantined-files.txt 2009-03-28 13:26:16

Pre-Run: 265,796,694,016 bytes free
Post-Run: 265,763,000,320 bytes free

330







SDFix: Version 1.240
Run by Main on Fri 03/27/2009 at 06:13 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
protect

Path :
System32\drivers\protect.sys

protect - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\w.exe - Deleted
C:\WINDOWS\system32\4.tmp - Deleted
C:\WINDOWS\system32\5.tmp - Deleted
C:\WINDOWS\system32\6.tmp - Deleted
C:\WINDOWS\system32\8.tmp - Deleted
C:\WINDOWS\system32\A.tmp - Deleted
C:\WINDOWS\system32\B.tmp - Deleted
C:\WINDOWS\system32\D.tmp - Deleted
C:\A.tmp - Deleted
C:\WINDOWS\services.exe - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted
C:\WINDOWS\system32\ndetect.exe - Deleted
C:\WINDOWS\system32\drivers\protect.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 18:24:02
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

wuauclt.exe [1752]

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:8b,e0,53,78,90,14,42,3b,a8,f7,a5,e9,07,ca,34,35,e1,89,12,43,60,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,75,f0,15,7b,e2,36,00,9b,75,dc,9e,c3,53,ba,c5,52,0b,..
"khjeh"=hex:28,51,6c,aa,c0,ca,c9,35,0f,3c,bf,27,7f,48,28,d3,3b,a7,7c,67,ac,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:95,7f,53,84,b9,38,e6,21,06,0d,09,61,75,3b,5d,04,7a,a6,f4,ad,66,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:8b,e0,53,78,90,14,42,3b,a8,f7,a5,e9,07,ca,34,35,e1,89,12,43,60,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,75,f0,15,7b,e2,36,00,9b,75,dc,9e,c3,53,ba,c5,52,0b,..
"khjeh"=hex:28,51,6c,aa,c0,ca,c9,35,0f,3c,bf,27,7f,48,28,d3,3b,a7,7c,67,ac,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:95,7f,53,84,b9,38,e6,21,06,0d,09,61,75,3b,5d,04,7a,a6,f4,ad,66,..

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"="C:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe:*:Enabled:Maya"
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"="C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe:*:Enabled:Unreal Tournament 3"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Adobe\\Adobe Flash CS3\\Flash.exe"="C:\\Program Files\\Adobe\\Adobe Flash CS3\\Flash.exe:*:Enabled:Adobe Flash CS3"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Crazybump\\cb.exe"="C:\\Program Files\\Crazybump\\cb.exe:*:Enabled:crazybump"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 5 Aug 2001 724 ..SH. --- "C:\Program Files\Pixologic\ZBrush3\zmem02svr.dll"

Finished!





-----------------------------------------------------------------------------------------------


a-squared Web Malware Scanner v. 4.0

Scan settings:

Objects: Memory, Traces, Cookies
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 3/28/2009 8:53:18 AM

c:\windows\services.exe detected: Trace.File.Backdoor.Prorat.RC!A2
Key: HKEY_CURRENT_USER\software\kazaa detected: Trace.Registry.KaZaA!A2
C:\Documents and Settings\Main\Cookies\main@advertising[1].txt detected: Trace.TrackingCookie.advertising!A2
C:\Documents and Settings\Main\Cookies\main@atdmt[1].txt detected: Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\Main\Cookies\main@bs.serving-sys[1].txt detected: Trace.TrackingCookie.bs.serving-sys!A2
C:\Documents and Settings\Main\Cookies\main@serving-sys[2].txt detected: Trace.TrackingCookie.serving-sys!A2
C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\86xvmlds.default\cookies.sqlite:1238248201609377 detected: Trace.TrackingCookie.zedo!A2

Scanned

Files: 2638
Traces: 326490
Cookies: 1226
Processes: 60

Found

Files: 0
Traces: 2
Cookies: 5
Processes: 0

Scan end: 3/28/2009 8:54:58 AM
Scan time: 12:01:40 AM








These items constantly come up in Spybot and never get removed.



I have also run the Windows Security online virus scanner.
Any help would be greatly appreciated.



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:06 PM

Posted 28 March 2009 - 12:18 PM

Hello JustinR,

Not good. :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 JustinR

JustinR
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 28 March 2009 - 06:26 PM

Well, that sucks. Thanks for your help, I appreciate it. Looks like I gotta reformat.

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:06 PM

Posted 28 March 2009 - 06:30 PM

Yes, I'm sorry. :thumbup2: There really is no other way. :) If there was, believe me, I'd do it.

tea

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:06 PM

Posted 04 April 2009 - 06:21 AM

This topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



