
Can anyone confirm removal of nasty wdmaud.sys virus?


6 replies to this topic

#1 Lincoln Adams (Members, 5 posts)

Posted 04 April 2009 - 02:10 PM

I had to deal with a very nasty malware that hijacked my browser searches, crippled my AV, crashed Firefox, crippled access to regedit and stole my FTP passwords resulting in my website being hacked and injected with malicious PHP code similar to the fake Yahoo Counter exploit.

I managed to clean the system by renaming Regedit and running it from the desktop to remove the wdmaud.sys once I learned about it, then using ComboFix and finally Malwarebytes' Anti-Malware and Avast to sweep the system to make sure nothing was left. Just to make sure, I'd like someone with more expertise to take a look at my logs and see if there's any potential issues that might remain.

Here's the DDS log (the Attach.txt file has been attached). I also have the ComboFix log if anyone would like to look at this as well:


DDS (Ver_09-03-16.01) - NTFSx86
Run by John Smith at 14:40:15.83 on Sat 04/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.173 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090403-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Outlock\Outlock.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\twhirl\twhirl.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\YPOPs\ypops.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Documents and Settings\John Smith\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Touchstone: {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: Microsoft CommBand: {4d5c8c2a-d075-11d0-b416-00c04fb90376} - %SystemRoot%\system32\Browseui.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &ATI TV: {44226dff-747e-4edc-b30c-78752e50cd0c} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AtiTrayTools] "c:\program files\ray adams\ati tray tools\atitray.exe"
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [FastUser] c:\windows\system32\fast.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\johns~1\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\docume~1\johns~1\startm~1\programs\startup\script~1.lnk - c:\program files\scripture reminder\sr20.exe
StartupFolder: c:\docume~1\johns~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\johns~1\startm~1\programs\startup\ypops.lnk - c:\program files\ypops\ypops.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\airmou~1.lnk - c:\program files\air mouse\air mouse\Air Mouse.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\outlock.lnk - c:\program files\outlock\Outlock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\twhirl.lnk - c:\program files\twhirl\twhirl.exe
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: NoInstrumentation = 0 (0x0)
IE: &WordWeb... - c:\windows\system32\wweb32.dll/lookup.html
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
IE: Subscribe to NewzCrawler - file://c:\program files\newzcrawler\context.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2253F320-AB68-4A07-917D-4F12D8884A06}
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092974381661
DPF: {8036B0D5-7572-443C-ACA0-620FBCC3F718} - hxxp://www.cuteupload.com/uploadtest/CuteUpload-Free.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.3419212963
DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} - hxxps://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} - hxxp://www.ksolo.com/playerBase/kSoloIEHDSD.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johns~1\applic~1\mozilla\firefox\profiles\default.srg\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys [2005-5-13 14531]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-2 114768]
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2006-9-17 13952]
R1 ntaspi32;ntaspi32;c:\windows\system32\drivers\NTASPI32.SYS [2002-3-28 23304]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-5-14 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-2 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-2 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-2 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-2 352920]
R3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [2002-3-26 223232]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2002-3-23 32840]
S2 gupdate1c8ef52e18830e0;Google Update Service (gupdate1c8ef52e18830e0);c:\program files\google\update\GoogleUpdate.exe [2008-7-26 133104]
S2 SvcHermes;Hermes EMail Server;c:\program files\alixoft\hermes\hermessvc.exe --> c:\program files\alixoft\hermes\HermesSvc.exe [?]
S3 jnv4_mib;jnv4_mib;\??\c:\docume~1\johns~1\locals~1\temp\jnv4_mib.sys --> c:\docume~1\johns~1\locals~1\temp\jnv4_mib.sys [?]
S3 ovudfu01;ovudfu01;c:\windows\system32\drivers\atirwrf.sys --> c:\windows\system32\drivers\ATIRWRF.SYS [?]
S3 USTOR;U-Storage Controller;c:\windows\system32\drivers\UStork.sys [2004-8-6 20218]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;\??\c:\windows\system32\zdbrgsys.sys --> c:\windows\system32\ZDBRGSYS.SYS [?]

=============== Created Last 30 ================

2009-04-03 19:15 <DIR> --d----- c:\program files\twhirl
2009-04-03 16:09 <DIR> --d----- c:\program files\Air Mouse
2009-04-03 03:12 4,958,588 a------- c:\windows\{00000000-00000000-0000000C-00001102-00000004-20021102}.BAK
2009-04-02 16:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 16:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 16:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-02 15:41 <DIR> a-dshr-- C:\cmdcons
2009-04-02 15:40 161,792 a------- c:\windows\SWREG.exe
2009-04-02 15:40 98,816 a------- c:\windows\sed.exe
2009-04-02 12:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-02 12:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-02 12:56 <DIR> --d----- c:\docume~1\johns~1\applic~1\SUPERAntiSpyware.com
2009-04-02 11:05 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-04-02 10:17 <DIR> --d----- c:\docume~1\johns~1\applic~1\Malwarebytes
2009-04-02 10:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-21 15:23 <DIR> --d----- c:\docume~1\johns~1\applic~1\BOXEE
2009-03-21 15:22 <DIR> --d----- c:\program files\Boxee
2009-03-16 10:51 <DIR> --d----- c:\program files\iPod
2009-03-16 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 10:50 <DIR> --d----- c:\program files\iTunes
2009-03-16 10:44 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-14 15:37 <DIR> --d----- c:\program files\AviSynth 2.5
2009-03-14 15:37 <DIR> --d----- c:\program files\Red Kawa
2009-03-13 00:37 <DIR> --d----- c:\program files\123 Video Converter
2009-03-12 10:57 <DIR> --d----- c:\program files\iPodRobot
2009-03-10 22:05 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-03-10 22:00 <DIR> --d--r-- c:\program files\Skype
2009-03-09 15:50 36,864 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-04-04 14:37 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-17 21:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-16 00:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2006-10-13 16:18 557,056 a------- c:\documents and settings\John Smith\chatlnk.exe
2007-02-21 01:32 80 ---shr-- c:\windows\system32\1DC052F4B4.dll
2008-08-30 22:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 14:41:29.65 ===============


Thanks for your help!


#2 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 04 April 2009 - 06:42 PM

Hello Lincoln Adams,


Yes, I would like to see the ComboFix report, please. :thumbup2:

We can check to be sure everything bad is gone from drivers32 :

Highlight and copy the contents inside the code box below:

cd desktop
reg query "HKLM\software\microsoft\windows nt\currentversion\drivers32" /s >look2.txt
start notepad look2.txt
exit
cls

Click Start > Run, and, in the Open area, type: cmd
Press: Enter to open a command window.
Right-click by the blinking cursor in the command window and select: Paste
The command window will close and a log will open on your Desktop.

Paste the look2.txt back here.

You need to clean up all that old Java. It leaves your computer vulnerable. Also, seeing how many old versions you have, you'll get back nearly a gig of space by getting rid of them. :)

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_13.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
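An added example, not part of this thread and not a BleepingComputer or ComboFix tool: a small Python script that reads the look2.txt produced by the reg query command in the post above and flags drivers32 entries that do not look like ordinary multimedia codec/driver mappings. The sample look2.txt is constructed (modelled on the layout reg.exe prints and on the drivers32 values in the ComboFix log later in the thread); the wdmaud.sys and temp-path rows are constructed anomalies, not entries from the poster's logs. The allow-list of module extensions (.acm, .dll, .drv) and the suspicious-path fragments are assumptions chosen for illustration.

```python
"""Audit a `reg query ...\\drivers32 /s > look2.txt` dump for odd entries.

Added example: parses reg.exe's text layout (unindented key lines followed by
indented "name  type  data" rows) and reports drivers32 values that point at a
module with an unexpected extension or at a user-writable profile/temp path.
"""
import sys
from typing import Dict, List, NamedTuple
import re


class RegValue(NamedTuple):
    key: str
    name: str
    type: str
    data: str


# Constructed sample in reg.exe's layout; the "aux" and "msacm.l3acm" rows are
# hypothetical anomalies added for the demonstration.
SAMPLE_LOOK2 = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    msacm.dvacm    REG_SZ    dvacm.acm
    VIDC.MJPG    REG_SZ    Pvmjpg21.dll
    VIDC.UYVY    REG_SZ    c:\windows\system32\msyuv.dll
    wave    REG_SZ    wdmaud.drv
    midi    REG_SZ    wdmaud.drv
    aux    REG_SZ    c:\windows\system32\wdmaud.sys
    msacm.l3acm    REG_SZ    c:\docume~1\user\locals~1\temp\l3codeca.acm

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server
    wave    REG_SZ    wdmaud.drv
"""

# Assumption: drivers32 maps codec/driver aliases to user-mode modules, so
# anything other than these extensions (a .sys kernel driver, for instance)
# is worth a second look.
EXPECTED_EXTENSIONS = {".acm", ".dll", ".drv"}

# Assumption: a multimedia driver module has no business living in a profile
# or temp directory.
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\local settings\\",
                             "\\documents and settings\\", "\\docume~1\\")

# Rows look like "    name    REG_SZ    data"; reg.exe separates the columns
# with runs of spaces (older builds use tabs), so split on either.
COLUMN_SPLIT = re.compile(r"\t|\s{2,}")


def parse_reg_query(text: str) -> List[RegValue]:
    """Turn reg query output into (key, name, type, data) records."""
    entries: List[RegValue] = []
    current_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.upper().startswith("HK"):
            current_key = raw.rstrip()          # new key header line
            continue
        if current_key is None:
            continue                            # preamble before the first key
        parts = COLUMN_SPLIT.split(raw.strip())
        if len(parts) < 3 or not parts[1].startswith("REG_"):
            continue                            # not a value row
        entries.append(RegValue(current_key, parts[0], parts[1],
                                " ".join(parts[2:])))
    return entries


def audit_drivers32(entries: List[RegValue]) -> List[Dict[str, object]]:
    """Return the drivers32 values that trip one of the heuristics above."""
    findings: List[Dict[str, object]] = []
    for entry in entries:
        if "drivers32" not in entry.key.lower():
            continue
        data = entry.data.strip('"').lower()
        module = data.rsplit("\\", 1)[-1]       # file name without directory
        ext = module[module.rfind("."):] if "." in module else ""
        reasons = []
        if ext not in EXPECTED_EXTENSIONS:
            reasons.append(f"unexpected module extension {ext or '(none)'}")
        if any(frag in data for frag in SUSPICIOUS_PATH_FRAGMENTS):
            reasons.append("module located under a user profile or temp directory")
        if reasons:
            findings.append({"key": entry.key, "name": entry.name,
                             "data": entry.data, "reasons": reasons})
    return findings


def audit_file(path: str) -> List[Dict[str, object]]:
    """Convenience wrapper: audit a look2.txt saved by the reg query command."""
    with open(path, "r", errors="replace") as handle:
        return audit_drivers32(parse_reg_query(handle.read()))


if __name__ == "__main__":
    results = (audit_file(sys.argv[1]) if len(sys.argv) > 1
               else audit_drivers32(parse_reg_query(SAMPLE_LOOK2)))
    for finding in results:
        print(f"{finding['name']} = {finding['data']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run it with the path to look2.txt to audit a real dump, or with no arguments to see the two constructed anomalies flagged; a hit only means "look closer", since a legitimately installed codec can also sit at an unusual path.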

#3 Lincoln Adams, Topic Starter (Members, 5 posts)

Posted 04 April 2009 - 07:50 PM

Thanks teacup!

OK, here is the ComboFix log, followed by the look2 log you also requested:


ComboFix 09-04-01.01 - John Smith 2009-04-02 15:46:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.637 [GMT -4:00]
Running from: c:\documents and settings\John Smith\Desktop\Combo-Fix.exe
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patch.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dzgtactx.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\mdm.exe
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wanpacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-02 12:56 . 2009-04-02 12:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-04-02 12:56 . 2009-04-02 12:56 <DIR> d-------- c:\documents and settings\John Smith\Application Data\SUPERAntiSpyware.com
2009-04-02 12:56 . 2009-04-02 12:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-02 11:05 . 2009-04-02 11:05 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-04-02 10:17 . 2009-04-02 10:17 <DIR> d-------- c:\documents and settings\John Smith\Application Data\Malwarebytes
2009-04-02 10:17 . 2009-04-02 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-02 01:09 . 2009-04-02 15:53 4,958,588 --a------ c:\windows\{00000000-00000000-0000000C-00001102-00000004-20021102}.BAK
2009-04-02 01:08 . 2009-04-02 01:08 <DIR> d-------- c:\program files\Alwil Software
2009-03-21 15:23 . 2009-03-21 15:23 <DIR> d-------- c:\documents and settings\John Smith\Application Data\BOXEE
2009-03-21 15:22 . 2009-03-21 15:23 <DIR> d-------- c:\program files\Boxee
2009-03-20 21:12 . 2009-03-20 21:12 <DIR> d-------- c:\program files\Air Mouse
2009-03-16 10:51 . 2009-03-16 10:51 <DIR> d-------- c:\program files\iPod
2009-03-16 10:50 . 2009-03-16 10:52 <DIR> d-------- c:\program files\iTunes
2009-03-16 10:50 . 2009-03-16 10:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 10:44 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-14 15:37 . 2009-03-14 15:37 <DIR> d-------- c:\program files\Red Kawa
2009-03-14 15:37 . 2009-03-14 20:19 <DIR> d-------- c:\program files\AviSynth 2.5
2009-03-13 00:41 . 2009-03-13 00:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-03-13 00:37 . 2009-03-14 20:20 <DIR> d-------- c:\program files\123 Video Converter
2009-03-12 10:57 . 2009-03-14 20:20 <DIR> d-------- c:\program files\iPodRobot
2009-03-10 22:05 . 2009-04-02 13:31 <DIR> d-------- c:\documents and settings\John Smith\Application Data\skypePM
2009-03-10 22:05 . 2009-03-10 22:05 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-10 22:01 . 2009-04-02 15:54 <DIR> d-------- c:\documents and settings\John Smith\Application Data\Skype
2009-03-10 22:00 . 2009-03-10 22:00 <DIR> dr------- c:\program files\Skype
2009-03-10 22:00 . 2009-03-10 22:00 <DIR> d-------- c:\program files\Common Files\Skype
2009-03-10 21:59 . 2009-03-10 22:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-03-09 15:51 . 2009-03-09 15:52 <DIR> d-------- c:\program files\QuickTime
2009-03-09 15:50 . 2009-03-16 10:51 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-09 15:50 . 2009-03-05 23:59 36,864 --a------ c:\windows\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 19:55 --------- d-----w c:\documents and settings\John Smith\Application Data\tor
2009-04-02 19:51 --------- d-----w c:\program files\YPOPs
2009-04-02 19:51 --------- d-----w c:\documents and settings\John Smith\Application Data\Vidalia
2009-04-02 19:38 --------- d-----w c:\program files\Eraser
2009-04-02 19:30 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-02 16:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-02 04:55 --------- d-----w c:\program files\WS-FTP Pro
2009-04-02 01:53 1,882,543 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-04-02 01:46 4,235,264 ----a-w c:\windows\Internet Logs\xDB9.tmp
2009-04-01 04:28 --------- d-----w c:\documents and settings\John Smith\Application Data\ATI MMC
2009-04-01 04:28 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC
2009-04-01 01:56 4,214,272 ----a-w c:\windows\Internet Logs\xDB8.tmp
2009-04-01 01:30 --------- d-----w c:\program files\Digsby
2009-03-29 02:59 --------- d-----w c:\program files\Last.fm
2009-03-23 20:44 --------- d-----w c:\program files\CARCare
2009-03-16 14:40 --------- d-----w c:\program files\Bonjour
2009-03-15 00:28 --------- d-----w c:\program files\G-Lock Software
2009-03-12 15:08 --------- d-----w c:\documents and settings\John Smith\Application Data\Apple Computer
2009-03-09 19:51 --------- d-----w c:\program files\Apple Software Update
2009-03-07 18:58 --------- d-----w c:\program files\bible
2009-03-03 01:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-12 19:00 --------- d-----w c:\program files\MyStrands
2009-02-11 04:37 --------- d-----w c:\program files\twhirl
2009-02-08 04:05 --------- d-----w c:\documents and settings\John Smith\Application Data\Move Networks
2009-02-06 02:28 --------- d-----w c:\program files\Google
2006-10-13 20:18 557,056 ----a-w c:\documents and settings\John Smith\chatlnk.exe
2007-02-21 05:32 80 --sh--r c:\windows\system32\1DC052F4B4.dll
2008-08-31 02:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-03-18 53248]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2007-08-02 11771392]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]
"Eraser"="c:\program files\Eraser\eraser.exe" [2006-12-25 643072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2006-09-19 514048]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-03-18 45132]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-28 344064]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"FastUser"="c:\windows\System32\fast.exe" [2001-10-08 49216]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2001-10-08 45632]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-07-09 36352]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-17 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"WINDVDPatch"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]

c:\documents and settings\John Smith\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2008-09-08 137728]
Scripture Reminder.lnk - c:\program files\Scripture Reminder\sr20.exe [2002-03-28 308553]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 4742184]
YPOPs.lnk - c:\program files\YPOPs\ypops.exe [2007-07-18 1331200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-02-16 269824]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-11-03 221247]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Outlock.lnk - c:\program files\Outlock\Outlock.exe [2000-09-04 416768]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
twhirl.lnk - c:\program files\twhirl\twhirl.exe [2009-02-11 95232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= dvacm.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.UYVY"= c:\windows\system32\msyuv.dll
"VIDC.YUY2"= ATIVYUY.DLL
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys [2005-05-13 14531]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2006-09-17 13952]
R1 ntaspi32;ntaspi32;c:\windows\system32\drivers\NTASPI32.SYS [2002-03-28 23304]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [2002-03-26 223232]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2002-03-23 32840]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S2 gupdate1c8ef52e18830e0;Google Update Service (gupdate1c8ef52e18830e0);c:\program files\Google\Update\GoogleUpdate.exe [2008-07-26 133104]
S2 SvcHermes;Hermes EMail Server;c:\program files\Alixoft\Hermes\HermesSvc.exe --> c:\program files\Alixoft\Hermes\HermesSvc.exe [?]
S3 jnv4_mib;jnv4_mib;\??\c:\docume~1\FRANKP~1\LOCALS~1\Temp\jnv4_mib.sys --> c:\docume~1\FRANKP~1\LOCALS~1\Temp\jnv4_mib.sys [?]
S3 ovudfu01;ovudfu01;c:\windows\system32\Drivers\ATIRWRF.SYS --> c:\windows\system32\Drivers\ATIRWRF.SYS [?]
S3 USTOR;U-Storage Controller;c:\windows\system32\drivers\UStork.sys [2004-08-06 20218]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;\??\c:\windows\system32\ZDBRGSYS.SYS --> c:\windows\system32\ZDBRGSYS.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-02 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-01 22:49]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ATI Launchpad - (no file)
HKCU-Run-WebCamRT.exe - (no file)
HKLM-Run-UStorag - c:\program files\u-storage tool\ustorage.exe
HKLM-Run-POINTER - point32.exe
Notify-avgrsstarter - avgrsstx.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &WordWeb... - c:\windows\system32\wweb32.dll/lookup.html
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
IE: Subscribe to NewzCrawler - file://c:\program files\NewzCrawler\context.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8036B0D5-7572-443C-ACA0-620FBCC3F718} - hxxp://www.cuteupload.com/uploadtest/CuteUpload-Free.cab
DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} - hxxp://www.ksolo.com/playerBase/kSoloIEHDSD.cab
FF - ProfilePath - c:\documents and settings\John Smith\Application Data\Mozilla\Firefox\Profiles\default.srg\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 15:53:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-854245398-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6166"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\EPSON\eEBAPI\eEBSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\Crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\program files\Microsoft Office\Office\OUTLOOK.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Vidalia Bundle\Tor\tor.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-04-02 16:01:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 20:01:18

Pre-Run: 36,495,593,472 bytes free
Post-Run: 36,387,450,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

339 --- E O F --- 2009-04-01 19:06:20




**********************************************************************


LOOK2.TXT LOG


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
VIDC.I420 REG_SZ msh263.drv
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
VIDC.IYUV REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
VIDC.YVYU REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.iac2 REG_SZ C:\WINDOWS\System32\iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
msacm.l3acm REG_SZ C:\WINDOWS\System32\l3codeca.acm
MSVideo8 REG_SZ VfWWDM32.dll
wave1 REG_SZ wdmaud.drv
mixer1 REG_SZ wdmaud.drv
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
wave2 REG_SZ wdmaud.drv
midi1 REG_SZ wdmaud.drv
mixer2 REG_SZ wdmaud.drv
wave3 REG_SZ wdmaud.drv
midi2 REG_SZ wdmaud.drv
mixer3 REG_SZ wdmaud.drv
msacm.dvacm REG_SZ dvacm.acm
VIDC.MP42 REG_SZ mpg4c32.dll
VIDC.MPG4 REG_SZ mpg4c32.dll
vidc.tscc REG_SZ tsccvid.dll
msacm.voxacm160 REG_SZ vct3216.acm
vidc.DIVX REG_SZ DivX.dll
wave4 REG_SZ wdmaud.drv
midi3 REG_SZ wdmaud.drv
mixer4 REG_SZ wdmaud.drv
wave5 REG_SZ wdmaud.drv
midi4 REG_SZ wdmaud.drv
mixer5 REG_SZ wdmaud.drv
wave6 REG_SZ wdmaud.drv
midi5 REG_SZ wdmaud.drv
mixer6 REG_SZ wdmaud.drv
wave7 REG_SZ wdmaud.drv
midi6 REG_SZ wdmaud.drv
mixer7 REG_SZ wdmaud.drv
wave8 REG_SZ wdmaud.drv
midi7 REG_SZ wdmaud.drv
mixer8 REG_SZ wdmaud.drv
wave9 REG_SZ wdmaud.drv
midi8 REG_SZ wdmaud.drv
mixer9 REG_SZ wdmaud.drv
midi9 REG_SZ wdmaud.drv
VIDC.MJPG REG_SZ Pvmjpg21.dll
VIDC.PIM1 REG_SZ pclepim1.dll
VIDC.UYVY REG_SZ C:\WINDOWS\system32\msyuv.dll
VIDC.YUY2 REG_SZ ATIVYUY.DLL
VIDC.YVU9 REG_SZ IYVU9_32.DLL
VIDC.VCR2 REG_SZ ATIVCR2.DLL
VIDC.DRAW REG_SZ DVIDEO.DLL
VIDC.VCR1 REG_SZ ATIVCR1.DLL
VIDC.YV12 REG_SZ ATIYUV12.DLL
VIDC.YU12 REG_SZ ATIYUV12.DLL
aux REG_SZ wdmaud.drv
VIDC.vp60 REG_SZ vp6vfw.dll
aux2 REG_SZ wdmaud.drv

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP
wave REG_SZ rdpsnd.dll
MaxBandwidth REG_DWORD 0x56b9
wavemapper REG_SZ msacm32.drv
EnableMP3Codec REG_DWORD 0x1
midimapper REG_SZ midimap.dll
mixer REG_SZ rdpsnd.dll


****************************************************************


I've since removed all the old javascript runtimes as you suggested. Why their installers do not automatically uninstall older versions is beyond me. :thumbup2:

#4 teacup61 (Malware Response Team)

Posted 04 April 2009 - 07:59 PM

Hello,

Good all around. :thumbup2: No .sys files in drivers32 at all, so you did good there.

I see some clutter lines in DDS, so please download HijackThis and we'll get rid of them. Also, please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Post that report in your reply. :) Still running all right then?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
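The check tea describes ("No .sys files in drivers32 at all") can be automated over a REG.EXE dump in the same line format as the LOOK2.TXT log above. This is an added example written for this thread, not output of any tool used in it; the dump it parses is constructed, and the `wave9 ... wdmaud.sys` line is a constructed stand-in for the infected mapping (a clean system maps the wave/midi/mixer/aux aliases to wdmaud.drv, as the real log shows). The second function generalises the same idea to any alias under the top-level drivers32 key that does not point at wdmaud.drv.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a "REG.EXE VERSION 3.0" dump of drivers32, in the
# same format as the LOOK2.TXT log in this thread. Only the "wave9" line is
# abnormal: it names a kernel driver (.sys) where a user-mode .drv belongs.
SAMPLE_DUMP = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
wave9 REG_SZ wdmaud.sys
aux REG_SZ wdmaud.drv

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\drivers32\\Terminal Server\\RDP
wave REG_SZ rdpsnd.dll
MaxBandwidth REG_DWORD 0x56b9
"""

# One value line of a REG.EXE 3.0 dump: <name> <REG_type> <data>
ENTRY_RE = re.compile(r"^(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<value>.*)$")

# Multimedia aliases that drivers32 maps to the WDM audio mapper on XP.
ALIAS_RE = re.compile(r"^(wave|midi|mixer|aux)\d*$", re.IGNORECASE)


def parse_reg_dump(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group (name, type, value) tuples under the registry key they belong to."""
    keys: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank or the REG.EXE banner
            continue
        if line.upper().startswith("HKEY_"):      # a key header starts a new group
            current = line
            keys.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group("name"), m.group("type"), m.group("value")))
    return keys


def find_sys_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, name, value) for every REG_SZ entry whose data names a .sys file.

    drivers32 is supposed to hold user-mode codecs and mappers (.drv, .dll, .acm,
    .ax); a kernel driver listed there is the sign this thread's helper looked for.
    """
    hits = []
    for key, entries in parse_reg_dump(text).items():
        for name, rtype, value in entries:
            if rtype == "REG_SZ" and value.strip().lower().endswith(".sys"):
                hits.append((key, name, value))
    return hits


def find_alias_mismatches(text: str, expected: str = "wdmaud.drv") -> List[Tuple[str, str]]:
    """Generalised check: under the top-level drivers32 key, every wave/midi/
    mixer/aux alias is expected to name wdmaud.drv (as in the LOOK2.TXT log).
    Anything else is returned for manual review. Subkeys such as the Terminal
    Server RDP key legitimately use rdpsnd.dll and are skipped."""
    out = []
    for key, entries in parse_reg_dump(text).items():
        if not key.lower().endswith("\\drivers32"):
            continue
        for name, _rtype, value in entries:
            if ALIAS_RE.match(name) and value.strip().lower() != expected.lower():
                out.append((name, value))
    return out


if __name__ == "__main__":
    for key, name, value in find_sys_entries(SAMPLE_DUMP):
        print(f"kernel driver in drivers32: {name} -> {value}  [{key}]")
    for name, value in find_alias_mismatches(SAMPLE_DUMP):
        print(f"alias not mapped to wdmaud.drv: {name} -> {value}")
```

Run it against a dump saved with `reg query "HKLM\software\microsoft\windows nt\currentversion\drivers32" /s` to get the same two findings lists for a real machine.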

#5 Lincoln Adams (Topic Starter)

Posted 05 April 2009 - 01:17 AM

No sign of the virus or any unusual behavior. Just a bit unnerved that it so easily managed to steal my FTP passwords. I hope that's as far as it got.

Here's my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:40 AM, on 4/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Outlock\Outlock.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\twhirl\twhirl.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\YPOPs\ypops.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\John Smith\My Documents\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Touchstone - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe
O4 - Startup: Scripture Reminder.lnk = C:\Program Files\Scripture Reminder\sr20.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Startup: YPOPs.lnk = C:\Program Files\YPOPs\ypops.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Air Mouse.lnk = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Outlock.lnk = C:\Program Files\Outlock\Outlock.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: twhirl.lnk = C:\Program Files\twhirl\twhirl.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O8 - Extra context menu item: Subscribe to NewzCrawler - file://C:\Program Files\NewzCrawler\context.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1092974381661
O16 - DPF: {8036B0D5-7572-443C-ACA0-620FBCC3F718} (Eversun Software CuteUpload Control(Free Edition)) - http://www.cuteupload.com/uploadtest/CuteUpload-Free.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/playerBase/kSoloIEHDSD.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c8ef52e18830e0) (gupdate1c8ef52e18830e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Hermes EMail Server (SvcHermes) - Unknown owner - C:\Program Files\Alixoft\Hermes\HermesSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://www.google.com/

--
End of file - 13485 bytes

#6 teacup61 (Malware Response Team)

Posted 05 April 2009 - 01:32 AM

Hi there,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: Touchstone - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE


Also, if you didn't set that O24 yourself, check it.

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

For the O24, if you checked it.....Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Are your other scans coming up clean then?

tea

#7 Lincoln Adams (Topic Starter)

Posted 05 April 2009 - 01:05 PM

Ok, completed all the tasks. I did another sweep with MAM and it reports clean. :D
