Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Redirecting While Using Internet Explorer


  • Please log in to reply
12 replies to this topic

#1 Fraking PC!!

Fraking PC!!

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona
  • Local time:12:17 PM

Posted 02 June 2007 - 02:31 PM

Please help me. I've been reading through the various forums to try and diagnose what exactly is/has happend to my computer. Best as I can recall all of my problems happend after my computer attempted a windows update. The first thing that appeared to happen was I had malware change the appearance of my desktop from my assigned background to a new bright red one...when other programs were going into startup after rebooting I still could see the orignal background on the edges...whenever I attempted to reset the background it would reset back to the red background as a "default". I would try and attempt to use the windows task manager and find out what was still running (it prevented me from opening taskmananger), and try to open the internet (force me to a default "Spyware removal software to buy"... didn't do that....so I used my other computer to start reviewing what to do.....

I have downloaded "Smitfraud", AVG anti-spy, VundoFix, CCleaner, ComboFix, HijackThis.....


So far the machine does not show the damn "windows alert" taskbar triangle....saying I have spyware and adware affecting computer performance....

Once the taskbar was cleaned. I would get "popup" showing that windows had detected a WIN32.trojan.rx. Over the course of time, this has been remove and is no longer showing up.

THe new problem appears to be whenever I open or move to new interntet pages, the system forces me to an adware/spyware removal "page" and I have to use the back button and re-select my intended page.


In my searches....one thing has popped up repeatedly and will not come of my machine....Backdoor.small.os (have not been able to find out what it is or how to get rid of it).

My most recent Hijack Report is shown below. Please help me determine the next course of action....

Thanks in advance.



Logfile of HijackThis v1.99.1
Scan saved at 11:46:16 AM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\NovaStor\NovaBackup\NSENGINE.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\Program Files\DeskMates\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Tavia DeskMate.LNK = C:\Program Files\DeskMates\Tavia\Tavia.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145856458406
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B3921A1-BA2A-45B7-ABBD-BA258C950BF2}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{222D3ABD-ED10-47B5-9E7B-3E8CB4984AB8}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2EE2ABE-7371-47DF-9FF0-DD5E43080EF5}: NameServer = 194.54.90.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B3921A1-BA2A-45B7-ABBD-BA258C950BF2}: NameServer = 194.54.90.226
O17 - HKLM\System\CS3\Services\Tcpip\..\{1B3921A1-BA2A-45B7-ABBD-BA258C950BF2}: NameServer = 194.54.90.226
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NsEngine - Unknown owner - C:\Program Files\NovaStor\NovaBackup\NSENGINE.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 02 June 2007 - 03:25 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Fraking PC!! :thumbsup:

My name is Richie and i'll be helping you to fix your problems.

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


**************************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply,along with a new Hijackthis log.
Posted Image
Posted Image

#3 Fraking PC!!

Fraking PC!!
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona
  • Local time:12:17 PM

Posted 02 June 2007 - 04:03 PM

Thanks for the help....attached below is the Combofix report:

"Joshua Knutson" - 2007-06-02 13:41:37 Service Pack 2 NTFS
ComboFix 07-06-2.5.Ex - Running from: "C:\Documents and Settings\Joshua Knutson\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 )))))))))))))))))))))))))))))))


2007-06-02 11:45 <DIR> d-------- C:\hijackthis
2007-06-02 10:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-02 09:43 <DIR> d-------- C:\VundoFix Backups
2007-06-01 19:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-01 19:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-01 19:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-31 21:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-31 21:23 <DIR> d-------- C:\Program Files\CCleaner
2007-05-31 21:08 4,670 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-31 20:57 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-31 19:22 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-05-31 19:22 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-05-31 19:22 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-31 19:22 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-05-31 19:22 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-05-31 19:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-05-31 19:22 <DIR> d-------- C:\DOCUME~1\JOSHUA~1\APPLIC~1\PC Tools
2007-05-31 19:21 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-31 18:43 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-05-31 18:38 <DIR> dr-h----- C:\DOCUME~1\Guest\APPLIC~1\yahoo!
2007-05-31 18:37 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-05-31 18:35 786,432 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Real
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\HotSync
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Help
2007-05-31 18:26 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-05-31 08:11 12 --a------ C:\WINDOWS\system32\sl.bin
2007-05-31 08:10 9,728 --a------ C:\WINDOWS\2020search.dll
2007-05-31 08:10 32,768 --a------ C:\WINDOWS\cdsm32.dll
2007-05-31 08:10 31,488 --a------ C:\WINDOWS\stcloader.exe
2007-05-31 08:10 28,416 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-05-31 08:10 28,416 --a------ C:\WINDOWS\saiemod.dll
2007-05-31 08:10 27,648 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-05-31 08:10 25,088 --a------ C:\WINDOWS\system32\msdn_lib.dll
2007-05-31 08:10 24,832 --a------ C:\WINDOWS\voiceip.dll
2007-05-31 08:10 23,808 --a------ C:\WINDOWS\mssvr.exe
2007-05-31 08:10 23,808 --a------ C:\WINDOWS\2020search2.dll
2007-05-31 08:10 21,248 --a------ C:\WINDOWS\180ax.exe
2007-05-31 08:10 20,992 --a------ C:\WINDOWS\satmat.exe
2007-05-31 08:10 20,480 --a------ C:\WINDOWS\vxddsk.exe
2007-05-31 08:10 20,224 --a------ C:\WINDOWS\updatetc.exe
2007-05-31 08:10 20,224 --a------ C:\WINDOWS\swin32.dll
2007-05-31 08:10 19,200 --a------ C:\WINDOWS\bjam.dll
2007-05-31 08:10 18,944 --a------ C:\WINDOWS\flt.dll
2007-05-31 08:10 18,432 --a------ C:\WINDOWS\mspphe.dll
2007-05-31 08:10 16,128 --a------ C:\WINDOWS\bi.dll
2007-05-31 08:10 14,848 --a------ C:\WINDOWS\7search.dll
2007-05-31 08:10 12,800 --a------ C:\WINDOWS\Biprep.exe
2007-05-31 08:10 12,544 --a------ C:\WINDOWS\system32\wml.exe
2007-05-31 08:10 12,544 --a------ C:\WINDOWS\pbar.dll
2007-05-31 08:10 12,032 --a------ C:\WINDOWS\bokja.exe
2007-05-31 08:10 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-05-31 08:10 11,520 --a------ C:\WINDOWS\wml.exe
2007-05-31 08:10 10,752 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-05-31 08:10 10,240 --a------ C:\WINDOWS\salm.exe
2007-05-29 17:58 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-05-29 17:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-29 17:57 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-05-29 17:57 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-25 20:43 1 --a------ C:\WINDOWS\system32\ps.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 18:37:12 288 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000006-00001102-00000004-10071102}.dat
2007-06-02 18:37:12 288 ----a-w C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000004-10071102}.dat
2007-05-30 15:36:00 -------- d-----w C:\Program Files\DeskMates
2007-05-06 21:35:39 -------- d-----w C:\Program Files\AutoCAD 2002
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-18 20:19:39 551 ----a-w C:\WINDOWS\checkip.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{38847C4B-1AB1-4A47-9026-9A6CF7B43D31}=C:\WINDOWS\system32\msdn_lib.dll [2007-05-31 08:10]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2006-10-12 11:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"pccguide.exe"="C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe" [2003-10-27 16:45]
"PCCClient.exe"="C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe" [2003-10-27 16:36]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe" [2003-10-27 16:40]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 12:31]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 10:18]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 02:00]
"CTHelper"="CTHELPER.EXE" [2002-12-18 23:59 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 02:04]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe" [2003-09-19 21:23]
"NovaBackup 7 Tray Control"="C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe" [2004-01-09 17:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 21:25]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2002-05-29 01:23]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38]
"DeskMateAutoUpdate"="C:\Program Files\DeskMates\DeskMateAutoUpdate.exe" [2007-03-12 20:29]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 C:\WINDOWS\system32\ico.exe]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2003-12-13 11:07]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2006-06-07 14:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-08 18:04]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"@"="" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-12-03 08:17]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-11-20 06:10]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 10:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [2003-12-03 08:13]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 16:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05ab4bc6-6ffb-11da-a02d-000c7615d300}]
play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-02 13:43:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run?W?D~??A~????????????????????h?@?x?????B~D??????sx??s?^??????y??w????@@@????|D@@?????>??w?????;2?H??????|???|???????|L(?s?;2??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-02 13:44:27
C:\ComboFix-quarantined-files.txt ... 2007-06-02 13:44
C:\ComboFix2.txt ... 2007-06-02 10:04

--- E O F ---


Fixwareout.....

Note upon completion of the run.....i recieved the below:

Finished!
Note if you have internet connection problems find and double left click the registry file dnsbak.reg located in the root of the drive windows is installed (normaly c:\) and if you did be sure to mention it to your helper.
Next a text will open, post it for the forum helper.....



Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\""
"PCCClient.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\""
"Pop3trap.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"CTStartup"="\"C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /run"
"Ulead Photo Express Calendar Checker"="C:\\Program Files\\Ulead Systems\\Ulead Photo Express My Scrapbook 2.0\\calcheck.exe"
"NovaBackup 7 Tray Control"="\"C:\\Program Files\\NovaStor\\NovaBackup\\NbkCtrl.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Ink Monitor"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"DeskMateAutoUpdate"="C:\\Program Files\\DeskMates\\DeskMateAutoUpdate.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"USIUDF_Eject_Monitor"="C:\\Program Files\\Common Files\\Ulead Systems\\DVD\\USISrv.exe"
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SDTray"="\"C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
@=""
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RcMan.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»



ALSO....i was looking through the C: drive at files added at around the time when problems started to happen. There are a number of .dll files that all show the same date of modification......what had led me to looking at these files was the error messages that I had recieved at the starta about "msdn_lib.dll not found not found". I'm not sure if this will help.

#4 Fraking PC!!

Fraking PC!!
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona
  • Local time:12:17 PM

Posted 02 June 2007 - 04:09 PM

oops. forgot the new hjt file.....

Logfile of HijackThis v1.99.1
Scan saved at 2:09:23 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NovaStor\NovaBackup\NSENGINE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\Program Files\DeskMates\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Tavia DeskMate.LNK = C:\Program Files\DeskMates\Tavia\Tavia.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145856458406
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NsEngine - Unknown owner - C:\Program Files\NovaStor\NovaBackup\NSENGINE.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 02 June 2007 - 05:47 PM

Click on Start/Control Panel/Add or Remove Programs and remove DeskMates if present,then restart your pc.

******************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\2020search.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\saiemod.dll
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\system32\msdn_lib.dll
C:\WINDOWS\voiceip.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\2020search2.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\wml.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\salm.exe

Folders to delete:
C:\Program Files\DeskMates

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

******************************

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\Program Files\DeskMates\DeskMateAutoUpdate.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab

Exit Hijackthis.

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#6 Fraking PC!!

Fraking PC!!
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona
  • Local time:12:17 PM

Posted 04 June 2007 - 10:17 PM

Removed/unistalled requested files.

Upon attempting to run Avenger, I recieved an error: Selected file does not appear to be a valid script. Then I got an error box saying error code 0 (zero)....(hence no report).


Ran Hijack and checked the selected files.

Launched SuperAntispyware after updating and followed directions and recieved this as the most recent log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/04/2007 at 07:57 PM

Application Version : 3.8.1002

Core Rules Database Version : 3248
Trace Rules Database Version: 1259

Scan type : Complete Scan
Total Scan Time : 00:55:21

Memory items scanned : 464
Memory threats detected : 0
Registry items scanned : 5675
Registry threats detected : 0
File items scanned : 42292
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@atdmt[1].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@serving-sys[1].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@mediaplex[1].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@zedo[1].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@ads.pointroll[1].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@msnportal.112.2o7[1].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@doubleclick[2].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@bs.serving-sys[2].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@questionmarket[1].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@tribalfusion[1].txt
C:\Documents and Settings\Joshua Knutson\Cookies\joshua knutson@revsci[2].txt

Trojan.Downloader-FakeRX
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FD7C95D7-5448-4FDB-986C-6243BF48F557}\RP783\A0072524.DLL

Now everything more or less works correctly, however whenever I start up explorer after a closing, I get an box that says basically my network connection is not recognized and to select work offline or retry (I selected retry to get on).....any thoughts?

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 05 June 2007 - 07:07 AM

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply,along with a new Hijackthis log please.
Posted Image
Posted Image

#8 Fraking PC!!

Fraking PC!!
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona
  • Local time:12:17 PM

Posted 06 June 2007 - 07:54 PM

Combo Fix Log:

"Joshua Knutson" - 2007-06-06 17:45:42 Service Pack 2 NTFS
ComboFix 07-06-2.5.Ex - Running from: "C:\Documents and Settings\Joshua Knutson\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-03 21:28 <DIR> d-------- C:\DOCUME~1\JOSHUA~1\APPLIC~1\Comodo
2007-06-03 21:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Comodo
2007-06-03 21:25 <DIR> d-------- C:\Program Files\Comodo
2007-06-03 14:23 6,912 --------- C:\WINDOWS\system32\drivers\FlashSys.sys
2007-06-03 14:23 18,359 --------- C:\WINDOWS\system32\Ntaccess.sys
2007-06-02 19:12 <DIR> d-------- C:\Avenger
2007-06-02 19:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-02 19:06 <DIR> d-------- C:\DOCUME~1\JOSHUA~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-02 19:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
2007-06-02 19:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 15:17 <DIR> d-------- C:\WINDOWS\CSC
2007-06-02 13:47 7,145 --a------ C:\dnsbak.reg
2007-06-02 11:45 <DIR> d-------- C:\hijackthis
2007-06-02 10:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-02 09:43 <DIR> d-------- C:\VundoFix Backups
2007-06-01 19:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-01 19:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-01 19:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-31 21:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-31 21:23 <DIR> d-------- C:\Program Files\CCleaner
2007-05-31 21:08 4,670 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-31 20:57 630,784 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-31 19:21 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-31 18:43 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-05-31 18:38 <DIR> dr-h----- C:\DOCUME~1\Guest\APPLIC~1\yahoo!
2007-05-31 18:37 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-05-31 18:35 573,440 --a------ C:\DOCUME~1\Guest\NTUSER.DAT
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Real
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\HotSync
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Help
2007-05-31 18:26 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-05-31 08:11 12 --a------ C:\WINDOWS\system32\sl.bin
2007-05-31 08:10 9,728 --a------ C:\WINDOWS\2020search.dll
2007-05-31 08:10 28,416 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-05-31 08:10 28,416 --a------ C:\WINDOWS\saiemod.dll
2007-05-31 08:10 27,648 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-05-31 08:10 23,808 --a------ C:\WINDOWS\mssvr.exe
2007-05-31 08:10 20,992 --a------ C:\WINDOWS\satmat.exe
2007-05-31 08:10 20,480 --a------ C:\WINDOWS\vxddsk.exe
2007-05-31 08:10 20,224 --a------ C:\WINDOWS\updatetc.exe
2007-05-31 08:10 20,224 --a------ C:\WINDOWS\swin32.dll
2007-05-31 08:10 19,200 --a------ C:\WINDOWS\bjam.dll
2007-05-31 08:10 18,944 --a------ C:\WINDOWS\flt.dll
2007-05-31 08:10 18,432 --a------ C:\WINDOWS\mspphe.dll
2007-05-31 08:10 14,848 --a------ C:\WINDOWS\7search.dll
2007-05-31 08:10 12,800 --a------ C:\WINDOWS\Biprep.exe
2007-05-31 08:10 12,544 --a------ C:\WINDOWS\system32\wml.exe
2007-05-31 08:10 12,544 --a------ C:\WINDOWS\pbar.dll
2007-05-31 08:10 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-05-31 08:10 11,520 --a------ C:\WINDOWS\wml.exe
2007-05-31 08:10 10,752 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-05-31 08:10 10,240 --a------ C:\WINDOWS\salm.exe
2007-05-29 17:58 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-05-29 17:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-29 17:57 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-05-29 17:57 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-25 20:43 1 --a------ C:\WINDOWS\system32\ps.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-05 18:28:26 288 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000006-00001102-00000004-10071102}.dat
2007-06-05 18:28:26 288 ----a-w C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000004-10071102}.dat
2007-06-03 21:25:41 -------- d-----w C:\Program Files\Setup Files
2007-06-03 21:23:07 -------- d-----w C:\Program Files\MSI
2007-06-03 00:34:49 -------- d-----w C:\Program Files\DeskMates
2007-05-06 21:35:39 -------- d-----w C:\Program Files\AutoCAD 2002
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-18 20:19:39 551 ----a-w C:\WINDOWS\checkip.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2006-10-12 11:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 12:31]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 10:18]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 02:00]
"CTHelper"="CTHELPER.EXE" [2002-12-18 23:59 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 02:04]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe" [2003-09-19 21:23]
"NovaBackup 7 Tray Control"="C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe" [2004-01-09 17:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 21:25]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2002-05-29 01:23]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 C:\WINDOWS\system32\ico.exe]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2003-12-13 11:07]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-08 18:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 11:10]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2007-01-17 17:01]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-03 21:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"@"="" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-12-03 08:17]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-11-20 06:10]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 10:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [2003-12-03 08:13]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 16:10]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\SetupWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05ab4bc6-6ffb-11da-a02d-000c7615d300}]
play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 17:47:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run?W?D~??A~????????????????????h?@?x?????B~D??????sx??s????????y??w????@@@????|D@@?????>??w?????;2?H??????|???|???????|L(?s?;2??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-06 17:48:49
C:\ComboFix-quarantined-files.txt ... 2007-06-06 17:48
C:\ComboFix2.txt ... 2007-06-02 13:44
C:\ComboFix3.txt ... 2007-06-02 10:04

--- E O F ---


HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:51:35 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\NovaStor\NovaBackup\NSENGINE.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145856458406
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NsEngine - Unknown owner - C:\Program Files\NovaStor\NovaBackup\NSENGINE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 07 June 2007 - 05:03 AM

Find and delete:
C:\Program Files\DeskMates

********************************

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\2020search.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\saiemod.dll
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\system32\msdn_lib.dll
C:\WINDOWS\voiceip.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\2020search2.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\wml.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\salm.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

******************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

Restart your pc.
Post a new Hijackthis log please.
Let me know how its going now.
Posted Image
Posted Image

#10 Fraking PC!!

Fraking PC!!
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona
  • Local time:12:17 PM

Posted 07 June 2007 - 02:17 PM

When I ran the OTmoveIT, I recieved multiple messages saying:

The Application or DLL c:\windows\2020search.dll is not a valid Windows image. Please check this against your installation diskette. (no otion but to click ok), this happened on about ten items or so. Once the program was completed the files showed that they were moved but not registered??? Don't know if that helps any.....

I ran the ATFCleaner without any apparent problems, the end notice said that it freed ~37 MB.



The New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:37 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\NovaStor\NovaBackup\NSENGINE.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145856458406
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NsEngine - Unknown owner - C:\Program Files\NovaStor\NovaBackup\NSENGINE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 07 June 2007 - 02:45 PM

Your log looks clean,please rescan with Combofix and post the entire contents of C:\Combofix.txt
Let me know how your pc is running now.
Posted Image
Posted Image

#12 Fraking PC!!

Fraking PC!!
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona
  • Local time:12:17 PM

Posted 07 June 2007 - 09:16 PM

Most recent Combofix log:

"Joshua Knutson" - 2007-06-07 18:28:32 Service Pack 2 NTFS
ComboFix 07-06-2.5.Ex - Running from: "C:\Documents and Settings\Joshua Knutson\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-03 21:28 <DIR> d-------- C:\DOCUME~1\JOSHUA~1\APPLIC~1\Comodo
2007-06-03 21:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Comodo
2007-06-03 21:25 <DIR> d-------- C:\Program Files\Comodo
2007-06-03 14:23 6,912 --------- C:\WINDOWS\system32\drivers\FlashSys.sys
2007-06-03 14:23 18,359 --------- C:\WINDOWS\system32\Ntaccess.sys
2007-06-02 19:12 <DIR> d-------- C:\Avenger
2007-06-02 19:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-02 19:06 <DIR> d-------- C:\DOCUME~1\JOSHUA~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-02 19:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
2007-06-02 19:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 15:17 <DIR> d-------- C:\WINDOWS\CSC
2007-06-02 13:47 7,145 --a------ C:\dnsbak.reg
2007-06-02 11:45 <DIR> d-------- C:\hijackthis
2007-06-02 10:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-02 09:43 <DIR> d-------- C:\VundoFix Backups
2007-06-01 19:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-01 19:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-01 19:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-31 21:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-31 21:23 <DIR> d-------- C:\Program Files\CCleaner
2007-05-31 21:08 4,670 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-31 20:57 630,784 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-31 19:21 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-31 18:43 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-05-31 18:38 <DIR> dr-h----- C:\DOCUME~1\Guest\APPLIC~1\yahoo!
2007-05-31 18:37 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-05-31 18:35 573,440 --a------ C:\DOCUME~1\Guest\NTUSER.DAT
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Real
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\HotSync
2007-05-31 18:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Help
2007-05-31 08:11 12 --a------ C:\WINDOWS\system32\sl.bin
2007-05-31 08:10 18,944 --a------ C:\WINDOWS\flt.dll
2007-05-31 08:10 18,432 --a------ C:\WINDOWS\mspphe.dll
2007-05-31 08:10 14,848 --a------ C:\WINDOWS\7search.dll
2007-05-31 08:10 12,800 --a------ C:\WINDOWS\Biprep.exe
2007-05-31 08:10 12,544 --a------ C:\WINDOWS\system32\wml.exe
2007-05-29 17:58 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-05-29 17:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-29 17:57 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-05-29 17:57 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-25 20:43 1 --a------ C:\WINDOWS\system32\ps.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-05 18:28:26 288 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000006-00001102-00000004-10071102}.dat
2007-06-05 18:28:26 288 ----a-w C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000004-10071102}.dat
2007-06-03 21:25:41 -------- d-----w C:\Program Files\Setup Files
2007-06-03 21:23:07 -------- d-----w C:\Program Files\MSI
2007-05-06 21:35:39 -------- d-----w C:\Program Files\AutoCAD 2002
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-18 20:19:39 551 ----a-w C:\WINDOWS\checkip.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2006-10-12 11:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 12:31]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 10:18]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 02:00]
"CTHelper"="CTHELPER.EXE" [2002-12-18 23:59 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 02:04]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe" [2003-09-19 21:23]
"NovaBackup 7 Tray Control"="C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe" [2004-01-09 17:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 21:25]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2002-05-29 01:23]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 C:\WINDOWS\system32\ico.exe]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2003-12-13 11:07]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-08 18:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 11:10]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2007-01-17 17:01]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-03 21:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"@"="" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-12-03 08:17]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-11-20 06:10]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 10:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [2003-12-03 08:13]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 16:10]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\SetupWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05ab4bc6-6ffb-11da-a02d-000c7615d300}]
play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 18:30:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run?W?D~??A~????????????????????h?@?x?????B~D??????sx??s????????y??w????@@@????|D@@?????>??w?????;2?H??????|???|???????|L(?s?;2??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 18:31:12
C:\ComboFix-quarantined-files.txt ... 2007-06-07 18:30
C:\ComboFix2.txt ... 2007-06-06 17:48
C:\ComboFix3.txt ... 2007-06-02 13:44

--- E O F ---

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 08 June 2007 - 06:58 AM

Download Killbox by Option^Explicit:
http://download.bleepingcomputer.com/spyware/KillBox.zip
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\mspphe.dll
C:\WINDOWS\7search.dll
C:\WINDOWS\Biprep.exe
C:\WINDOWS\system32\wml.exe


Return to Killbox,go to the File menu,and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically,please restart it manually.

After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

********************

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1.Once Counterspy has done scanning,the 'Scan Results' box will appear.
2.Click on 'View Results'.
3.Under (Recommended Action),using the drop down menus at the side of each entry found,set EVERYTHING to 'Remove'.
4.Then click on 'Take Action'.
5.Once everything has been removed,click on 'View Details'.
6.Copy and Paste those details into your next reply.

Edited by RichieUK, 08 June 2007 - 06:58 AM.

Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users