I've Got A Virus/trojan Problem, But Mcafee Can't Fix It!

This topic is locked
22 replies to this topic

#1 smtent379

Posted 20 June 2007 - 03:33 PM

Ok, here's the deal. I'm not sure what happened or how it did, but my pc has been infected with a number of trojans and viruses over the past few days. McAfee keeps finding them, but tells me it can't fix the problems. I've also had no luck with Spybot either. I was hoping someone here could help me. I've included a copy of my HijackThis log in this message. Please let me know what I need to do to get my pc running normally again. All of these extra popups and whatnot are driving me crazy! Thank you in advance for any help or advice you may give.

Logfile of HijackThis v1.99.1
Scan saved at 4:25:02 PM, on 06/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1178497581\ee\aolsoftware.exe
c:\program files\common files\aol\1178497581\ee\aim6.exe
c:\program files\common files\aol\1178497581\ee\anotify.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ldmypfkl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [ihqhgrsh.exe] C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1171511507640
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ldmypfkl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

#2 amateur

Malware Response Team

Posted 20 June 2007 - 07:43 PM

Hello and welcome to BC

You might like to print these instructions so that you'll have access to them later when you're in Safe Mode. Please follow the instructions in the order they are presented.

Click Download RogueRemover. Select "Save" and save to your desktop.

Please put RogueRemover in its own folder (I create a new folder in C:\ named RogueRemover).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder RogueRemover.

Go to where your RogueRemover.zip is and Right Click on RogueRemover.zip, select Cut, then open the new folder you just created (RogueRemover), Right Click in the folder and select Paste.

Double click on the file named RogueRemover.zip and unzip it to C:\RogueRemover

Double click on the file named RogueRemover.exe and select Scan.
The program will walk you through the remaining steps.

=================================

Please download SmitfraudFix (by S!Ri) to your Desktop. Do not run it yet.

=================================

Please download CCleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it. Do not scan with it yet.

======================================
  • Please download AVG Anti-Spyware and save it to your desktop.
  • Double click on avgas-setup-7.5.1.36.exe to install AVG Anti-Spyware. Install it in the default location.
  • Once installed, start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  • In the main screen, you should see Your Computer's Security.
    • Next to Resident Shield, click on Change state. It should now be Inactive.
    • Next to Automatic Updates, click on Change state. It should now be Inactive.
    • Next to Last Update, click on Update now. Should you be unable to update it, download the updates from here. Save it to your desktop. Double click to run the installation and the updates will be installed. Make sure AVG Anti-Spyware is closed during the installation.
    • Right-click the AVG Anti-Spyware icon near the clock and uncheck (untick) Start with Windows. Confirm by clicking Yes.
  • Now click on the Scanner button at the top.
  • Select the Settings tab.
  • Under How to act?, click on Recommended actions and select Quarantine.
  • Under How to scan?, check (tick) all the boxes.
  • Under Possibly unwanted software:, check (tick) all the boxes.
  • Under Reports, select Do not automatically generate reports
  • Under What to scan?, select Scan every file.
Do not run a scan yet.

======================================

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
=======================================

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

======================================

Next, go to Start > Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete, if present:
"Security Info"
"Warning Message"
"Security Desktop"
"Warning Homepage"
"Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

=====================================

From Safe Mode run CCleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run CCleaner for every user.

========================================

Still in Safe Mode:
  • Go to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  • Click on the Scanner button at the top.
  • Select the Scan tab.
  • Click on Complete System Scan to start the scan.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you have clicked the Apply all Actions button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

========================================

Reboot into Normal Mode.

=========================================

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file.

=========================================

Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply.
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
=========================================

Please post back the SmitfraudFix rapport.txt, AVG Anti-Spyware report, ComboFix.txt and a fresh HijackThis log.

Edited by amateur, 20 June 2007 - 07:45 PM.


#3 amateur

Malware Response Team

Posted 24 June 2007 - 12:05 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



Edit: Re-opened as per pm request.

Edited by amateur, 28 June 2007 - 06:45 AM.


#4 smtent379

Posted 29 June 2007 - 11:04 PM

Ok...here are all the requested logs. It doesn't seem like it worked, since I've still got all kinds of crazy popups...

SmitFraudFix v2.195

Scan done at 1:19:45.76, 06/28/2007
Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1FC3E0E1-32F2-4157-8AEC-8D9A0D4D5F55}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1FC3E0E1-32F2-4157-8AEC-8D9A0D4D5F55}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1FC3E0E1-32F2-4157-8AEC-8D9A0D4D5F55}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:52:13 AM 06/28/2007

+ Scan result:



C:\System Volume Information\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\RP531\A0069156.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Documents and Settings\Steve\Application Data\Ultimate Fixer -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\Documents and Settings\Steve\Application Data\Ultimate Fixer\backup -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\Documents and Settings\Steve\Application Data\Ultimate Fixer\logs -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\RP531\A0069155.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bghmtlux.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bmbtofnr.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cdrljrua.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ncyhxxmj.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xqnunibu.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\winwil32.dll.vir -> Trojan.Dialer.qn : Cleaned with backup (quarantined).


::Report end

ComboFix 07-06-21 - C:\Documents and Settings\Steve\Desktop\ComboFix.exe
"Steve" - 2007-06-28 2:58:14 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ooembhfj.dll
C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-28 00:27 128,576 --a--c--- C:\WINDOWS\system32\xfjxyycx.dll
2007-06-27 00:21 66,112 --a--c--- C:\WINDOWS\system32\vgmoiuxe.dll
2007-06-23 23:52 4,672 --a--c--- C:\WINDOWS\system32\ccsvekbe.exe
2007-06-21 00:34 49,152 --a--c--- C:\WINDOWS\nircmd.exe
2007-06-21 00:32 31,254 --a--c--- C:\WINDOWS\system32\gebaxuu.dll
2007-06-20 22:36 1,666 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-06-20 22:18 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-20 22:14 <DIR> d----c--- C:\Program Files\CCleaner
2007-06-20 22:06 <DIR> d----c--- C:\Program Files\RogueRemover
2007-06-18 21:48 <DIR> d----c--- C:\DOCUME~1\Steve\APPLIC~1\Ultimate Fixer
2007-06-18 20:48 <DIR> d----c--- C:\WINDOWS\system32\atwsettl
2007-06-18 17:50 286,208 --a--c--- C:\WINDOWS\system32\scchk32.exe
2007-06-18 17:47 57,344 --a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ihqhgrsh.exe
2007-06-09 02:31 <DIR> d----c--- C:\Program Files\Nero
2007-06-09 02:31 <DIR> d----c--- C:\Program Files\Common Files\Ahead
2007-06-09 02:31 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-08 21:55 56,832 --a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\twbutobw.exe
2007-06-08 15:12 35 --a--c--- C:\DOCUME~1\Steve\readme.bat
2007-06-08 14:55 <DIR> d----c--- C:\DOCUME~1\Steve\APPLIC~1\Ahead
2007-06-08 14:53 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-02 22:45 <DIR> d----c--- C:\DOCUME~1\Steve\Contacts
2007-06-02 22:43 <DIR> d----c--- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 02:33:30 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\uTorrent
2007-06-09 02:44:45 -------- dc----w C:\Program Files\Ahead
2007-06-07 04:04:55 -------- dc----w C:\Program Files\PokerStars
2007-06-07 04:01:18 -------- dc----w C:\Program Files\Common Files\Autodesk Shared
2007-06-07 04:00:16 -------- dc----w C:\Program Files\Apple Software Update
2007-05-26 23:01:15 -------- dc----w C:\Program Files\Common Files\Adaptec Shared
2007-05-23 05:17:19 -------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-05-23 05:16:32 -------- dc----w C:\Program Files\Microsoft ActiveSync
2007-05-23 05:16:01 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\Juniper Networks
2007-05-23 04:40:32 -------- dc----w C:\Program Files\LimeWire
2007-05-22 06:33:58 -------- dc----w C:\Program Files\Winamp
2007-05-16 22:19:52 133,168 -c--a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-05-16 22:19:50 11,568 -c--a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 13:42:22 972,336 -c--a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-05-15 13:45:14 972,336 -c--a-w C:\WINDOWS\UNNeroVision.exe
2007-05-10 21:04:42 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\MusicIP
2007-05-10 20:28:35 -------- dc----w C:\Program Files\Windows Media Connect 2
2007-05-07 00:27:20 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\acccore
2007-05-07 00:26:53 -------- dc----w C:\Program Files\Common Files\AOL
2007-05-07 00:26:44 -------- dc----w C:\Program Files\Common Files\Nullsoft
2007-05-07 00:26:19 -------- dc----w C:\Program Files\Common Files\aolshare
2007-05-05 04:13:23 -------- dc----w C:\Program Files\Yahoo!
2007-05-05 04:08:26 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\Aim
2007-05-05 04:08:16 -------- dc----w C:\Program Files\AIM
2007-05-05 04:07:45 -------- dc----w C:\Program Files\AOD
2007-04-25 14:21:15 144,896 -c--a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 20:42:50 972,336 -c--a-w C:\WINDOWS\UNRecode.exe
2007-04-18 16:12:23 2,854,400 -c--a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 -c--a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 -c--a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 -c--a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 -c--a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 -c--a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 04:47]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\vgmoiuxe.dll [2007-06-27 00:21]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{674DDFA6-BB3D-427B-961F-E9EEEF293004}=C:\WINDOWS\system32\gebaxuu.dll [2007-06-21 00:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]
"ihqhgrsh.exe"="C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe" [2007-06-18 17:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{674DDFA6-BB3D-427B-961F-E9EEEF293004}"="C:\WINDOWS\system32\gebaxuu.dll" [2007-06-21 00:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaxuu]
gebaxuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkjig]
nnnkjig.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Venturi 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Venturi 2.lnk
backup=C:\WINDOWS\pss\Venturi 2.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\caxchg]
C:\WINDOWS\caxchg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1178497581\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
C:\WINDOWS\shicoxp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
"C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
"C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbutobw.exe]
C:\Documents and Settings\All Users\Application Data\twbutobw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 03:06:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-28 3:10:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-28 03:10
C:\ComboFix2.txt ... 2007-06-21 00:51

--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 12:07:18 AM, on 06/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1178497581\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\common files\aol\1178497581\ee\aim6.exe
c:\program files\common files\aol\1178497581\ee\anotify.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Steve\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\jdoeyycw.dll",forkonce
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1171511507640
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ldmypfkl.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

#5 amateur
Malware Fighter, Malware Response Team, 2,775 posts

Posted 30 June 2007 - 05:45 AM

Hi,

Yes, you're still infected. I will be leaving on a long holiday starting next week. So, please respond to my posts as soon as you can because I would like to have this machine cleaned before I leave.

I notice that you are using LimeWire and uTorrent, P2P file-sharing programs. I would like to warn you that the nature of P2P file sharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware. Even if the program you use is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove them from your system via Add/Remove Programs in Control Panel.

====================================

Delete the present version of Combofix from your desktop and download this fresh copy as it has just recently been updated.

Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply and a fresh HijackThis log please.
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


#6 smtent379
Topic Starter, Members, 11 posts

Posted 01 July 2007 - 12:07 AM

Ok, here goes...

"Steve" - 2007-07-01 0:38:52 - ComboFix 07-07-01.3 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\qmpeqhgu.dll
C:\WINDOWS\system32\vgmoiuxe.dll
C:\WINDOWS\system32\wvffhsxy.dll
C:\WINDOWS\system32\xfjxyycx.dll
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\ughqepmq.ini
C:\WINDOWS\system32\xcyyxjfx.ini
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\ssqpq.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Steve\APPLIC~1.\Ultimate Fixer
C:\WINDOWS\system32\atwsettl
C:\WINDOWS\system32\atwsettl\bg1.gif
C:\WINDOWS\system32\atwsettl\bgtop.gif
C:\WINDOWS\system32\atwsettl\bottom1.gif
C:\WINDOWS\system32\atwsettl\essentials.gif
C:\WINDOWS\system32\atwsettl\icon1.ico
C:\WINDOWS\system32\atwsettl\install1.gif
C:\WINDOWS\system32\atwsettl\left1.gif
C:\WINDOWS\system32\atwsettl\li.gif
C:\WINDOWS\system32\atwsettl\logo.gif
C:\WINDOWS\system32\atwsettl\main.htm
C:\WINDOWS\system32\atwsettl\mainframe.htm
C:\WINDOWS\system32\atwsettl\reinstall1.gif
C:\WINDOWS\system32\atwsettl\right1.gif
C:\WINDOWS\system32\atwsettl\s1.htm
C:\WINDOWS\system32\atwsettl\s2.htm
C:\WINDOWS\system32\atwsettl\s3.htm
C:\WINDOWS\system32\atwsettl\SMTop1.gif
C:\WINDOWS\system32\atwsettl\SMTop2.gif
C:\WINDOWS\system32\atwsettl\SMTop3.gif
C:\WINDOWS\system32\atwsettl\SMTop4.gif
C:\WINDOWS\system32\atwsettl\soft1_off.gif
C:\WINDOWS\system32\atwsettl\soft1_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft1_on.gif
C:\WINDOWS\system32\atwsettl\soft1_on_ext.gif
C:\WINDOWS\system32\atwsettl\soft2_off.gif
C:\WINDOWS\system32\atwsettl\soft2_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft2_on.gif
C:\WINDOWS\system32\atwsettl\soft2_on_ext.gif
C:\WINDOWS\system32\atwsettl\soft3_off.gif
C:\WINDOWS\system32\atwsettl\soft3_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft3_on.gif
C:\WINDOWS\system32\atwsettl\soft3_on_ext.gif
C:\WINDOWS\system32\atwsettl\softbottom_off.gif
C:\WINDOWS\system32\atwsettl\softbottom_on.gif
C:\WINDOWS\system32\atwsettl\softleft_off.gif
C:\WINDOWS\system32\atwsettl\softleft_on.gif
C:\WINDOWS\system32\atwsettl\top1.gif
C:\WINDOWS\system32\atwsettl\top2.gif
C:\WINDOWS\system32\atwsettl\turnoff1.gif
C:\WINDOWS\system32\atwsettl\turnon1.gif
C:\WINDOWS\system32\drivers\etc\.protected


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


2007-06-23 23:52 4,672 --a--c--- C:\WINDOWS\system32\ccsvekbe.exe
2007-06-21 00:34 49,152 --a--c--- C:\WINDOWS\nircmd.exe
2007-06-20 22:36 1,666 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-06-20 22:18 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-20 22:14 <DIR> d----c--- C:\Program Files\CCleaner
2007-06-20 22:06 <DIR> d----c--- C:\Program Files\RogueRemover
2007-06-18 17:50 286,208 --a--c--- C:\WINDOWS\system32\scchk32.exe
2007-06-09 02:31 <DIR> d----c--- C:\Program Files\Nero
2007-06-08 15:12 35 --a--c--- C:\DOCUME~1\Steve\readme.bat
2007-06-08 14:55 <DIR> d----c--- C:\DOCUME~1\Steve\APPLIC~1\Ahead
2007-06-08 14:53 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-02 22:45 <DIR> d----c--- C:\DOCUME~1\Steve\Contacts
2007-06-02 22:43 <DIR> d----c--- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 02:33:30 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\uTorrent
2007-06-09 02:44:45 -------- dc----w C:\Program Files\Ahead
2007-06-07 04:04:55 -------- dc----w C:\Program Files\PokerStars
2007-06-07 04:01:18 -------- dc----w C:\Program Files\Common Files\Autodesk Shared
2007-06-07 04:00:16 -------- dc----w C:\Program Files\Apple Software Update
2007-05-26 23:01:15 -------- dc----w C:\Program Files\Common Files\Adaptec Shared
2007-05-23 05:17:19 -------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-05-23 05:16:32 -------- dc----w C:\Program Files\Microsoft ActiveSync
2007-05-23 05:16:01 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\Juniper Networks
2007-05-23 04:40:32 -------- dc----w C:\Program Files\LimeWire
2007-05-22 06:33:58 -------- dc----w C:\Program Files\Winamp
2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 21:04:42 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\MusicIP
2007-05-10 20:28:35 -------- dc----w C:\Program Files\Windows Media Connect 2
2007-05-07 00:27:20 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\acccore
2007-05-07 00:26:53 -------- dc----w C:\Program Files\Common Files\AOL
2007-05-07 00:26:44 -------- dc----w C:\Program Files\Common Files\Nullsoft
2007-05-07 00:26:19 -------- dc----w C:\Program Files\Common Files\aolshare
2007-05-05 04:13:23 -------- dc----w C:\Program Files\Yahoo!
2007-05-05 04:08:26 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\Aim
2007-05-05 04:08:16 -------- dc----w C:\Program Files\AIM
2007-05-05 04:07:45 -------- dc----w C:\Program Files\AOD
2007-04-25 14:21:15 144,896 -c--a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 -c--a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 -c--a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 -c--a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 -c--a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 -c--a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 -c--a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 04:47 50376 --a--c--- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a--c--- C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaxuu]
gebaxuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkjig]
nnnkjig.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Venturi 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Venturi 2.lnk
backup=C:\WINDOWS\pss\Venturi 2.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\caxchg]
C:\WINDOWS\caxchg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1178497581\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
C:\WINDOWS\shicoxp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
"C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
"C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbutobw.exe]
C:\Documents and Settings\All Users\Application Data\twbutobw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 01:03:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-01 1:05:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-01 01:05
C:\ComboFix2.txt ... 2007-06-28 03:10
C:\ComboFix3.txt ... 2007-06-21 00:51

--- E O F ---

1:12 AM 07/01/2007
Logfile of HijackThis v1.99.1
Scan saved at 1:11:23 AM, on 07/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1178497581\ee\aolsoftware.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
c:\program files\common files\aol\1178497581\ee\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Steve\My Documents\Unzipped\hijackthis\HijackThis.exe
c:\program files\common files\aol\1178497581\ee\anotify.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1171511507640
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: gebaxuu - gebaxuu.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nnnkjig - nnnkjig.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

#7 amateur
Malware Fighter, Malware Response Team, 2,775 posts

Posted 01 July 2007 - 07:59 AM

Hi,

Looking much better.

Before fixing anything, open Notepad and copy/paste the text inside the box below (starting with @echo off) into it:

@echo off
:: http://www.bleepingcomputer.com/forums/top...tml#entry557706
:: Needs catchme.exe and nircmd.exe on the PATH.
:: The paths are quoted: FOR splits an unquoted set on spaces, so the
:: "Documents and Settings" path would otherwise be broken into pieces.
:: %%~g strips the quotes again where the path is reused.

For %%g in (
"C:\Documents and Settings\All Users\Application Data\twbutobw.exe"
"C:\WINDOWS\system32\scchk32.exe"
) do (
REM copy the sample to a .vir twin that catchme archives, then remove the twin
catchme -l nul -c %%g "%%~g.vir"
catchme -l nul -k "%%~g.vir"
if exist "%%~g.vir" del /a/f "%%~g.vir"
)>nul 2>&1

catchme -l nul -k %0 >nul
REM move the archive to the desktop under a timestamped name and announce it
nircmd execmd move /y "~$folder.desktop$\catchme.zip" "Submit [%date:/=-% %time::=.%].zip"
echo.Please submit the file - Submit [%date:/=-% %time::=.%].zip
nircmd wait 7000
del %0


Save this as Submit.bat and choose "Save type as - All Files".
Double click on Submit.bat and allow it to generate a zipped file called Submit [Date Time].zip.
Please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

=================================

Go to Start>Control Panel>Add and Remove Programs and remove ViewPoint

=================================

Open Notepad and copy/paste the text inside the quote box below (starting from File::) into it:

File::
C:\Documents and Settings\All Users\Application Data\twbutobw.exe
C:\WINDOWS\system32\scchk32.exe

Folder::
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaxuu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkjig]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbutobw.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

Save this as ComboFix-Do.txt.
Drag ComboFix-Do.txt onto ComboFix.exe.
This will start ComboFix again. After the reboot (if it asks to reboot), post the resulting log in your next reply together with a new HijackThis log. Let me know if you're still getting popups.

Edited by amateur, 01 July 2007 - 07:07 PM.
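
The triage amateur did by eye in the post above (two orphaned Winlogon Notify handlers, a BHO with no file, a Run entry that only rundll32s a random-named DLL, a service with no publisher and no binary) and the File::/Registry:: script she drafted from it can be scripted. The following is an added example, not part of this thread and not code from HijackThis or ComboFix: it parses HijackThis 1.99 log lines, using a sample constructed from lines posted in this thread, and emits the directives in the File:: / Registry:: / Driver:: layout ComboFix reads. The KNOWN_NOTIFY allowlist, the reason strings and the choice to route O23 services into Driver:: are the example's own. The result is a draft for review, not something to drag onto ComboFix unread: it also flags Nero's NMIndexingService, which is merely orphaned.

```python
"""Added example: triage HijackThis 1.99 log lines and draft a ComboFix CFScript.

Flags the indicator types visible in this thread: load points whose target is
gone, a Run entry that exists only to rundll32 a DLL, Winlogon Notify handlers
outside a small allowlist, and services with no publisher. Output is a draft
for a human to review, not something to feed ComboFix unread.
"""
import re
from dataclasses import dataclass, field

# Full registry paths behind HijackThis's abbreviated O4 / O20 / O2 lines.
RUN_KEY = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"  # ComboFix's own shorthand

# Assumption: non-default Winlogon Notify handlers treated as benign, taken
# from the legitimate lines in the posted log (Intel graphics, WGA).
KNOWN_NOTIFY = {"igfxcui", "wgalogon"}

MISSING = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RE_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,', re.I)
RE_SHORT = re.compile(r"\((?P<short>[^()]+)\)\s*$")  # "Display Name (ShortName)"

# Constructed sample: lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\jdoeyycw.dll",forkonce
O20 - Winlogon Notify: gebaxuu - gebaxuu.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nnnkjig - nnnkjig.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ldmypfkl.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""


@dataclass
class Finding:
    line: str
    reason: str
    files: list = field(default_factory=list)     # CFScript File:: entries
    registry: list = field(default_factory=list)  # CFScript Registry:: blocks
    drivers: list = field(default_factory=list)   # CFScript Driver:: entries


def triage_line(line):
    """Return a Finding for a suspicious HijackThis line, else None."""
    line = line.rstrip()
    missing = bool(MISSING.search(line))
    if m := RE_O2.match(line):
        if missing:  # CLSID still registered, DLL gone: dead load point
            return Finding(line, "BHO with no file on disk",
                           registry=[f"[-{BHO_KEY}\\{m['clsid']}]"])
    elif m := RE_O4.match(line):
        if r := RE_RUNDLL.match(m["cmd"]):  # autorun whose only job is loading a DLL
            return Finding(line, "Run entry loads a DLL through rundll32",
                           files=[r["dll"]],
                           registry=[f"[{RUN_KEY[m['hive']]}]\n\"{m['name']}\"=-"])
    elif m := RE_O20.match(line):
        if missing or m["name"].lower() not in KNOWN_NOTIFY:
            why = "orphaned Winlogon Notify handler" if missing else "Winlogon Notify handler outside allowlist"
            return Finding(line, why, registry=[f"[-{NOTIFY_KEY}\\{m['name']}]"])
    elif m := RE_O23.match(line):
        if m["owner"] == "Unknown owner" and missing:
            s = RE_SHORT.search(m["svc"])  # Driver:: wants the service's short name
            return Finding(line, "service with no publisher and no binary",
                           drivers=[s["short"] if s else m["svc"]])
    return None


def triage(log_text):
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def build_cfscript(findings):
    """Render findings in the File:: / Registry:: / Driver:: layout ComboFix reads."""
    sections = (("File::", [p for f in findings for p in f.files]),
                ("Registry::", [p for f in findings for p in f.registry]),
                ("Driver::", [p for f in findings for p in f.drivers]))
    out = []
    for header, entries in sections:
        if entries:
            out += [header, *entries, ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}: {f.line}")
    print(build_cfscript(found))
```

Run as a script it prints six findings and a CFScript whose Registry:: lines for the BHO and the two Winlogon Notify keys are identical to the ones in the post above; the Run entry is removed as a `.reg`-style value deletion (`"icq.com"=-`) with its DLL listed under File::. The allowlist is the weak point of any such heuristic: a Winlogon Notify DLL with a legitimate name is still loaded into winlogon.exe at every logon, so the analyst checks the file on disk, not just the name.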


#8 smtent379
Topic Starter, Members, 11 posts

Posted 01 July 2007 - 06:35 PM

Ok...here goes...again...

File::
C:\Documents and Settings\All Users\Application Data\twbutobw.exe
C:\WINDOWS\system32\scchk32.exe

Folder::
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaxuu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkjig]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbutobw.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

"Steve" - 2007-07-01 19:34:51 - ComboFix 07-07-01.3 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Steve\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\scchk32.exe


((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


2007-06-23 23:52 4,672 --a--c--- C:\WINDOWS\system32\ccsvekbe.exe
2007-06-21 00:34 49,152 --a--c--- C:\WINDOWS\nircmd.exe
2007-06-20 22:36 1,666 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-06-20 22:18 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-20 22:14 <DIR> d----c--- C:\Program Files\CCleaner
2007-06-20 22:06 <DIR> d----c--- C:\Program Files\RogueRemover
2007-06-09 02:31 <DIR> d----c--- C:\Program Files\Nero
2007-06-08 15:12 35 --a--c--- C:\DOCUME~1\Steve\readme.bat
2007-06-08 14:55 <DIR> d----c--- C:\DOCUME~1\Steve\APPLIC~1\Ahead
2007-06-08 14:53 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-02 22:45 <DIR> d----c--- C:\DOCUME~1\Steve\Contacts
2007-06-02 22:43 <DIR> d----c--- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 02:33:30 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\uTorrent
2007-06-09 02:44:45 -------- dc----w C:\Program Files\Ahead
2007-06-07 04:04:55 -------- dc----w C:\Program Files\PokerStars
2007-06-07 04:01:18 -------- dc----w C:\Program Files\Common Files\Autodesk Shared
2007-06-07 04:00:16 -------- dc----w C:\Program Files\Apple Software Update
2007-05-26 23:01:15 -------- dc----w C:\Program Files\Common Files\Adaptec Shared
2007-05-23 05:17:19 -------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-05-23 05:16:32 -------- dc----w C:\Program Files\Microsoft ActiveSync
2007-05-23 05:16:01 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\Juniper Networks
2007-05-23 04:40:32 -------- dc----w C:\Program Files\LimeWire
2007-05-22 06:33:58 -------- dc----w C:\Program Files\Winamp
2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 21:04:42 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\MusicIP
2007-05-10 20:28:35 -------- dc----w C:\Program Files\Windows Media Connect 2
2007-05-07 00:27:20 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\acccore
2007-05-07 00:26:53 -------- dc----w C:\Program Files\Common Files\AOL
2007-05-07 00:26:44 -------- dc----w C:\Program Files\Common Files\Nullsoft
2007-05-07 00:26:19 -------- dc----w C:\Program Files\Common Files\aolshare
2007-05-05 04:13:23 -------- dc----w C:\Program Files\Yahoo!
2007-05-05 04:08:26 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\Aim
2007-05-05 04:08:16 -------- dc----w C:\Program Files\AIM
2007-05-05 04:07:45 -------- dc----w C:\Program Files\AOD
2007-04-25 14:21:15 144,896 -c--a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 -c--a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 -c--a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 -c--a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 -c--a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 -c--a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 -c--a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 04:47 50376 --a--c--- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a--c--- C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Venturi 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Venturi 2.lnk
backup=C:\WINDOWS\pss\Venturi 2.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\caxchg]
C:\WINDOWS\caxchg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1178497581\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
C:\WINDOWS\shicoxp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
"C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
"C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 19:37:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-01 19:37:49
C:\ComboFix-quarantined-files.txt ... 2007-07-01 19:37
C:\ComboFix2.txt ... 2007-07-01 01:05
C:\ComboFix3.txt ... 2007-06-28 03:10

--- E O F ---

#9 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 01 July 2007 - 07:11 PM

Can you please reboot your computer, scan with HijackThis and post the log?

#10 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 01 July 2007 - 09:51 PM

I see LimeWire and uTorrent installed. I would like to warn you that the nature of P2P filesharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware. Even if the program you use is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove it from your system via Add/Remove Programs in Control Panel.

Open notepad and copy/paste the text inside the quotebox (starting from File:: .....) below into it:

File::
C:\WINDOWS\system32\ccsvekbe.exe

Save this as ComboFix-Do.txt
Posted Image
Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe.
This will start ComboFix again. After reboot (in case it asks to reboot), post the resultant log in your next reply.

===========================

Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky Online Scanner if it is present, prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
          • Standard
      • Scan Options:
          • Scan Archives
          • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop in txt format.
Copy and paste that information from Kaspersky in your next post please, along with the HijackThis log.

#11 smtent379

  • Topic Starter
  • Members
  • 11 posts

Posted 02 July 2007 - 06:34 PM

"Steve" - 2007-07-02 16:08:00 - ComboFix 07-07-01.3 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Steve\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ccsvekbe.exe


((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))


2007-06-21 00:34 49,152 --a--c--- C:\WINDOWS\nircmd.exe
2007-06-20 22:36 1,666 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-06-20 22:18 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-20 22:14 <DIR> d----c--- C:\Program Files\CCleaner
2007-06-20 22:06 <DIR> d----c--- C:\Program Files\RogueRemover
2007-06-09 02:31 <DIR> d----c--- C:\Program Files\Nero
2007-06-08 15:12 35 --a--c--- C:\DOCUME~1\Steve\readme.bat
2007-06-08 14:55 <DIR> d----c--- C:\DOCUME~1\Steve\APPLIC~1\Ahead
2007-06-08 14:53 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-02 22:45 <DIR> d----c--- C:\DOCUME~1\Steve\Contacts
2007-06-02 22:43 <DIR> d----c--- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 09:53:56 -------- dc----w C:\Program Files\LimeWire
2007-06-09 02:44:45 -------- dc----w C:\Program Files\Ahead
2007-06-07 04:04:55 -------- dc----w C:\Program Files\PokerStars
2007-06-07 04:01:18 -------- dc----w C:\Program Files\Common Files\Autodesk Shared
2007-06-07 04:00:16 -------- dc----w C:\Program Files\Apple Software Update
2007-05-26 23:01:15 -------- dc----w C:\Program Files\Common Files\Adaptec Shared
2007-05-23 05:17:19 -------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-05-23 05:16:32 -------- dc----w C:\Program Files\Microsoft ActiveSync
2007-05-23 05:16:01 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\Juniper Networks
2007-05-22 06:33:58 -------- dc----w C:\Program Files\Winamp
2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 21:04:42 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\MusicIP
2007-05-10 20:28:35 -------- dc----w C:\Program Files\Windows Media Connect 2
2007-05-07 00:27:20 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\acccore
2007-05-07 00:26:53 -------- dc----w C:\Program Files\Common Files\AOL
2007-05-07 00:26:44 -------- dc----w C:\Program Files\Common Files\Nullsoft
2007-05-07 00:26:19 -------- dc----w C:\Program Files\Common Files\aolshare
2007-05-05 04:13:23 -------- dc----w C:\Program Files\Yahoo!
2007-05-05 04:08:26 -------- dc----w C:\DOCUME~1\Steve\APPLIC~1\Aim
2007-05-05 04:08:16 -------- dc----w C:\Program Files\AIM
2007-05-05 04:07:45 -------- dc----w C:\Program Files\AOD
2007-04-25 14:21:15 144,896 -c--a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 -c--a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 -c--a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 -c--a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 -c--a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 -c--a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 -c--a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 04:47 50376 --a--c--- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a--c--- C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Venturi 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Venturi 2.lnk
backup=C:\WINDOWS\pss\Venturi 2.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\caxchg]
C:\WINDOWS\caxchg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1178497581\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
C:\WINDOWS\shicoxp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
"C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
"C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 16:10:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-02 16:11:39
C:\ComboFix-quarantined-files.txt ... 2007-07-02 16:11
C:\ComboFix2.txt ... 2007-07-01 19:37
C:\ComboFix3.txt ... 2007-07-01 01:05

--- E O F ---

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
02 July, 2007 7:35:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 3/07/2007
Kaspersky Anti-Virus database records: 334951
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 49217
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:07:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Bluebeam Software\Brewery\V4\Printer Support\BBPDFPortMon.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\cert8.db Object is locked skipped
C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\history.dat Object is locked skipped
C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\key3.db Object is locked skipped
C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\parent.lock Object is locked skipped
C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Steve\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\AOL\UserProfiles\1178497581\smtent316\cls\common.cls Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Mozilla\Firefox\Profiles\qxtd7g12.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007070220070703\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\hsperfdata_Steve\828 Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
C:\Program Files\UVU\UVU Media Player\HS_Media_Log_Albums.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ccsvekbe.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\RP537\A0073321.exe Object is locked skipped
C:\System Volume Information\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\RP540\A0073989.exe Object is locked skipped
C:\System Volume Information\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\RP540\A0073991.exe Object is locked skipped
C:\System Volume Information\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\RP544\A0074247.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\RP544\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\RP544\change.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 7:37:26 PM, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1178497581\ee\aolsoftware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\common files\aol\1178497581\ee\aim6.exe
c:\program files\common files\aol\1178497581\ee\anotify.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Steve\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1171511507640
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

#12 amateur (Malware Fighter, Malware Response Team)

Posted 02 July 2007 - 07:19 PM

Hi,

The log is clean. Kaspersky is reporting only one item, which is in a folder and the system restore cache, both of which we'll take care of shortly. But, before we do that, please let me know how the computer is running now.
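A small triage helper for the Kaspersky Online Scanner report format pasted above, added here as an illustration and not part of the thread or of any Kaspersky tool: it separates genuine detections from the "Object is locked" noise and flags detections that sit inside the System Restore cache (System Volume Information), which is the one item amateur refers to. The sample lines are constructed from the posted log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the Kaspersky report quoted in this thread
# (fields are whitespace-separated in the pasted log).
SAMPLE_REPORT = """\
C:\\System Volume Information\\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\\RP540\\A0073989.exe Object is locked skipped
C:\\System Volume Information\\_restore{4B978452-E7AB-438E-AD72-14AAE8961A97}\\RP544\\A0074247.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\WindowsUpdate.log Object is locked skipped
Scan process completed.
"""

# Path (may contain spaces), then either a lock notice or a detection name, then "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)|Infected:\s+(?P<name>\S+))\s+skipped\s*$"
)
# Files under the System Restore cache cannot be cleaned in place while restore is active.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    detection: Optional[str]   # None for "Object is locked" entries
    in_restore_cache: bool


def parse_report(text: str) -> List[Finding]:
    """Turn per-file report lines into Findings; summary or blank lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        findings.append(Finding(m["path"], m["name"], bool(RESTORE_RE.search(m["path"]))))
    return findings


def triage(findings: List[Finding]) -> Dict[str, object]:
    """Separate real detections from locked-file noise and from restore-cache copies."""
    infected = [f for f in findings if f.detection]
    return {
        "locked_only": sum(1 for f in findings if f.detection is None),
        "active_infections": [f.path for f in infected if not f.in_restore_cache],
        "restore_cache_infections": [f.path for f in infected if f.in_restore_cache],
    }
```

On the sample this yields no active infections and exactly one restore-cache hit, matching the triage in the post above.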

#13 smtent379 (Topic Starter)

Posted 02 July 2007 - 08:30 PM

It seems to be running a little better. I'm not getting the outrageous amount of popups I used to be getting. I haven't been on for long periods yet, but will be the next hour or so.

#14 amateur (Malware Fighter, Malware Response Team)

Posted 02 July 2007 - 08:35 PM

It seems to be running a little better. I'm not getting the outrageous amount of popups I used to be getting.

Does this mean that you are still getting popups, but not as much? If so, can you tell me what kind of popups you're getting?

#15 smtent379 (Topic Starter)

Posted 02 July 2007 - 08:40 PM

I haven't gotten anything yet, actually... but when I was running the Kaspersky scan, I kept getting the one box popping up that said McAfee has found a suspect file, and that I should run a virus scan. I've been getting it for about a week now, but whenever I do run a virus scan, it doesn't find anything. It gets kinda annoying. I haven't gotten that yet tonight though.
