
Please Help - Am I Infected (here Is My Log)


This topic is locked
23 replies to this topic

#1 jaf3100 (Members, 13 posts)

Posted 04 July 2007 - 10:21 AM

Hi,
I have used various anti-virus programs (Ad-Aware, BitDefender, HouseCall and Kaspersky) and now SUPERAntiSpyware, but I still get recurring root viruses when doing scans. I ran McAfee Avert Stinger as well. I also get this detection when doing a scan with Kaspersky Anti-Virus: riskware Mass-mailer software, Running process: C:\WINDOWS\Explorer.EXE.

PLEASE HELP. Here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 23:11, on 2007-07-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\SONATA~1\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {4E41CB36-6D3A-4FB7-B4CB-9721E2FDDB55} - c:\windows\system32\mipamip.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149447785234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149447780156
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thetradinginstituteevents.webex.com...ent/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: irqgebfn - C:\WINDOWS\SYSTEM32\mipamip.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 09 July 2007 - 04:40 AM

Hello,

* Download ComboFix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after the reboot (in case it asks to reboot), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 09 July 2007 - 07:28 AM

Extra important note: I notice from the log that more than one Anti-Virus program is running with Auto-protect enabled:
BitDefender and Kaspersky.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease the reliability of it!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.
When you install Kaspersky, it displays very clearly at the beginning of the install that other Antivirus software should be removed - so I guess you ignored this warning.

So you have to make a decision here: keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

#4 jaf3100 (Topic Starter, Members, 13 posts)

Posted 09 July 2007 - 11:07 PM

Here are my ComboFix and HijackThis logs as requested. Miekiemoes, I am only running SUPERAntiSpyware now. Thanks for the heads up.




"SONATA TRADING COMPU" - 2007-07-09 23:50:57 - ComboFix 07-07-10.2 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


2007-07-09 00:52 <DIR> d--hs---- C:\RECYCLER
2007-07-08 21:19 <DIR> d--hs---- C:\System Volume Information
2007-07-08 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-07 22:13 165,376 --a------ C:\WINDOWS\system32\drivers\Qrtr69.sys
2007-07-04 19:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-04 19:42 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-04 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-03 23:59 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-03 23:59 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-07-03 23:59 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-07-03 23:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-07-03 23:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-07-03 23:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-07-03 23:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-07-03 23:59 <DIR> d-------- C:\Program Files\Sygate
2007-07-03 23:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 19:51 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-07-03 07:24 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 07:22 <DIR> d-------- C:\DOCUME~1\SONATA~1\.housecall6.6
2007-07-03 00:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-03 00:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-02 21:55 <DIR> d-------- C:\35e4e1edbf05decd4b0284e5f5d6
2007-07-01 22:58 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2007-07-01 22:58 <DIR> d-------- C:\Program Files\Realtek AC97
2007-07-01 22:58 <DIR> d-------- C:\Program Files\AvRack
2007-07-01 22:51 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-07-01 22:49 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-30 15:50 <DIR> d-------- C:\KAV
2007-06-26 21:38 42,496 --a------ C:\WINDOWS\system32\mjkfpese.dll
2007-06-21 01:10 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\Tenebril
2007-06-21 01:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-06-21 01:00 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-06-21 01:00 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-06-21 00:52 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2007-06-21 00:08 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-06-20 23:36 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2007-06-20 23:35 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-06-20 23:35 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-06-20 23:35 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-06-20 21:50 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\PCToolsFirewallPlus
2007-06-20 21:42 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-06-20 20:25 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-20 17:41 <DIR> d-------- C:\Program Files\FX Solutions
2007-06-19 21:06 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\PC Tools
2007-06-19 20:54 684,567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-19 20:54 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-06-19 20:49 92,672 --a------ C:\WINDOWS\system32\ulgcowrv.dll
2007-06-19 20:49 751,616 --a------ C:\WINDOWS\system32\dptywpme.dll
2007-06-19 20:49 41,472 --a------ C:\WINDOWS\system32\wrbkqwrb.dll
2007-06-19 20:49 122,880 --a------ C:\WINDOWS\system32\voujzoxt.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-10 03:44:52 -------- d-----w C:\Program Files\CyberPower PowerPanel Personal Edition
2007-07-09 04:04:27 -------- d-----w C:\Program Files\Windows NT
2007-07-09 04:04:25 -------- d-----w C:\Program Files\Online Services
2007-07-09 04:04:22 -------- d-----w C:\Program Files\Movie Maker
2007-07-09 04:04:21 -------- d-----w C:\Program Files\Messenger
2007-07-09 04:04:15 -------- d-----w C:\Program Files\Google
2007-07-09 04:04:13 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-07-09 04:03:40 -------- d-----w C:\DOCUME~1\SONATA~1\APPLIC~1\AdobeAUM
2007-07-05 16:31:08 -------- d-----w C:\Program Files\fxsgts
2007-07-02 02:58:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-30 19:37:07 -------- d-----w C:\Program Files\Citrix
2007-06-22 01:00:24 -------- d-----w C:\Program Files\EFX
2007-05-30 03:18:35 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-29 06:43:45 145,152 ----a-w C:\WINDOWS\cbuninstall.exe
2007-05-24 09:32:54 -------- d-----w C:\Program Files\FXDD - MetaTrader 4
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 00:08:59 -------- d-----w C:\Program Files\NVIDIA Corporation
2007-05-10 00:08:59 -------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-06-05 02:06:11 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 16:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 19:46]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 15:01]
"Protect"="SHVRTF.EXE" [2005-06-15 18:29 C:\WINDOWS\system32\SHVRTF.EXE]
"MediaLifeService"="C:\Program Files\Logitech\MediaLife\MediaLifeService.exe" [2005-05-13 00:23]
"Iomega Startup Options"="C:\Program Files\Iomega\Common\ImgStart.exe" [2000-06-02 13:57]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2000-06-13 10:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-21 20:39]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 19:19]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-31 05:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-05-03 09:10]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-19 20:51]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 05:24]
"PowerPanel Personal Edition User Interaction"="C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2005-10-24 10:26]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command-


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 23:51:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 23:51:58
C:\ComboFix-quarantined-files.txt ... 2007-07-09 23:51
C:\ComboFix2.txt ... 2007-07-09 23:12

--- E O F ---




Logfile of HijackThis v1.99.1
Scan saved at 11:53:31 PM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\SONATA~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149447785234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149447780156
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thetradinginstituteevents.webex.com...ent/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

#5 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 10 July 2007 - 12:07 PM

Hi,

I have merged your thread because you started a new topic instead of replying here. Please use the Add Reply button below if you want to answer. Don't start a new thread, because I won't get a notification if you start a new thread.

Quote: "Miekiemoes, I am only running SUPERAntiSpyware now. Thanks for the heads up."

Please reinstall an Antivirus again. You weren't supposed to uninstall all of them. You were supposed to uninstall the extra ones and keep one Antivirus present.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\mjkfpese.dll
C:\WINDOWS\system32\ulgcowrv.dll
C:\WINDOWS\system32\dptywpme.dll
C:\WINDOWS\system32\wrbkqwrb.dll
C:\WINDOWS\system32\voujzoxt.dll

Suspect::
C:\WINDOWS\system32\drivers\Qrtr69.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}]


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
Also, please post the C:\ComboFix-quarantined-files.txt in your next reply as well.

Also, a file submit[date].zip will be created on your desktop.
Go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the submit[date].zip present on your desktop.

Select it and click OK.
Then click the Send File button below.

Edited by miekiemoes, 10 July 2007 - 12:07 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 jaf3100

jaf3100
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:49 AM

Posted 10 July 2007 - 10:36 PM

Miekiemoes,
I reinstalled BitDefender antivirus.

Here is the combofix text log as well as the combofix-quarantined-files text and a new hijackthislog.


"SONATA TRADING COMPU" - 2007-07-10 23:19:54 - ComboFix 07-07-10.2 - Service Pack 2
Command switches used :: C:\Documents and Settings\SONATA TRADING COMPU\Desktop\CFScript.txt


((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


2007-07-10 20:08 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\Bitdefender
2007-07-10 19:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-07-09 00:52 <DIR> d--hs---- C:\RECYCLER
2007-07-08 21:19 <DIR> d--hs---- C:\System Volume Information
2007-07-08 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-07 22:13 165,376 --a------ C:\WINDOWS\system32\drivers\Qrtr69.sys
2007-07-04 19:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-04 19:42 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-04 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-03 23:59 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-03 23:59 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-07-03 23:59 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-07-03 23:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-07-03 23:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-07-03 23:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-07-03 23:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-07-03 23:59 <DIR> d-------- C:\Program Files\Sygate
2007-07-03 23:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 19:51 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-07-03 07:24 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 07:22 <DIR> d-------- C:\DOCUME~1\SONATA~1\.housecall6.6
2007-07-03 00:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-03 00:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-02 21:55 <DIR> d-------- C:\35e4e1edbf05decd4b0284e5f5d6
2007-07-01 22:58 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2007-07-01 22:58 <DIR> d-------- C:\Program Files\Realtek AC97
2007-07-01 22:58 <DIR> d-------- C:\Program Files\AvRack
2007-07-01 22:51 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-07-01 22:49 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-30 15:50 <DIR> d-------- C:\KAV
2007-06-21 01:10 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\Tenebril
2007-06-21 01:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-06-21 01:00 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-06-21 01:00 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-06-21 00:52 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2007-06-21 00:08 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-06-20 23:36 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2007-06-20 23:35 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-06-20 23:35 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-06-20 23:35 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-06-20 21:50 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\PCToolsFirewallPlus
2007-06-20 20:25 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-20 17:41 <DIR> d-------- C:\Program Files\FX Solutions
2007-06-19 21:06 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\PC Tools
2007-06-19 20:54 684,567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-19 20:54 147,729 --a------ C:\WINDOWS\system32\libssl32.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 02:59:09 -------- d-----w C:\Program Files\CyberPower PowerPanel Personal Edition
2007-07-10 08:55:45 -------- d-----w C:\Program Files\fxsgts
2007-07-09 04:04:27 -------- d-----w C:\Program Files\Windows NT
2007-07-09 04:04:25 -------- d-----w C:\Program Files\Online Services
2007-07-09 04:04:22 -------- d-----w C:\Program Files\Movie Maker
2007-07-09 04:04:21 -------- d-----w C:\Program Files\Messenger
2007-07-09 04:04:15 -------- d-----w C:\Program Files\Google
2007-07-09 04:04:13 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-07-09 04:03:40 -------- d-----w C:\DOCUME~1\SONATA~1\APPLIC~1\AdobeAUM
2007-07-02 02:58:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-30 19:37:07 -------- d-----w C:\Program Files\Citrix
2007-06-22 01:00:24 -------- d-----w C:\Program Files\EFX
2007-05-30 03:18:35 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-29 06:43:45 145,152 ----a-w C:\WINDOWS\cbuninstall.exe
2007-05-24 09:32:54 -------- d-----w C:\Program Files\FXDD - MetaTrader 4
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-06-05 02:06:11 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 16:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 19:46]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 15:01]
"Protect"="SHVRTF.EXE" [2005-06-15 18:29 C:\WINDOWS\system32\SHVRTF.EXE]
"MediaLifeService"="C:\Program Files\Logitech\MediaLife\MediaLifeService.exe" [2005-05-13 00:23]
"Iomega Startup Options"="C:\Program Files\Iomega\Common\ImgStart.exe" [2000-06-02 13:57]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2000-06-13 10:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-21 20:39]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 19:19]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-31 05:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-05-03 09:10]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-07-10 20:39]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-19 20:51]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 05:24]
"PowerPanel Personal Edition User Interaction"="C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2005-10-24 10:26]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command-


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 23:20:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [10428] 0x887403D0


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-10 23:20:51
C:\ComboFix-quarantined-files.txt ... 2007-07-10 23:20
C:\ComboFix2.txt ... 2007-07-10 23:15
C:\ComboFix3.txt ... 2007-07-10 23:06

--- E O F ---
2007-06-19 20:38	  12416	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\zzoakgmr.sys.vir
2007-06-28 21:49	  42496	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\mjkfpese.dll.vir
2007-07-02 20:25	  159744	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\Lifa34.sys.vir
2007-07-05 21:20	  74752	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\mipamip.dll.bak.vir
2007-07-07 22:19	  122880	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\voujzoxt.dll.vir
2007-07-09 22:46	  41472	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wrbkqwrb.dll.vir
2007-07-09 22:46	  74240	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\mipamip.dll.vir
2007-07-09 22:46	  751616	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\dptywpme.dll.vir
2007-07-09 23:10	  1024	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_LIFA34.reg.cf
2007-07-09 23:10	  1146	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_QJWQIBAF.reg.cf
2007-07-09 23:10	  1248	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_QRTR69.reg.cf
2007-07-09 23:10	  1308	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_WCVJZUXO.reg.cf
2007-07-09 23:10	  151999	--a------	C:\Qoobox\Quarantine\catchme2007-07-09_231214.64.zip
2007-07-09 23:10	  2284	--a------	C:\Qoobox\Quarantine\Registry_backups\services_qjwqibaf.reg.cf
2007-07-09 23:10	  236	--a------	C:\Qoobox\Quarantine\Registry_backups\services_LIFA34.reg.cf
2007-07-09 23:10	  270	--a------	C:\Qoobox\Quarantine\Registry_backups\services_RpcApi.reg.cf
2007-07-09 23:10	  501	--a------	C:\Qoobox\Quarantine\catchme.log
2007-07-09 23:10	  7928	--a------	C:\Qoobox\Quarantine\Registry_backups\services_wcvjzuxo.reg.cf


Folder PATH listing
Volume serial number is 94D5-038E
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-07-09_231214.64.zip
	|   
	+---C
	|   \---WINDOWS
	|	   \---system32
	|		   |   dptywpme.dll.vir
	|		   |   mipamip.dll.bak.vir
	|		   |   mipamip.dll.vir
	|		   |   mjkfpese.dll.vir
	|		   |   voujzoxt.dll.vir
	|		   |   wrbkqwrb.dll.vir
	|		   |   
	|		   \---drivers
	|				   Lifa34.sys.vir
	|				   zzoakgmr.sys.vir
	|				   
	\---Registry_backups
			LEGACY_LIFA34.reg.cf
			LEGACY_QJWQIBAF.reg.cf
			LEGACY_QRTR69.reg.cf
			LEGACY_WCVJZUXO.reg.cf
			services_LIFA34.reg.cf
			services_qjwqibaf.reg.cf
			services_RpcApi.reg.cf
			services_wcvjzuxo.reg.cf

Logfile of HijackThis v1.99.1
Scan saved at 11:27:07 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\SONATA~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149447785234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149447780156
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thetradinginstituteevents.webex.com...ent/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe
I just submitted the submit[date].zip file as per your request at 11:34pm EST.

Thanks.
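
As an added example (not code from this thread, nor from the HijackThis or ComboFix authors), here is a small Python triage over a few lines copied from the HijackThis 1.99.1 log above: it flags an O4 Run entry whose command carries no absolute path (the [Protect] SHVRTF.EXE entry), an O16 entry with no download URL, and separates a service genuinely reported missing from the HijackThis 1.99.1 "(file missing)" artifact that appears when a quoted service ImagePath is followed by arguments, cross-checking against the running-process list. The heuristics and their wording are assumptions of mine; they produce review findings, not malware verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis 1.99.1 log posted
# above, trimmed to the entries the triage rules below look at.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\SHVRTF.EXE
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Absolute path: drive letter or %VAR% prefix, optionally quoted.
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[^%]+%\\)')


@dataclass
class Finding:
    line: str
    reason: str


def parse_log(text):
    """Split a HijackThis log into (running process paths, R/F/N/O entry lines)."""
    processes, entries, section = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            section = "proc"
            continue
        if ENTRY_RE.match(line):
            section = "entries"
        if section == "proc":
            processes.add(line.lower())
        elif section == "entries":
            entries.append(line)
    return processes, entries


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Apply a few review heuristics (my own assumptions); returns Findings, not verdicts."""
    processes, entries = parse_log(text)
    running = {basename(p) for p in processes}
    findings = []
    for entry in entries:
        kind, rest = ENTRY_RE.match(entry).groups()
        if kind == "O4" and "] " in rest:
            # Run value whose command is a bare file name: Windows resolves it
            # via the search path, so the log alone does not pin down the binary.
            command = rest.split("] ", 1)[1]
            if not ABS_PATH_RE.match(command):
                findings.append(Finding(entry, "O4 command has no absolute path; locate the file before judging it"))
        elif kind == "O16" and rest.rstrip().endswith(" -"):
            # Downloaded Program Files entry with no codebase URL: an orphaned
            # ActiveX registration that cannot be traced back to its source.
            findings.append(Finding(entry, "O16 entry has no download URL"))
        elif kind == "O23" and "(file missing)" in rest:
            path_part = rest.split(" - ")[-1]
            exe = re.match(r"(.*?\.exe)", path_part, re.IGNORECASE)
            # HijackThis 1.99.1 prints '(file missing)' when a service ImagePath is a
            # quoted path followed by arguments (note the stray closing quote). If the
            # same binary is in the running-process list, treat it as a parser
            # artifact rather than a missing file.
            if path_part.count('"') % 2 == 1 and exe and basename(exe.group(1)) in running:
                findings.append(Finding(entry, "O23 '(file missing)' is a quoting artifact; the service binary is running"))
            else:
                findings.append(Finding(entry, "O23 service binary reported missing; confirm on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```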

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:49 AM

Posted 11 July 2007 - 02:41 AM

Hi,

Navigate to and delete next file and folder:

C:\WINDOWS\system32\drivers\Qrtr69.sys <== file
C:\Qoobox <== folder

Then, as a final check..
* Download reglooks from here and save it to your desktop.
Doubleclick reglooks.exe and wait until a logfile appears.
The log will be called result.txt.
Copy and paste the contents of this log in your next reply.

#8 jaf3100

jaf3100
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:49 AM

Posted 11 July 2007 - 06:05 AM

Miekiemoes,
I deleted those folders and files as stated. Here is my reglooks text log. (Question: I chose BitDefender antivirus because when I used Kaspersky anti virus it found that I have detected: riskware Mass-mailer software Running process: C:\WINDOWS\Explorer.EXE, and could not get rid of this. Is it now gone?)

REGLOOKS logfile

version 0.971
Wed 07/11/2007 6:56:16.67
running from: "C:\Documents and Settings\SONATA TRADING COMPU\Desktop"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found


--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found


--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"


--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""


--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"="sockspy.dll"


--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"!SASWinLogon" "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"AtiExtEvent" "DLLName"="Ati2evxx.dll"


--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0\0


--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""


--- AUTORUN regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun"=""


--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"Protect"="SHVRTF.EXE"
"MediaLifeService"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"mmtask"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
"BDAgent"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""
[run\OptionalComponents]
[run\OptionalComponents\IMAIL]
"Installed"="1"
[run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[run\OptionalComponents\MSFS]
"Installed"="1"


--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found


--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found


--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKLM RunServices keys found


--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist


--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PowerPanel Personal Edition User Interaction"="\"C:\\Program Files\\CyberPower PowerPanel Personal Edition\\pppeuser.exe\""
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe -NoStart"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"


--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
regkey does not exist


--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist


--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKCU RunServices keys found


--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist


--- HKU\.DEFAULT\Run regkeys ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\.DEFAULT\Run keys found


--- HKU\S-1-5-18\Run regkeys ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-18\Run keys found


--- HKU\S-1-5-19\Run regkeys ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
regkey does not exist


--- HKU\S-1-5-20\Run regkeys ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
regkey does not exist


--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found


--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKCU Explorer\Run keys found


--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" regkey not found (ERROR)
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll"


--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
"{327C2873-E90D-4c37-AA9D-10AC9BABA46C}" FILE ="C:\\Program Files\\Canon\\Easy-WebPrint\\Toolband.dll"


--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found


--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers


--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
System Reserved


--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
System Reserved


--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aksusb
"DisplayName"="Aladdin USB Key"
system32\DRIVERS\aksusb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALCXWDM
"DisplayName"="Service for Realtek AC97 Audio (WDM)"
system32\drivers\ALCXWDM.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller
%SystemRoot%\system32\Ati2evxx.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati2mtag
system32\DRIVERS\ati2mtag.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Atierecord
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AWG60
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdfdll
"DisplayName"="bdfdll"
\??\C:\Program Files\Softwin\BitDefender10\bdfdll.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BDFSDRV
"DisplayName"="BDFSDRV"
\??\C:\Program Files\Softwin\BitDefender10\bdfsdrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdpredir
"DisplayName"="bdpredir"
\??\C:\Program Files\Softwin\BitDefender10\bdpredir.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BDRSDRV
"DisplayName"="BDRSDRV"
\??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bdss
"DisplayName"="BitDefender Scan Server"
"C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme
\??\C:\DOCUME~1\SONATA~1\LOCALS~1\Temp\catchme.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrbsdrv
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EUCR
"DisplayName"="ENE USB Mass Storage"
system32\DRIVERS\EUCR6SK.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gameenum
"DisplayName"="Game Port Enumerator"
system32\DRIVERS\gameenum.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GPHK58
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidBatt
"DisplayName"="HID UPS Battery Driver"
system32\DRIVERS\HidBatt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidUsb
"DisplayName"="Microsoft HID Class Driver"
system32\DRIVERS\hidusb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InCDPass
"DisplayName"="InCDPass"
System32\DRIVERS\InCDPass.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InCDrec
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\incdrm
"DisplayName"="InCD Reader"
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InCDsrv
"DisplayName"="InCD Helper"
C:\Program Files\Ahead\InCD\InCDsrv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InCDsrvR
"DisplayName"="InCD Helper (read only)"
C:\Program Files\Ahead\InCD\InCDsrv.exe -r

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IomegaAccess
"DisplayName"="IomegaAccess"
C:\WINDOWS\system32\IomegaAccess.exe /S

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\L8042Kbd
"DisplayName"="Logitech SetPoint Keyboard Driver"
system32\DRIVERS\L8042Kbd.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\L8042mou
"DisplayName"="Logitech SetPoint PS/2 Mouse Filter Driver"
system32\DRIVERS\L8042mou.Sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LHidKe
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LightScribeService
"DisplayName"="LightScribeService Direct Disc Labeling Service"
"C:\Program Files\Common Files\LightScribe\LSSrvc.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LIVESRV
"DisplayName"="BitDefender Desktop Update Service"
"C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMouKE
"DisplayName"="Logitech SetPoint Mouse Filter Driver"
system32\DRIVERS\LMouKE.Sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ms_mpu401
"DisplayName"="Microsoft MPU-401 MIDI UART Driver"
system32\drivers\msmpu401.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTsensor
"DisplayName"="ATK0110 ACPI UTILITY"
system32\DRIVERS\ASACPI.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ppped
"DisplayName"="PowerPanel Personal Edition Service"
"C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PxHelp20
"DisplayName"="PxHelp20"
System32\Drivers\PxHelp20.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
"DisplayName"="Remote Registry"
%SystemRoot%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV
"DisplayName"="SASDIFSV"
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASENUM
"DisplayName"="SASENUM"
\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL
"DisplayName"="SASKUTIL"
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCDU39
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\serenum
"DisplayName"="Serenum Filter Driver"
system32\DRIVERS\serenum.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmcService
"DisplayName"="Sygate Personal Firewall"
C:\Program Files\Sygate\SPF\smc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Teefer
"DisplayName"="Teefer for NT"
SYSTEM32\Drivers\Teefer.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcomm
"DisplayName"="tmcomm"
\??\C:\WINDOWS\system32\drivers\tmcomm.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdf
"DisplayName"="Windows User Mode Driver Framework"
C:\WINDOWS\system32\wdfmgr.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbaudio
"DisplayName"="USB Audio Driver (WDM)"
system32\drivers\usbaudio.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp
"DisplayName"="Microsoft USB Generic Parent Driver"
system32\DRIVERS\usbccgp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbohci
"DisplayName"="Microsoft USB Open Host Controller Miniport Driver"
system32\DRIVERS\usbohci.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbprint
"DisplayName"="Microsoft USB PRINTER Class"
system32\DRIVERS\usbprint.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbscan
"DisplayName"="USB Scanner Driver"
system32\DRIVERS\usbscan.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wg3n
"DisplayName"="SyGate for NT, wg3n"
\SystemRoot\SYSTEM32\Drivers\wg3n.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wg4n
"DisplayName"="SyGate for NT, wg4n"
\SystemRoot\SYSTEM32\Drivers\wg4n.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wg5n
"DisplayName"="SyGate for NT, wg5n"
\SystemRoot\SYSTEM32\Drivers\wg5n.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wg6n
"DisplayName"="SyGate for NT, wg6n"
\SystemRoot\SYSTEM32\Drivers\wg6n.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi
"DisplayName"="Windows Management Instrumentation Driver Extensions"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wpsdrvnt
"DisplayName"="wpsdrvnt"
\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XCOMM
"DisplayName"="BitDefender Communicator"
"C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yukonwxp
"DisplayName"="NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller"
system32\DRIVERS\yk51x86.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZipToA
"DisplayName"="ZipToA"
C:\WINDOWS\system32\ZipToA.exe /S

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{D757057F-B38E-49F4-A67F-97559F377518}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{EA31FAD7-5B05-451B-946C-46CF2261D298}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{F86395F0-B942-448B-80C5-FFDBBB692B2E}
no imagepath value found


--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
HTTPFilter: HTTPFilter\0\0
LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService: DnsCache\0\0
netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0\0\0
DcomLaunch: DcomLaunch\0TermService\0\0
rpcss: RpcSs\0\0
imgsvc: StiSvc\0\0
termsvcs: TermService\0\0


--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- STARTUP FOLDERS ---

C:\Documents and Settings\SONATA TRADING COMPU\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk


--- TASK SCHEDULER JOBS ---

no .job files found


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


FINISHED

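The "--- File associations ---" block at the end of the reglooks.exe log above is one of the first things a helper reads, because the shell\open\command values for .EXE, .BAT, .COM, .PIF and .SCR are a classic place for malware to insert itself (every program launch then passes through the attacker's binary). Here the values are all at the Windows XP defaults. As an added example, not part of the thread and not code from the tool that produced the log, this Python checker parses those lines and flags any that are missing or differ from the defaults. The second sample is constructed for the demonstration; the loader.exe path in it is a placeholder, not something from the posted log.

```python
import re
from typing import Dict, List, Tuple

# Windows XP defaults for shell\open\command of the file types this style of
# log reports, written the way the log prints them. A system may legitimately
# differ (a third-party editor registered for .TXT, say), so a flagged entry is
# a lead to check against the machine, not proof of infection by itself.
EXPECTED_DEFAULTS: Dict[str, str] = {
    ".BAT": '"%1" %*',
    ".COM": '"%1" %*',
    ".EXE": '"%1" %*',
    ".PIF": '"%1" %*',
    ".SCR": '"%1" /S',
    ".REG": 'regedit.exe "%1"',
    ".HLP": '%SystemRoot%\\System32\\winhlp32.exe %1',
    ".INF": '%SystemRoot%\\System32\\NOTEPAD.EXE %1',
    ".INI": '%SystemRoot%\\System32\\NOTEPAD.EXE %1',
    ".TXT": '%SystemRoot%\\System32\\NOTEPAD.EXE %1',
    ".JS": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
    ".VBS": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
}

# One association line of the log, e.g.   .EXE files: ("%1" %*)
ASSOC_LINE = re.compile(r'^\s*(\.[A-Za-z0-9]+) files:\s*\((.*)\)\s*$')


def parse_associations(log_text: str) -> Dict[str, str]:
    """Map upper-cased extension -> open command for every association line found."""
    found: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = ASSOC_LINE.match(line)
        if m:
            found[m.group(1).upper()] = m.group(2).strip()
    return found


def _normalize(command: str) -> str:
    # Case and run-together whitespace are not significant for these commands.
    return " ".join(command.split()).lower()


def find_association_changes(log_text: str) -> List[Tuple[str, str]]:
    """Return (extension, observed command) for each association that is absent
    from the log or differs from the XP default. Empty list = defaults intact."""
    observed = parse_associations(log_text)
    changes: List[Tuple[str, str]] = []
    for ext, default in EXPECTED_DEFAULTS.items():
        actual = observed.get(ext)
        if actual is None:
            changes.append((ext, "missing from log"))
        elif _normalize(actual) != _normalize(default):
            changes.append((ext, actual))
    return changes


# The association section exactly as it appears in the log posted above.
LOG_FROM_POST = r"""
--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
"""

# Constructed sample (not from the thread): .EXE launches go through an extra
# executable (placeholder path) and the .SCR line is absent; both get flagged.
HIJACKED_SAMPLE = r"""
.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("C:\Documents and Settings\user\Application Data\loader.exe" "%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
"""

if __name__ == "__main__":
    for label, sample in (("posted log", LOG_FROM_POST), ("constructed sample", HIJACKED_SAMPLE)):
        changes = find_association_changes(sample)
        print(f"{label}: {'all defaults intact' if not changes else changes}")
```

Run as a script it reports the posted log as clean and lists the two deviations in the constructed sample. The comparison is deliberately loose on case and spacing, because Windows treats both as insignificant and a strict string compare would produce noise on the legitimate `system32` / `System32` variation visible in the log itself.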
#9 miekiemoes (Malware Response Team, Belgium)

Posted 11 July 2007 - 06:33 AM

Hi,

Everything is looking OK here..

I chose BitDefender antivirus because when I used Kaspersky anti virus it found that I have detected: riskware Mass-mailer software Running process: C:\WINDOWS\Explorer.EXE. and could not get rid of this. Is it now gone?

Yes, it should be gone. It wasn't your Explorer.exe which was infected but a dll injected into explorer.exe which was responsible for this. The dll is gone now as Combofix already deleted it previously.

How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 jaf3100 (Topic Starter)

Posted 11 July 2007 - 05:02 PM

Miekiemoes,
The only other thing now that I notice as I boot up the computer is that New Hardware window pops up now saying that PCTools Driver #3 not installed. What is that? Do I need this? If not how do I get rid of it?

Also, I am running Sygate firewall and on boot up a window pops up regarding accepting or denying Windows Genuine Advantage Notification (WgaTray.exe). I do not accept it. What do I do with this?

Let me know. Thanks for the help.

#11 miekiemoes (Malware Response Team, Belgium)

Posted 11 July 2007 - 05:12 PM

The PCTools error is related to the PC Tools Firewall Plus you have installed, as I see from your Combofix log:

2007-06-20 21:50 <DIR> d-------- C:\DOCUME~1\SONATA~1\APPLIC~1\PCToolsFirewallPlus
2007-06-20 21:42 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus

Actually, you already have Sygate installed as well, so please uninstall the PC Tools Firewall Plus as more than 1 firewall installed may cause a lot of problems.

Also, I am running Sygate firewall and on boot up a window pops up regarding accepting or denying Windows Genuine Advantage Notification (WgaTray.exe). I do not accept it. What do I do with this?

Accept it. It's related to the Windows Genuine Advantage Notification.
More info here: http://support.microsoft.com/kb/905474

#12 jaf3100 (Topic Starter)

Posted 11 July 2007 - 05:45 PM

Miekiemoes,
I cannot find the file under programs. I deleted it a few days ago. I did a file search for "pc tools" and came up with this below:

combofix.txt
combofix2.txt
combfix3.txt
Firewallplus2uninstall.log
setup.inf
scanlog.txt
collecteddata_6133.xml
collecteddata_6135.xml
collecteddata_6163.xml
collecteddata_6165.xml
collecteddata_6373.xml
collecteddata_6375.xml

I tried going to device manager and right clicking on it and choosing uninstall but I get a box that says 'failed to uninstall this device. this device may be required to boot up the computer'.

How do I get rid of it?

Also, Sygate firewall just popped up with a box that says NT Kernel_System has changed since the last time you used it. File path is:
C:\WINDOWS\system32\ntoskrnl.exe. Do I allow this or not?

Thanks again.

#13 miekiemoes (Malware Response Team, Belgium)

Posted 11 July 2007 - 06:02 PM

Hi,

For your PCTools Firewall Plus, it may be better to post this issue at PCTools forum here:
http://www.pctools.com/forum/forumdisplay.php?f=30

Looks like more people are having this problem:
http://www.pctools.com/forum/showthread.php?t=45528
http://www.pctools.com/forum/showthread.php?t=46104

But as I said, better to post there since they are the experts and know exactly what to remove, as your version may be different from the above ones.

Also, Sygate firewall just popped up with a box that says NT Kernel_System has changed since the last time you used it. File path is:
C:\WINDOWS\system32\ntoskrnl.exe. Do I allow this or not?

Yes, allow it. You'll get such messages frequently after you have updated your Windows for example.

#14 jaf3100 (Topic Starter)

Posted 11 July 2007 - 07:19 PM

miekiemoes,
Thanks I will check out those links for help with deleting pctools firewall.

The only other problem I have is when I click on a link like the 3 you just posted I get 2 internet explorer windows that pop open? One displaying the link and another internet explorer window that is blank just a white page and no url or anything? How do I fix this?

Can I delete reglooks.exe, combofix.exe and hijackthis.zip files or is it alright to keep them on the desktop?

Thanks.

#15 miekiemoes (Malware Response Team, Belgium)

Posted 12 July 2007 - 12:42 AM

Hi,

The only other problem I have is when I click on a link like the 3 you just posted I get 2 internet explorer windows that pop open? One displaying the link and another internet explorer window that is blank just a white page and no url or anything? How do I fix this?

Try next..

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window_Placement"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"ITBarLayout"=-

Save this as fix.reg. Choose to save as *all files and place it on your desktop.
It should look like this: [screenshot not reproduced]
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Can I delete reglooks.exe, combofix.exe and hijackthis.zip files or is it alright to keep them on the desktop?

Yes, delete them.

And glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!



