Weird Music Playing On My Computer


  • This topic is locked
21 replies to this topic

#1 MobysFan

Posted 11 July 2007 - 03:57 PM

My computer started doing something weird today when I got home. When I got online I could hear music and people talking in the background. I also am being overwhelmed with pop-ups. I ran all the scans and came up with quite a few, deleted all those and ran hijackthis. I have posted the HJT log below. Can someone please help me figure out this problem?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:31 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\oevuhgyA.exe
C:\WINDOWS\retadpu1000106.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mary\Desktop\stinger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eyeseek.com/firstsite.asp?b=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vdbfxyt.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [oevuhgyA] C:\WINDOWS\oevuhgyA.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [{BB-B7-7F-F0-ZN}] c:\windows\system32\dwdsregt.exe SKY009
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Admin comp] C:\DOCUME~1\Mary\APPLIC~1\DEADDE~1\Media New Tray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Policies\Explorer\Run: [{9C3BB7F0-0C78-1033-1123-040405120001}] "C:\Program Files\Common Files\{9C3BB7F0-0C78-1033-1123-040405120001}\Update.exe" mc-110-12-0000140
O4 - Startup: TA_Start.lnk = C:\WINDOWS\jclrk0578.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161449025265
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 9175 bytes
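The entries a helper looks for first in a log like the one above (an extra program chained onto Userinit, executables dropped straight into C:\WINDOWS or under Application Data, bare filenames, paths with unrenderable lookalike characters, services with no vendor, orphaned "(no file)" references) can be checked mechanically. The script below is an added example, not part of this thread and not HijackThis code; it runs over a few constructed lines modelled on the log above, with the QuickTime and Creative entries kept as clean controls.

```python
import re
from typing import Dict, List

# Constructed sample modelled on entries from the HijackThis log in this thread
# (a handful of lines, not the whole log; the QuickTime and Creative entries are clean controls).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vdbfxyt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oevuhgyA] C:\WINDOWS\oevuhgyA.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Uybfyruu] C:\WINDOWS\system32\F?nts\c?rss.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Mary\Application Data\Microsoft\Windows\bwvvqv.exe
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
"""

# Line shapes used by HijackThis for the entry types handled here.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: UserInit=(?P<value>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
# First image path in a command line, with or without surrounding quotes.
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)
# An image sitting directly in the Windows folder rather than in a subfolder.
WINROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+$', re.IGNORECASE)


def assess_path(path: str) -> List[str]:
    """Heuristic red flags for an autostart image path; each string is one reason."""
    reasons: List[str] = []
    if '?' in path:
        # The log prints characters it cannot render as '?'. A system-looking name with one
        # such character swapped in (F?nts\c?rss.exe) is a lookalike, not Fonts\csrss.exe.
        reasons.append("lookalike path with unrenderable characters")
    if '\\' not in path:
        reasons.append("bare filename, real location depends on PATH search at logon")
    if WINROOT_RE.match(path):
        reasons.append("executable placed directly in the Windows folder")
    if re.search(r'\\application data\\', path, re.IGNORECASE):
        reasons.append("executable under a user profile's Application Data")
    return reasons


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious entry's label (Run value name, service name, ...) to its reasons."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('(no file)'):
            # e.g. "R3 - URLSearchHook: (no name) - {GUID} - (no file)" -> label "URLSearchHook"
            label = line.split(' - ', 1)[1].split(':', 1)[0]
            findings.setdefault(label, []).append("orphaned entry, referenced file is gone")
            continue
        m = F2_RE.match(line)
        if m:
            # Userinit normally lists only userinit.exe; anything chained after it runs at every logon.
            extras = [p.strip() for p in m.group('value').split(',')
                      if p.strip() and not p.strip().lower().endswith('userinit.exe')]
            if extras:
                findings.setdefault('UserInit', []).append(
                    "extra program chained after userinit.exe: " + ", ".join(extras))
            continue
        m = O4_RE.match(line)
        if m:
            img = IMAGE_RE.match(m.group('cmd'))
            reasons = assess_path(img.group('path')) if img else ["could not parse image path"]
            if reasons:
                findings[m.group('name')] = reasons
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group('path').replace(' (file missing)', '')
            reasons = assess_path(path)
            if reasons and m.group('owner') == 'Unknown owner':
                reasons.append("service has no owner/vendor string")
            if reasons:
                findings[m.group('name')] = reasons
    return findings


if __name__ == "__main__":
    for label, why in analyze(SAMPLE_LOG).items():
        print(f"{label}: {'; '.join(why)}")
```

The rules are deliberately narrow so that well-known vendor entries pass; anything they flag still needs a human to confirm, as the helpers in this thread do.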


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:55 PM

Posted 17 July 2007 - 11:16 AM

Hello,

Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Perform the next instructions in the right order.

I see you have the NeoPets toolbar installed. This Toolbar has a questionable reputation, so that's why I recommend you uninstall it.

Then,
* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in the next picture:
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program

Then,
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#3 MobysFan

Posted 17 July 2007 - 12:22 PM

I followed the instructions in the post and here are my combofix and HJT logs.

"Mary" - 2007-07-17 13:15:34 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


2007-07-17 12:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-17 08:13 49,152 --a------ C:\WINDOWS\TISKY009.exe
2007-07-17 08:13 <DIR> d-------- C:\WINDOWS\system32\Z11
2007-07-17 08:13 <DIR> d-------- C:\WINDOWS\system32\b10FdUe
2007-07-17 00:10 28,672 --a------ C:\WINDOWS\system32\f3PSSavr.scr
2007-07-17 00:10 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\FunWebProducts
2007-07-17 00:09 <DIR> d-------- C:\Program Files\MyWebSearch
2007-07-17 00:09 <DIR> d-------- C:\Program Files\FunWebProducts
2007-07-14 20:00 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Ahead
2007-07-14 00:09 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-13 19:04 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\IMVU
2007-07-13 16:47 32,760 --a------ C:\WINDOWS\b104.exe.bin
2007-07-11 17:52 <DIR> d-------- C:\Program Files\Neopets
2007-07-11 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-11 16:45 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-11 15:44 54,784 --a------ C:\WINDOWS\oevuhgy.exe
2007-07-11 15:44 1,126,352 -r-hs---- C:\WINDOWS\oevuhgyA.exe
2007-07-11 15:44 <DIR> d-------- C:\WINDOWS\system32\driver
2007-07-11 15:44 <DIR> d-------- C:\WINDOWS\system32\b02FdUe
2007-07-11 06:29 22,016 --a------ C:\WINDOWS\b138.exe
2007-07-07 01:14 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-07-07 01:07 <DIR> d-------- C:\Program Files\Nero
2007-07-07 01:07 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-26 14:52 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\EA
2007-06-26 14:51 <DIR> d-------- C:\Program Files\Harvest Mania To Go
2007-06-24 20:27 17,664 --a------ C:\WINDOWS\system32\drivers\ppa3.sys
2007-06-24 20:26 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Active Disk
2007-06-24 20:24 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-06-24 20:23 <DIR> d-------- C:\Program Files\Iomega
2007-06-22 09:04 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Sandlot Games
2007-06-22 08:22 <DIR> d-------- C:\Program Files\Burger Island
2007-06-22 08:22 <DIR> d-------- C:\Program Files\Birdies


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 04:01:57 -------- d-----w C:\Program Files\MySpace
2007-07-11 21:52:47 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Neopets Toolbar
2007-07-11 21:51:24 -------- d-----w C:\Program Files\Google
2007-07-10 11:41:26 -------- d-----w C:\Program Files\World of Warcraft
2007-07-07 23:12:32 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Creative
2007-06-23 02:28:09 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Paltalk
2007-06-12 12:43:06 -------- d-----w C:\Program Files\Nanny Mania
2007-06-08 02:46:53 -------- d-----w C:\Program Files\Alice Greenfingers
2007-06-05 13:07:22 -------- d-----w C:\Program Files\Happy Hour
2007-06-05 13:07:04 -------- d-----w C:\Program Files\Sushi Frenzy
2007-06-05 12:21:20 -------- d-----w C:\Program Files\Sheeplings
2007-05-24 19:23:51 -------- d-----w C:\Program Files\Paltalk Messenger
2007-05-24 19:16:57 -------- d-----w C:\Program Files\Virtual Villagers 2
2007-05-24 19:16:17 -------- d-----w C:\Program Files\The Wonderful Wizard Of Oz
2007-05-24 19:16:12 -------- d-----w C:\Program Files\The Rise Of Atlantis
2007-05-24 19:16:00 -------- d-----w C:\Program Files\Recyclorama
2007-05-24 19:15:53 -------- d-----w C:\Program Files\Rainbow Mystery
2007-05-24 19:15:41 -------- d-----w C:\Program Files\Monarch The Butterfly King
2007-05-24 19:15:33 -------- d-----w C:\Program Files\Magic Academy
2007-05-24 19:15:24 -------- d-----w C:\Program Files\Little Shop Of Treasures
2007-05-24 19:15:13 -------- d-----w C:\Program Files\LEGO Chic Boutique
2007-05-24 19:15:05 -------- d-----w C:\Program Files\Grimms Hatchery
2007-05-24 19:14:54 -------- d-----w C:\Program Files\Flower Shop Big City Break
2007-05-24 19:14:27 -------- d-----w C:\Program Files\e-Sword
2007-05-24 19:14:07 -------- d-----w C:\Program Files\Diner Dash Flo On The Go
2007-05-24 19:13:57 -------- d-----w C:\Program Files\Cathys Caribbean Club
2007-05-24 19:13:52 -------- d-----w C:\Program Files\Candy Can
2007-05-24 19:13:47 -------- d-----w C:\Program Files\Burger Rush
2007-05-24 19:13:34 -------- d-----w C:\Program Files\Believe In Santa
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 19:53:07 26,262,224 ----a-w C:\Program Files\LittleShopOfTreasuresSetup.exe
2007-04-12 19:28:49 18,922,054 ----a-w C:\Program Files\MagicAcademySetup.exe
2007-04-12 19:01:56 13,391,291 ----a-w C:\Program Files\CandyCanSetup.exe
2007-04-11 19:43:35 19,061,111 ----a-w C:\Program Files\TheRiseOfAtlantisSetup.exe
2007-04-09 20:43:30 18,498,594 ----a-w C:\Program Files\CathysCaribbeanClubSetup.exe
2007-04-09 20:42:50 18,177,470 ----a-w C:\Program Files\BurgerRushSetup.exe
2007-04-04 00:12:10 13,817,440 ----a-w C:\Program Files\bitdefender_free_v8.exe
2007-04-04 00:04:07 1,144,839 ----a-w C:\Program Files\stng260.exe
2007-04-03 21:00:43 67,072 ----a-w C:\Program Files\STOPzilla_Setup.exe
2007-04-02 01:41:54 35,992 ----a-w C:\DOCUME~1\Mary\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-29 20:06:06 18,267,006 ----a-w C:\Program Files\MonarchSetup.exe
2007-03-17 17:25:25 29,938,599 ----a-w C:\Program Files\VirtualVillagers2Setup.exe
2007-01-03 02:43:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-04-27 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-08-13 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 16:21 440056 --a------ C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-07-11 17:51 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD292324-974F-4224-D074-CACA427AA030}]
2007-01-08 18:28 640552 --a------ C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"My Web Search Bar"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL" [2007-07-17 00:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [2007-07-17 00:09]
"My Web Search Community Tools"="C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe" [2007-07-17 00:09]
"Sen"="C:\WINDOWS\system32\YMANTE~1\winspool.exe" []
"Uybfyruu"="C:\WINDOWS\system32\F?nts\c?rss.exe" []
"SfKg6w"="C:\Documents and Settings\Mary\Application Data\Microsoft\Windows\bwvvqv.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" [2006-06-16 10:38]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admin comp]
C:\DOCUME~1\Mary\APPLIC~1\DEADDE~1\Media New Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
"C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
"C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMFibula]
"C:\Program Files\CMFibula\CMFibula.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\qwinopdt.exe SKY009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINDOWS\system32\rhqcjwfy.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDream]
"C:\Program Files\PSDream\PSDream.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swhkynrA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{BB-B7-7F-F0-ZN}]
c:\windows\system32\ondsregm.exe SKY009

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-07-14 11:14:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-17 17:00:02 C:\WINDOWS\tasks\B7BF95F985901505.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-17 13:16:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\icwcache.dll
C:\WINDOWS\system32\tftpsvr.exe
C:\WINDOWS\system32\dbg32.dll
C:\WINDOWS\system32\drivers\rootmd2k.sys
C:\WINDOWS\system32\drivers\irenumnt.sys
C:\WINDOWS\system32\drivers\dxgex.sys

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dxgex]
"ImagePath"="system32\drivers\dxgex.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\irenumnt]
"ImagePath"="system32\drivers\irenumnt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\rootmd2k]
"ImagePath"="system32\drivers\rootmd2k.sys"

Completion time: 2007-07-17 13:16:57
C:\ComboFix-quarantined-files.txt ... 2007-07-17 13:16

--- E O F ---

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:35 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - (no file)
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\system32\YMANTE~1\winspool.exe" -vt yazb
O4 - HKCU\..\Run: [Uybfyruu] C:\WINDOWS\system32\F?nts\c?rss.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Mary\Application Data\Microsoft\Windows\bwvvqv.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm086MFUS
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161449025265
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6653 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 July 2007 - 12:46 PM

Hi,

How long has your system already been infected? Because as far as I can see, I see leftovers from infections present from more than 1 year ago :thumbsup:
Why did you disable your Bitdefender from Msconfig? No wonder this system is so terribly infected, because your Antivirus is disabled.
Please enable it again. If there's any other reason why you disabled it (because it wasn't working properly or wasn't able to update anymore, etc.), please let me know, because you are supposed to have a fully working Antivirus on your system and not one which is disabled or not working properly.

I also really hope you have backed up your important data first, as I already posted in my previous post, because you have some very nasty infections present here which make a system VERY unstable, and because of that, removal tools may not function properly.
These infections damage A LOT and may make systems unbootable - so that's why it's so important to back up your important data first.
So if you haven't done this before, back up your important data first before proceeding with the next steps...

Then,

Uninstall MyWebsearch via start > add/remove programs.
I also see you didn't uninstall the Neopets Toolbar. I asked you this for a reason, because it has a questionable reputation and spies on you.
Reboot afterwards.
After reboot,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\tasks\B7BF95F985901505.job
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\oevuhgy.exe
C:\WINDOWS\oevuhgyA.exe
C:\WINDOWS\b138.exe

Collect::
C:\WINDOWS\system32\icwcache.dll
C:\WINDOWS\system32\tftpsvr.exe
C:\WINDOWS\system32\dbg32.dll
C:\WINDOWS\system32\drivers\rootmd2k.sys
C:\WINDOWS\system32\drivers\irenumnt.sys
C:\WINDOWS\system32\drivers\dxgex.sys

Folder::
C:\DOCUME~1\Mary\APPLIC~1\DEADDE~1
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\b02FdUe
C:\DOCUME~1\Mary\APPLIC~1\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\FunWebProducts
C:\WINDOWS\system32\Z11
C:\WINDOWS\system32\b10FdUe

Driver::
dxgex
irenumnt
rootmd2k

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD292324-974F-4224-D074-CACA427AA030}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"=-
"My Web Search Community Tools"=-
"Sen"=-
"Uybfyruu"=-
"SfKg6w"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admin comp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMFibula]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDream]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swhkynrA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{BB-B7-7F-F0-ZN}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
It will also create a file on your desktop with the name submit[date].zip.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the submit[date].zip

Select it and click ok.
Then click the Send File button below.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
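As an added example (not BleepingComputer's, HijackThis's or ComboFix's code), the Python below applies the signals behind the CFScript in this post to sample O2/O4 lines taken from the HijackThis log on this page and renders the hits in the same Registry:: syntax; the heuristics, the component-name list and the assumption of a C: system drive are mine.

```python
"""Triage HijackThis O2/O4 lines and emit a CFScript Registry:: block.

Added example, not code from BleepingComputer, HijackThis or ComboFix: it flags the kinds of
loading points the helper's CFScript above removes and prints them in the same Registry::
syntax. These are heuristics for a human to review, not verdicts."""
import ntpath
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List

# Constructed sample: O2/O4 lines copied from the HijackThis log on this page.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\system32\YMANTE~1\winspool.exe" -vt yazb
O4 - HKCU\..\Run: [Uybfyruu] C:\WINDOWS\system32\F?nts\c?rss.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Mary\Application Data\Microsoft\Windows\bwvvqv.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First executable-looking token of a Run command, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|pif|bat|cmd))"?(?=\s|$)', re.I)

# Registry keys behind the HijackThis hive abbreviations, written the way CFScript expects them.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"  # ComboFix shorthand, as used on this page
# Windows component names that should only start from the Windows directories ("winspool" is
# really winspool.drv, so a winspool.exe is a lookalike). Assumes the system drive is C:.
COMPONENT_STEMS = {"csrss", "smss", "winlogon", "services", "lsass", "svchost", "spoolsv", "winspool", "explorer"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

@dataclass
class Finding:
    kind: str           # "O2" or "O4"
    name: str           # BHO display name or Run value name
    hive: str           # HKLM / HKCU / HKUS for O4, "" for O2
    clsid: str          # O2 only
    reasons: List[str]

def command_path(cmd: str) -> str:
    m = EXE_RE.match(cmd)
    return m["path"] if m else cmd  # whole command if no executable token is recognised

def o4_reasons(name: str, path: str) -> List[str]:
    """Return the heuristics an O4 Run entry trips (empty list means nothing suspicious)."""
    reasons = []
    if "?" in path:
        # '?' is illegal in an NTFS name; HijackThis prints it for characters it cannot render,
        # which is how F?nts\c?rss.exe masquerades as Fonts\csrss.exe.
        reasons.append("path contains '?': non-displayable characters mimicking a system path")
    if re.search(r"\\Application Data\\", path, re.I):
        reasons.append("starts from a user profile's Application Data folder")
    if " " not in name and re.search(r"[A-Za-z]", name) and re.search(r"\d", name):
        reasons.append("value name mixes letters and digits (machine-generated name)")
    directory, base = ntpath.split(path)
    stem = ntpath.splitext(base)[0].lower()  # '?' in the stem acts as a wildcard for the match below
    if any(fnmatchcase(c, stem) for c in COMPONENT_STEMS) and directory.lower() not in SYSTEM_DIRS:
        reasons.append(f"'{base}' resembles a Windows component but runs from {directory}")
    return reasons

def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis lines; return the O2/O4 entries that trip a heuristic, in log order."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = O2_RE.match(line)
        if m:
            if m["path"].strip() == "(no file)":
                findings.append(Finding("O2", m["name"], "", m["clsid"],
                                        ["BHO registered but its DLL is gone (orphaned loading point)"]))
            continue
        m = O4_RE.match(line)
        if m:
            reasons = o4_reasons(m["name"], command_path(m["cmd"]))
            if reasons:
                findings.append(Finding("O4", m["name"], m["key"].split("\\")[0], "", reasons))
    return findings

def cfscript_registry(findings: List[Finding]) -> str:
    """Render the hits as a CFScript Registry:: section in the syntax shown on this page."""
    lines = ["Registry::"]
    lines += [f"[-{BHO_KEY}\\{{{f.clsid}}}]" for f in findings if f.kind == "O2"]
    for hive, key in RUN_KEYS.items():  # HKUS entries are left for manual handling
        names = [f.name for f in findings if f.kind == "O4" and f.hive == hive]
        if names:
            lines.append(f"[{key}]")
            lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines)
```

Running `triage(SAMPLE_LOG)` flags the orphaned BHO and the three Run entries the helper removed, and `cfscript_registry` prints them as the BHO and HKCU Run lines of the CFScript above.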

#5 MobysFan

MobysFan
  • Topic Starter

  • Members
  • 25 posts

Posted 17 July 2007 - 02:33 PM

I just started having these problems recently. The computer I am having problems with hasn't been used in a while; that's probably why there are old infections on it. I enabled BitDefender again and followed the rest of the instructions. Here are my results.


"Mary" - 2007-07-17 15:23:38 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


2007-07-17 12:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-17 08:13 49,152 --a------ C:\WINDOWS\TISKY009.exe
2007-07-17 08:13 <DIR> d-------- C:\WINDOWS\system32\Z11
2007-07-17 08:13 <DIR> d-------- C:\WINDOWS\system32\b10FdUe
2007-07-17 00:10 <DIR> d-a------ C:\DOCUME~1\Mary\APPLIC~1\FunWebProducts
2007-07-17 00:09 <DIR> d-a------ C:\Program Files\FunWebProducts
2007-07-17 00:09 <DIR> d-------- C:\Program Files\MyWebSearch
2007-07-14 20:00 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Ahead
2007-07-14 00:09 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-13 19:04 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\IMVU
2007-07-13 16:47 32,760 --a------ C:\WINDOWS\b104.exe.bin
2007-07-11 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-11 16:45 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-11 15:44 54,784 --a------ C:\WINDOWS\oevuhgy.exe
2007-07-11 15:44 1,126,352 -r-hs---- C:\WINDOWS\oevuhgyA.exe
2007-07-11 15:44 <DIR> d-------- C:\WINDOWS\system32\driver
2007-07-11 15:44 <DIR> d-------- C:\WINDOWS\system32\b02FdUe
2007-07-11 06:29 22,016 --a------ C:\WINDOWS\b138.exe
2007-07-07 01:14 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-07-07 01:07 <DIR> d-------- C:\Program Files\Nero
2007-07-07 01:07 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-26 14:52 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\EA
2007-06-26 14:51 <DIR> d-------- C:\Program Files\Harvest Mania To Go
2007-06-24 20:27 17,664 --a------ C:\WINDOWS\system32\drivers\ppa3.sys
2007-06-24 20:26 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Active Disk
2007-06-24 20:24 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-06-24 20:23 <DIR> d-------- C:\Program Files\Iomega
2007-06-22 09:04 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Sandlot Games
2007-06-22 08:22 <DIR> d-------- C:\Program Files\Burger Island
2007-06-22 08:22 <DIR> d-------- C:\Program Files\Birdies


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 18:02:39 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Neopets Toolbar
2007-07-17 04:01:57 -------- d-----w C:\Program Files\MySpace
2007-07-11 21:51:24 -------- d-----w C:\Program Files\Google
2007-07-10 11:41:26 -------- d-----w C:\Program Files\World of Warcraft
2007-07-07 23:12:32 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Creative
2007-06-23 02:28:09 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Paltalk
2007-06-12 12:43:06 -------- d-----w C:\Program Files\Nanny Mania
2007-06-08 02:46:53 -------- d-----w C:\Program Files\Alice Greenfingers
2007-06-05 13:07:22 -------- d-----w C:\Program Files\Happy Hour
2007-06-05 13:07:04 -------- d-----w C:\Program Files\Sushi Frenzy
2007-06-05 12:21:20 -------- d-----w C:\Program Files\Sheeplings
2007-05-24 19:23:51 -------- d-----w C:\Program Files\Paltalk Messenger
2007-05-24 19:16:57 -------- d-----w C:\Program Files\Virtual Villagers 2
2007-05-24 19:16:17 -------- d-----w C:\Program Files\The Wonderful Wizard Of Oz
2007-05-24 19:16:12 -------- d-----w C:\Program Files\The Rise Of Atlantis
2007-05-24 19:16:00 -------- d-----w C:\Program Files\Recyclorama
2007-05-24 19:15:53 -------- d-----w C:\Program Files\Rainbow Mystery
2007-05-24 19:15:41 -------- d-----w C:\Program Files\Monarch The Butterfly King
2007-05-24 19:15:33 -------- d-----w C:\Program Files\Magic Academy
2007-05-24 19:15:24 -------- d-----w C:\Program Files\Little Shop Of Treasures
2007-05-24 19:15:13 -------- d-----w C:\Program Files\LEGO Chic Boutique
2007-05-24 19:15:05 -------- d-----w C:\Program Files\Grimms Hatchery
2007-05-24 19:14:54 -------- d-----w C:\Program Files\Flower Shop Big City Break
2007-05-24 19:14:27 -------- d-----w C:\Program Files\e-Sword
2007-05-24 19:14:07 -------- d-----w C:\Program Files\Diner Dash Flo On The Go
2007-05-24 19:13:57 -------- d-----w C:\Program Files\Cathys Caribbean Club
2007-05-24 19:13:52 -------- d-----w C:\Program Files\Candy Can
2007-05-24 19:13:47 -------- d-----w C:\Program Files\Burger Rush
2007-05-24 19:13:34 -------- d-----w C:\Program Files\Believe In Santa
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 19:53:07 26,262,224 ----a-w C:\Program Files\LittleShopOfTreasuresSetup.exe
2007-04-12 19:28:49 18,922,054 ----a-w C:\Program Files\MagicAcademySetup.exe
2007-04-12 19:01:56 13,391,291 ----a-w C:\Program Files\CandyCanSetup.exe
2007-04-11 19:43:35 19,061,111 ----a-w C:\Program Files\TheRiseOfAtlantisSetup.exe
2007-04-09 20:43:30 18,498,594 ----a-w C:\Program Files\CathysCaribbeanClubSetup.exe
2007-04-09 20:42:50 18,177,470 ----a-w C:\Program Files\BurgerRushSetup.exe
2007-04-04 00:12:10 13,817,440 ----a-w C:\Program Files\bitdefender_free_v8.exe
2007-04-04 00:04:07 1,144,839 ----a-w C:\Program Files\stng260.exe
2007-04-03 21:00:43 67,072 ----a-w C:\Program Files\STOPzilla_Setup.exe
2007-04-02 01:41:54 35,992 ----a-w C:\DOCUME~1\Mary\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-29 20:06:06 18,267,006 ----a-w C:\Program Files\MonarchSetup.exe
2007-03-17 17:25:25 29,938,599 ----a-w C:\Program Files\VirtualVillagers2Setup.exe
2007-01-03 02:43:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-04-27 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-08-13 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 16:21 440056 --a------ C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-07-11 17:51 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]
"Sen"="C:\WINDOWS\system32\YMANTE~1\winspool.exe" []
"Uybfyruu"="C:\WINDOWS\system32\F?nts\c?rss.exe" []
"SfKg6w"="C:\Documents and Settings\Mary\Application Data\Microsoft\Windows\bwvvqv.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" [2006-06-16 10:38]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admin comp]
C:\DOCUME~1\Mary\APPLIC~1\DEADDE~1\Media New Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
"C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
"C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMFibula]
"C:\Program Files\CMFibula\CMFibula.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\qwinopdt.exe SKY009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINDOWS\system32\rhqcjwfy.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDream]
"C:\Program Files\PSDream\PSDream.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swhkynrA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{BB-B7-7F-F0-ZN}]
c:\windows\system32\ondsregm.exe SKY009


Contents of the 'Scheduled Tasks' folder
2007-07-14 11:14:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-17 19:00:00 C:\WINDOWS\tasks\B7BF95F985901505.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-17 15:24:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\icwcache.dll
C:\WINDOWS\system32\tftpsvr.exe
C:\WINDOWS\system32\dbg32.dll
C:\WINDOWS\system32\drivers\rootmd2k.sys
C:\WINDOWS\system32\drivers\irenumnt.sys
C:\WINDOWS\system32\drivers\dxgex.sys

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dxgex]
"ImagePath"="system32\drivers\dxgex.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\irenumnt]
"ImagePath"="system32\drivers\irenumnt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\rootmd2k]
"ImagePath"="system32\drivers\rootmd2k.sys"

Completion time: 2007-07-17 15:25:16
C:\ComboFix-quarantined-files.txt ... 2007-07-17 15:25
C:\ComboFix2.txt ... 2007-07-17 13:16

--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:12 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\system32\YMANTE~1\winspool.exe" -vt yazb
O4 - HKCU\..\Run: [Uybfyruu] C:\WINDOWS\system32\F?nts\c?rss.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Mary\Application Data\Microsoft\Windows\bwvvqv.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm086MFUS
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161449025265
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6219 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 July 2007 - 02:38 PM

Hi,

Please read my previous instructions, because I don't see that you have done the step with CFScript properly.
Nothing has been changed here.
Are you having problems with the instructions about CFScript? Is there anything you don't understand? Please let me know...

#7 MobysFan

  • Topic Starter
  • Members
  • 25 posts

Posted 17 July 2007 - 02:43 PM

I dragged the CFScript onto the Combofix just like the picture showed. It opened the box and it gave me the zip file. I sent that in to be analyzed. I also ran HJT again and posted my results. I will try it again.

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 July 2007 - 02:50 PM

I sent that in to be analyzed

I didn't receive anything either though... Where did you send it?

First, make sure that CFScript is made in Notepad.
Second, when you drag the CFScript into ComboFix, ComboFix will start again as it did before. I see the CFScript wasn't properly dragged in here, since I don't see Command switches being used at the top in ComboFix.

Also, when the logfile opens, it's combofix.txt, so make sure you don't post combofix2.txt or combofix3.txt etc, because they are older logs as the new log gets overwritten.

So please try again :thumbsup:

#9 MobysFan

  • Topic Starter
  • Members
  • 25 posts

Posted 17 July 2007 - 03:00 PM

I copied the URL and attached the zip file in the malware submission link. Then I clicked on send file but nothing is happening. I tried dragging CFScript into ComboFix again and let it run. It gave me a new zip file, rebooted and gave me a new logfile. When the logfile popped up I copied it, and then I ran HJT and copied the file that popped up as well. I pasted the logs just like they popped up on my computer. Let's hope it works this time.

"Mary" - 2007-07-17 15:47:28 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Mary\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Mary\APPLIC~1\DEADDE~1
C:\DOCUME~1\Mary\APPLIC~1\DEADDE~1\E9301321
C:\DOCUME~1\Mary\APPLIC~1\FunWebProducts
C:\DOCUME~1\Mary\APPLIC~1\FunWebProducts\Data\Mary\avatar.dat
C:\DOCUME~1\Mary\APPLIC~1\FunWebProducts\Data\Mary\register.dat
C:\DOCUME~1\Mary\APPLIC~1\FunWebProducts\Data\Mary\zbucks.dat
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\Program Files\MyWebSearch\bar\Cache\00D21E77
C:\Program Files\MyWebSearch\bar\Cache\00D22175
C:\Program Files\MyWebSearch\bar\Cache\00D2253D.bin
C:\Program Files\MyWebSearch\bar\Cache\00D2284B.bin
C:\Program Files\MyWebSearch\bar\Cache\00D22973.bin
C:\Program Files\MyWebSearch\bar\Cache\00D22A2F.bin
C:\Program Files\MyWebSearch\bar\Cache\00D22AAC.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\b138.exe
C:\WINDOWS\oevuhgy.exe
C:\WINDOWS\oevuhgyA.exe
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\b10FdUe\b10FdUe1099.exe
C:\WINDOWS\system32\dbg32.dll
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\dxgex.sys
C:\WINDOWS\system32\drivers\irenumnt.sys
C:\WINDOWS\system32\drivers\rootmd2k.sys
C:\WINDOWS\system32\icwcache.dll
C:\WINDOWS\system32\tftpsvr.exe
C:\WINDOWS\system32\Z11
C:\WINDOWS\system32\Z11\z53.exe
C:\WINDOWS\tasks\B7BF95F985901505.job
C:\WINDOWS\TISKY009.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DXGEX
-------\LEGACY_IRENUMNT
-------\dxgex
-------\irenumnt
-------\rootmd2k


((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


2007-07-17 15:46 14 --a------ C:\DOCUME~1\Mary\getfile.dat
2007-07-17 12:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 20:00 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Ahead
2007-07-14 00:09 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-13 19:04 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\IMVU
2007-07-11 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-11 16:45 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-07 01:14 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-07-07 01:07 <DIR> d-------- C:\Program Files\Nero
2007-07-07 01:07 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-26 14:52 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\EA
2007-06-26 14:51 <DIR> d-------- C:\Program Files\Harvest Mania To Go
2007-06-24 20:27 17,664 --a------ C:\WINDOWS\system32\drivers\ppa3.sys
2007-06-24 20:26 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Active Disk
2007-06-24 20:24 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-06-24 20:23 <DIR> d-------- C:\Program Files\Iomega
2007-06-22 09:04 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Sandlot Games
2007-06-22 08:22 <DIR> d-------- C:\Program Files\Burger Island
2007-06-22 08:22 <DIR> d-------- C:\Program Files\Birdies


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 18:02:39 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Neopets Toolbar
2007-07-17 04:01:57 -------- d-----w C:\Program Files\MySpace
2007-07-11 21:51:24 -------- d-----w C:\Program Files\Google
2007-07-10 11:41:26 -------- d-----w C:\Program Files\World of Warcraft
2007-07-07 23:12:32 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Creative
2007-06-23 02:28:09 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Paltalk
2007-06-12 12:43:06 -------- d-----w C:\Program Files\Nanny Mania
2007-06-08 02:46:53 -------- d-----w C:\Program Files\Alice Greenfingers
2007-06-05 13:07:22 -------- d-----w C:\Program Files\Happy Hour
2007-06-05 13:07:04 -------- d-----w C:\Program Files\Sushi Frenzy
2007-06-05 12:21:20 -------- d-----w C:\Program Files\Sheeplings
2007-05-24 19:23:51 -------- d-----w C:\Program Files\Paltalk Messenger
2007-05-24 19:16:57 -------- d-----w C:\Program Files\Virtual Villagers 2
2007-05-24 19:16:17 -------- d-----w C:\Program Files\The Wonderful Wizard Of Oz
2007-05-24 19:16:12 -------- d-----w C:\Program Files\The Rise Of Atlantis
2007-05-24 19:16:00 -------- d-----w C:\Program Files\Recyclorama
2007-05-24 19:15:53 -------- d-----w C:\Program Files\Rainbow Mystery
2007-05-24 19:15:41 -------- d-----w C:\Program Files\Monarch The Butterfly King
2007-05-24 19:15:33 -------- d-----w C:\Program Files\Magic Academy
2007-05-24 19:15:24 -------- d-----w C:\Program Files\Little Shop Of Treasures
2007-05-24 19:15:13 -------- d-----w C:\Program Files\LEGO Chic Boutique
2007-05-24 19:15:05 -------- d-----w C:\Program Files\Grimms Hatchery
2007-05-24 19:14:54 -------- d-----w C:\Program Files\Flower Shop Big City Break
2007-05-24 19:14:27 -------- d-----w C:\Program Files\e-Sword
2007-05-24 19:14:07 -------- d-----w C:\Program Files\Diner Dash Flo On The Go
2007-05-24 19:13:57 -------- d-----w C:\Program Files\Cathys Caribbean Club
2007-05-24 19:13:52 -------- d-----w C:\Program Files\Candy Can
2007-05-24 19:13:47 -------- d-----w C:\Program Files\Burger Rush
2007-05-24 19:13:34 -------- d-----w C:\Program Files\Believe In Santa
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 19:53:07 26,262,224 ----a-w C:\Program Files\LittleShopOfTreasuresSetup.exe
2007-04-12 19:28:49 18,922,054 ----a-w C:\Program Files\MagicAcademySetup.exe
2007-04-12 19:01:56 13,391,291 ----a-w C:\Program Files\CandyCanSetup.exe
2007-04-11 19:43:35 19,061,111 ----a-w C:\Program Files\TheRiseOfAtlantisSetup.exe
2007-04-09 20:43:30 18,498,594 ----a-w C:\Program Files\CathysCaribbeanClubSetup.exe
2007-04-09 20:42:50 18,177,470 ----a-w C:\Program Files\BurgerRushSetup.exe
2007-04-04 00:12:10 13,817,440 ----a-w C:\Program Files\bitdefender_free_v8.exe
2007-04-04 00:04:07 1,144,839 ----a-w C:\Program Files\stng260.exe
2007-04-03 21:00:43 67,072 ----a-w C:\Program Files\STOPzilla_Setup.exe
2007-04-02 01:41:54 35,992 ----a-w C:\DOCUME~1\Mary\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-29 20:06:06 18,267,006 ----a-w C:\Program Files\MonarchSetup.exe
2007-03-17 17:25:25 29,938,599 ----a-w C:\Program Files\VirtualVillagers2Setup.exe
2007-01-03 02:43:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-04-27 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-08-13 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 16:21 440056 --a------ C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-07-11 17:51 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 12:19]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 12:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" [2006-06-16 10:38]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Mary\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


Contents of the 'Scheduled Tasks' folder
2007-07-14 11:14:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-17 15:50:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-17 15:51:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-17 15:51
C:\ComboFix2.txt ... 2007-07-17 15:25
C:\ComboFix3.txt ... 2007-07-17 13:16

--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:58 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm086MFUS
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161449025265
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6058 bytes
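Reading a HijackThis log like the one above by eye means picking the O2 (BHO), O4 (Run key) and O23 (service) lines apart and deciding which ones deserve a closer look. As an added illustration that is not part of this thread or of HijackThis itself, the Python below parses those three line types into records and attaches review prompts of the kind a responder applies first: a service with no publisher string ("Unknown owner"), a BHO with no display name, a Run key under the SYSTEM profile (HKUS\S-1-5-18), and an executable sitting directly in the Windows directory, which is where several of the files ComboFix deleted above (C:\WINDOWS\b138.exe, C:\WINDOWS\oevuhgy.exe) lived. The sample log is constructed from a handful of lines copied from the posted log; the heuristics are assumptions for illustration and flag entries for review, they do not decide that anything is malicious (the Ati service flagged here is a legitimate driver helper).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines in HijackThis v2 format, copied from the
# log posted in this thread. It is not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
""".strip()


@dataclass
class Entry:
    kind: str                 # "O2", "O4" or "O23"
    name: str                 # display name of the BHO / Run value / service
    path: str                 # executable or DLL the entry loads
    extra: str = ""           # CLSID (O2), registry hive (O4) or owner (O23)
    flags: List[str] = field(default_factory=list)  # review prompts, not verdicts


# Line formats as HijackThis prints them (assumed from the posted log).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First token of an unquoted command line that ends in an executable extension
# (unquoted paths may contain spaces, so a plain split on whitespace is wrong).
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Turn one O2/O4/O23 line into an Entry; other line types are ignored."""
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["path"], m["clsid"])
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], executable_of(m["cmd"]), m["hive"])
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m["name"], m["path"], m["owner"])
    return None


def triage(entry: Entry) -> Entry:
    """Attach review prompts. Heuristic assumptions for illustration only."""
    low = entry.path.lower().replace("/", "\\")
    if entry.kind == "O23" and entry.extra.lower() == "unknown owner":
        entry.flags.append("service has no publisher string")
    if entry.kind == "O2" and entry.name == "(no name)":
        entry.flags.append("BHO without a display name")
    if entry.kind == "O4" and entry.extra.upper().startswith("HKUS\\S-1-5-18"):
        entry.flags.append("Run key under the SYSTEM profile")
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", low):
        entry.flags.append("executable sits directly in the Windows directory")
    if "\\temp\\" in low or "\\local settings\\" in low:
        entry.flags.append("executable in a temp/profile cache location")
    return entry


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line.rstrip())
        if e:
            entries.append(triage(e))
    return entries


def flagged(text: str) -> List[Entry]:
    """Only the entries that carry at least one review prompt."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        mark = " <-- " + "; ".join(e.flags) if e.flags else ""
        print(f"{e.kind:<4}{e.name:<28}{e.path}{mark}")
```

Run against the sample, three of the six entries come back flagged: the unnamed Spybot BHO, the MySpaceIM value under the SYSTEM hive, and the Ati service with no publisher string. Each of those is a prompt to look the file up, not a finding; the value of the script is that it keeps the same questions being asked of every line of a long log.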

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 July 2007 - 03:04 PM

Well, it worked this time :thumbsup:

Normally there should be a new submit[date/time].zip present on your desktop.
Can you right-click that folder and select Properties? Let me know how big the file is.

#11 MobysFan

  • Topic Starter
  • Members
  • 25 posts

Posted 17 July 2007 - 03:06 PM

The zip file is 51 MB

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 July 2007 - 03:12 PM

That explains why you couldn't upload it.
I wonder what has been collected in there - since I cannot believe the files I've added to collect are so big...
Can you let me know what's in there? Please make sure you don't double-click any of these files.

#13 MobysFan

  • Topic Starter
  • Members
  • 25 posts

Posted 17 July 2007 - 03:16 PM

There is:

catchme.log
dbg32.dll
dxgex.sys
icwcache.dll
irenumnt.sys
rootmd2k.sys
tftpsvr.exe

#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 July 2007 - 03:20 PM

I guess it's mainly the tftpsvr.exe which is so huge. This file was most probably dropped by malware to use your system as a server to send more malware to others or collect important valuable data from your system.
Anyway, can you let me know how big each file is? Right-click and choose Properties.

#15 MobysFan

  • Topic Starter
  • Members
  • 25 posts

Posted 17 July 2007 - 03:27 PM

Ok

catchme.log 926

dbg32.dll 81920

dxgex.sys 17280

icwcache.dll 52881429

irenumnt.sys 16896

rootmd2k.sys 452096

tftpsvr.exe 2134016



