MyTechSupport.ca :: Your Computer Technical Resource Headquarters!

Topic: more spyware!!  (Read 2973 times)
sleepypunk1111
Full Member
« on: March 31, 2008, 10:39:40 PM »

I have no clue how they keep getting in, but another spyware infection is here.

HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34, on 2008-03-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\.tt11D.tmp
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\.tt139.tmp
C:\WINDOWS\system32\sbwltbxa.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\Program Files\BraveSentry\BraveSentry.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\aromis.exe
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\CyberDefender\AntiSpyware\cdasa0ab.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_ADM~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\wind32.exe
O4 - HKLM\..\Run: [DriveSystem] C:\WINDOWS\system32\maxpaynowti1.exe
O4 - HKLM\..\Run: [SystemDrive] C:\WINDOWS\system32\maxpaynow1.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179489774609
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE

Logged
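A rule-based first pass over a HijackThis log like the one posted above, written for this thread as an added example (it is not the HijackThis tool's own logic and not from any of the original posts). It flags what a helper scans for first: processes running from Temp, a UserInit value that chains extra executables, hosts-file redirects, orphaned BHOs, and Run-key targets with a doubled extension or sitting in the Windows root. The sample excerpt is a handful of lines copied from the log above; the rule names, severities and the Windows-root heuristic are my own assumptions.

```python
import re
from collections import namedtuple

# Constructed excerpt: a handful of lines copied from the HijackThis log
# posted above (not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\.tt11D.tmp
C:\WINDOWS\system32\sbwltbxa.exe
C:\Program Files\BraveSentry\BraveSentry.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
"""

# Rule ids and severities ("high", "medium", "info") are my own labels, not HijackThis terms.
Finding = namedtuple("Finding", "rule severity line note")

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# First .exe in the target followed by a quote, whitespace or end of line: keeps alt.exe.exe whole.
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)(?=["\s]|$)', re.I)
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}\.exe$", re.I)


def check_process(path: str) -> list:
    """Running processes: anything executing out of a Temp directory or as a .tmp file."""
    low = path.lower()
    if "\\temp\\" in low or low.endswith(".tmp"):
        return [Finding("proc-temp", "high", path, "process image runs from a Temp directory")]
    return []


def check_userinit(line: str) -> list:
    """F2 UserInit should name only userinit.exe; anything else runs at every logon."""
    value = line.split("UserInit=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extras = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    if extras:
        return [Finding("userinit-extra", "high", line, "UserInit chains: " + ", ".join(extras))]
    return []


def check_hosts(line: str) -> list:
    """O1: a hosts entry pinning a name to a non-loopback address is a redirect."""
    parts = line.split("O1 - Hosts:", 1)[1].split()
    if len(parts) >= 2 and parts[0] not in LOOPBACK:
        return [Finding("hosts-redirect", "high", line, f"{parts[1]} pinned to {parts[0]}")]
    return []


def check_bho(line: str) -> list:
    """O2: a BHO whose DLL is gone is leftover registration, low priority."""
    if line.rstrip().endswith("(no file)"):
        return [Finding("bho-orphan", "info", line, "BHO registered but its DLL is missing")]
    return []


def check_run_key(line: str) -> list:
    """O4: Run-key targets with a doubled extension or sitting directly in the Windows root."""
    m = O4_RE.match(line)
    exe_match = EXE_RE.match(m.group("target")) if m else None
    if not exe_match:
        return []
    parent, _, base = exe_match.group("exe").rpartition("\\")
    found = []
    if DOUBLE_EXT_RE.search(base):
        found.append(Finding("run-double-ext", "high", line, f"double extension: {base}"))
    if parent.lower() in ("c:\\windows", "c:\\winnt"):
        found.append(Finding("run-windows-root", "medium", line,
                             f"[{m.group('name')}] starts {base} from the Windows root"))
    return found


def triage(log_text: str) -> list:
    """Walk the log once, tracking whether we are inside the 'Running processes:' block."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False
        elif in_processes:
            findings += check_process(line)
        elif line.startswith("F2 - ") and "UserInit=" in line:
            findings += check_userinit(line)
        elif line.startswith("O1 - Hosts:"):
            findings += check_hosts(line)
        elif line.startswith("O2 - BHO:"):
            findings += check_bho(line)
        elif line.startswith("O4 - "):
            findings += check_run_key(line)
    return findings


def count_by_severity(findings: list) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts
```

Run `triage(SAMPLE_LOG)` to list the findings; on the excerpt it reports four high, one medium and one informational entry, which matches what SDFix and the later posts actually removed.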

 
Pancake
Global Moderator
« Reply #1 on: April 02, 2008, 12:10:01 AM »

Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.

=================================


Ok. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer.

Please visit this webpage for download links, and instructions for running the tool


When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
sleepypunk1111
Full Member
« Reply #2 on: April 07, 2008, 12:45:36 AM »

SDFix report

SDFix: Version 1.165

Run by HP_Administrator on 2008-04-06 at 17:24

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
ntload

Path:
\??\C:\WINDOWS\system32\ntload.sys

ntload - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper 

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ADCRAH.BMP - Deleted
C:\WINDOWS\SYSTEM32\ADGFIPCN.BMP - Deleted
C:\Documents and Settings\HP_Administrator\Desktop\BDSM galleries.URL - Deleted
C:\Documents and Settings\HP_Administrator\Desktop\Uncensored p*rn.URL - Deleted
C:\WINDOWS\system32\s*x1.ico - Deleted
C:\WINDOWS\system32\s*x2.ico - Deleted
C:\WINDOWS\system32\s*x3.ico - Deleted
C:\WINDOWS\system32\s*x4.ico - Deleted
C:\WINDOWS\system32\s*x5.ico - Deleted
C:\WINDOWS\aromis.exe  - Deleted
C:\WINDOWS\aromis.config  - Deleted
C:\WINDOWS\system32\ieupdates.exe  - Deleted
C:\WINDOWS\system32\update32.exe  - Deleted
C:\WINDOWS\system32\winupdate.exe  - Deleted
C:\WINDOWS\system32\wscmp.dll  - Deleted
C:\WINDOWS\system32\ntload.sys  - Deleted

 
sleepypunk1111
Full Member
« Reply #3 on: April 07, 2008, 12:46:24 AM »

Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 17:29:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A75E226A-719D-33C9-DC76-B08C32082593}]
"abmjbbeeleoaooabnhngjnkfokifdgfeag"=hex:61,62,6b,67,6b,65,6b,70,62,62,66,6c,68,66,62,61,61,67,69,70,6f,..
"bbmjbbeeleoaooabnhogebkkccjcpoalipje"=hex:61,62,62,68,69,70,69,6a,66,6e,63,63,70,6b,6c,6f,64,63,69,70,6f,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\utorrent\\uTorrent.exe"="C:\\Program Files\\utorrent\\uTorrent.exe:*:Enabled:

 
sleepypunk1111
Full Member
« Reply #4 on: April 07, 2008, 12:54:49 AM »

I don't think my ComboFix is running correctly.

Start Time= 2008-04-06 19:48:35.10

QuickScan did not find any signs of infected files

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-03-31     18:42:12        29696       ( A.... )   "C:\WINDOWS\2020search.dll"
2008-03-31     18:42:12        21760       ( A.... )   "C:\WINDOWS\2020search2.dll"
2008-03-31     18:42:12        18944       ( A.... )   "C:\WINDOWS\mssvr.exe"
2008-03-31     18:42:12                       ( .D... )   "C:\Program Files\seekmo"
2008-03-31     18:42:12                       ( .D... )   "C:\Program Files\180solutions"
2008-03-31     13:55:04        31744       ( A.... )   "C:\WINDOWS\stcloader.exe"
2008-03-31     13:55:04        28672       ( A.... )   "C:\WINDOWS\cdsm32.dll"
2008-03-31     13:55:04        24320       ( A.... )   "C:\WINDOWS\swin32.dll"
2008-03-31     13:55:04        19968       ( A.... )   "C:\WINDOWS\mspphe.dll"
2008-03-31     13:55:04        13824       ( A.... )   "C:\WINDOWS\voiceip.dll"
2008-03-31     13:55:04        12800       ( A.... )   "C:\WINDOWS\bokja.exe"
2008-03-31     13:55:04                       ( .D... )   "C:\Program Files\stc"
2008-03-31     13:55:02        31744       ( A.... )   "C:\WINDOWS\system32\WER8274.DLL"
2008-03-31     13:55:02        24064       ( A.... )   "C:\WINDOWS\system32\MSIXU.DLL"
2008-03-31     13:55:02        20480       ( A.... )   "C:\WINDOWS\180ax.exe"
2008-03-31     13:55:02        18688       ( A.... )   "C:\WINDOWS\bjam.dll"
2008-03-31     13:55:02                       ( .D... )   "C:\Program Files\zango"
2008-03-31     13:55:02                       ( .D... )   "C:\Program Files\180searchassistant"
2008-03-31     13:55:02                       ( .D... )   "C:\Program Files\180search assistant"
2008-03-31     13:55:00        29952       ( A.... )   "C:\WINDOWS\updatetc.exe"
2008-03-31     13:55:00        28416       ( A.... )   "C:\WINDOWS\system32\MSNSA32.dll"
2008-03-31     13:55:00        27392       ( A.... )   "C:\WINDOWS\salm.exe"
2008-03-31     13:55:00        26368       ( A.... )   "C:\WINDOWS\system32\ntnut32.exe"
2008-03-31     13:55:00        20736       ( A.... )   "C:\WINDOWS\msa64chk.dll"
2008-03-31     13:55:00        17664       ( A.... )   "C:\WINDOWS\saiemod.dll"
2008-03-31     13:55:00        17664       ( A.... )   "C:\WINDOWS\msapasrc.dll"
2008-03-31     13:55:00        16896       ( A.... )   "C:\WINDOWS\system32\SIPSPI32.dll"
2008-03-31     13:55:00         8704       ( A.... )   "C:\WINDOWS\system32\shdocpe.dll"
2008-03-31     13:54:58        30976       ( A.... )   "C:\WINDOWS\winsb.dll"
2008-03-31     13:54:58        28928       ( A.... )   "C:\WINDOWS\avifile32.dll"
2008-03-31     13:54:58        28416       ( A.... )   "C:\WINDOWS\shdocpe.dll"
2008-03-31     13:54:58        27904       ( A.... )   "C:\WINDOWS\audiosrv32.dll"
2008-03-31     13:54:58        27648       ( A.... )   "C:\WINDOWS\ntnut.exe"
2008-03-31     13:54:58        27136       ( A.... )   "C:\WINDOWS\shdocpl.dll"
2008-03-31     13:54:58        19456       ( A.... )   "C:\WINDOWS\avisynthex32.dll"
2008-03-31     13:54:58        18432       ( A.... )   "C:\WINDOWS\browserad.dll"
2008-03-31     13:54:58        15872       ( A.... )   "C:\WINDOWS\autodisc32.dll"
2008-03-31     13:54:58        15616       ( A.... )   "C:\WINDOWS\aviwrap32.dll"
2008-03-31     13:54:58                       ( .D... )   "C:\Program Files\Sysmnt"
2008-03-31     13:54:56        32768       ( A.... )   "C:\WINDOWS\asycfilt32.dll"
2008-03-31     13:54:56        30208       ( A.... )   "C:\WINDOWS\athprxy32.dll"
2008-03-31     13:54:56        25344       ( A.... )   "C:\WINDOWS\changeurl_30.dll"
2008-03-31     13:54:56        18944       ( A.... )   "C:\WINDOWS\apphelp32.dll"
2008-03-31     13:54:56        17152       ( A.... )   "C:\WINDOWS\ati2dvag32.dll"
2008-03-31     13:54:56        13824       ( A.... )   "C:\WINDOWS\ati2dvaa32.dll"
2008-03-31     13:54:56        13824       ( A.... )   "C:\WINDOWS\asferror32.dll"
2008-03-05     20:16:00                       ( .D... )   "C:\Documents and Settings\HP_Administrator\Application Data\fretsonfire"
2008-03-05     20:15:40                       ( .D... )   "C:\Program Files\Frets on Fire"
2008-03-05     11:30:54     19148408       ( A.... )   "C:\WINDOWS\system32\MRT.exe"
2008-02-22     18:05:46                       ( .D... )   "C:\Program Files\AviSynth 2.5"
2008-02-22     18:05:42                       ( .D... )   "C:\Program Files\Red Kawa"
2008-02-22     07:40:38                       ( .D... )   "C:\Program Files\DVD Decrypter"
2008-02-22     02:33:32       139264       ( A.... )   "C:\WINDOWS\system32\javaws.exe"
2008-02-22     01:23:40       135168       ( A.... )   "C:\WINDOWS\system32\javaw.exe"
2008-02-22     01:23:36       135168       ( A.... )   "C:\WINDOWS\system32\java.exe"
2008-02-20     21:05:34      1044480       ( A.... )   "C:\WINDOWS\system32\libdivx.dll"
2008-02-20     21:05:34       200704       ( A.... )   "C:\WINDOWS\system32\ssldivx.dll"
2008-02-17     23:42:40                       ( .D... )   "C:\Program Files\Amazon"
2008-02-12     07:38:08                       ( .D... )   "C:\Documents and Settings\HP_Administrator\Application Data\Anti-Virus-Pro.com"
2008-02-12     07:38:02                       ( .D... )   "C:\Program Files\AntiVirusPro"
2008-02-12     07:37:58        29436       ( A.... )   "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe"
2008-02-10     20:30:10                       ( .D... )   "C:\Program Files\Trend Micro"
2008-02-10     11:00:48                       ( .D... )   "C:\Program Files\SysCleaner"
2008-01-11     00:53:32        44544       ( A.... )   "C:\WINDOWS\system32\pngfilt.dll"
2008-01-10     23:44:46       103424       ( A.... )   "C:\WINDOWS\system32\drvmex.dll"


(((((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SMSERIAL"="sm56hlpr.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"tgcmdprovidersbc"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"BluetoothAuthorizationAgent"="C:\\WINDOWS\\system32\\BluetoothAuthorizationAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Veoh"="\"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe\" /VeohHide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 2008-04-06 19:50:44.71
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

 
sleepypunk1111
Full Member
« Reply #5 on: April 07, 2008, 12:59:36 AM »

Logfile of HijackThis v1.99.1
Scan saved at 19:59, on 2008-04-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179489774609
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE

Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Gender: Male
Posts: 3915
« Reply #6 on: April 07, 2008, 01:34:23 AM »

Can you re-run Combofix again please...

An Australian Member of

EDDY
sleepypunk1111
Full Member
***

Karma: +0/-0
Posts: 97
« Reply #7 on: April 07, 2008, 01:49:44 AM »

I re-ran it again... this is what it spat out

Start Time= 2008-04-06 20:43:55.08

QuickScan did not find any signs of infected files

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-03-31     18:42:12        29696       ( A.... )   "C:\WINDOWS\2020search.dll"
2008-03-31     18:42:12        21760       ( A.... )   "C:\WINDOWS\2020search2.dll"
2008-03-31     18:42:12        18944       ( A.... )   "C:\WINDOWS\mssvr.exe"
2008-03-31     18:42:12                       ( .D... )   "C:\Program Files\seekmo"
2008-03-31     18:42:12                       ( .D... )   "C:\Program Files\180solutions"
2008-03-31     13:55:04        31744       ( A.... )   "C:\WINDOWS\stcloader.exe"
2008-03-31     13:55:04        28672       ( A.... )   "C:\WINDOWS\cdsm32.dll"
2008-03-31     13:55:04        24320       ( A.... )   "C:\WINDOWS\swin32.dll"
2008-03-31     13:55:04        19968       ( A.... )   "C:\WINDOWS\mspphe.dll"
2008-03-31     13:55:04        13824       ( A.... )   "C:\WINDOWS\voiceip.dll"
2008-03-31     13:55:04        12800       ( A.... )   "C:\WINDOWS\bokja.exe"
2008-03-31     13:55:04                       ( .D... )   "C:\Program Files\stc"
2008-03-31     13:55:02        31744       ( A.... )   "C:\WINDOWS\system32\WER8274.DLL"
2008-03-31     13:55:02        24064       ( A.... )   "C:\WINDOWS\system32\MSIXU.DLL"
2008-03-31     13:55:02        20480       ( A.... )   "C:\WINDOWS\180ax.exe"
2008-03-31     13:55:02        18688       ( A.... )   "C:\WINDOWS\bjam.dll"
2008-03-31     13:55:02                       ( .D... )   "C:\Program Files\zango"
2008-03-31     13:55:02                       ( .D... )   "C:\Program Files\180searchassistant"
2008-03-31     13:55:02                       ( .D... )   "C:\Program Files\180search assistant"
2008-03-31     13:55:00        29952       ( A.... )   "C:\WINDOWS\updatetc.exe"
2008-03-31     13:55:00        28416       ( A.... )   "C:\WINDOWS\system32\MSNSA32.dll"
2008-03-31     13:55:00        27392       ( A.... )   "C:\WINDOWS\salm.exe"
2008-03-31     13:55:00        26368       ( A.... )   "C:\WINDOWS\system32\ntnut32.exe"
2008-03-31     13:55:00        20736       ( A.... )   "C:\WINDOWS\msa64chk.dll"
2008-03-31     13:55:00        17664       ( A.... )   "C:\WINDOWS\saiemod.dll"
2008-03-31     13:55:00        17664       ( A.... )   "C:\WINDOWS\msapasrc.dll"
2008-03-31     13:55:00        16896       ( A.... )   "C:\WINDOWS\system32\SIPSPI32.dll"
2008-03-31     13:55:00         8704       ( A.... )   "C:\WINDOWS\system32\shdocpe.dll"
2008-03-31     13:54:58        30976       ( A.... )   "C:\WINDOWS\winsb.dll"
2008-03-31     13:54:58        28928       ( A.... )   "C:\WINDOWS\avifile32.dll"
2008-03-31     13:54:58        28416       ( A.... )   "C:\WINDOWS\shdocpe.dll"
2008-03-31     13:54:58        27904       ( A.... )   "C:\WINDOWS\audiosrv32.dll"
2008-03-31     13:54:58        27648       ( A.... )   "C:\WINDOWS\ntnut.exe"
2008-03-31     13:54:58        27136       ( A.... )   "C:\WINDOWS\shdocpl.dll"
2008-03-31     13:54:58        19456       ( A.... )   "C:\WINDOWS\avisynthex32.dll"
2008-03-31     13:54:58        18432       ( A.... )   "C:\WINDOWS\browserad.dll"
2008-03-31     13:54:58        15872       ( A.... )   "C:\WINDOWS\autodisc32.dll"
2008-03-31     13:54:58        15616       ( A.... )   "C:\WINDOWS\aviwrap32.dll"
2008-03-31     13:54:58                       ( .D... )   "C:\Program Files\Sysmnt"
2008-03-31     13:54:56        32768       ( A.... )   "C:\WINDOWS\asycfilt32.dll"
2008-03-31     13:54:56        30208       ( A.... )   "C:\WINDOWS\athprxy32.dll"
2008-03-31     13:54:56        25344       ( A.... )   "C:\WINDOWS\changeurl_30.dll"
2008-03-31     13:54:56        18944       ( A.... )   "C:\WINDOWS\apphelp32.dll"
2008-03-31     13:54:56        17152       ( A.... )   "C:\WINDOWS\ati2dvag32.dll"
2008-03-31     13:54:56        13824       ( A.... )   "C:\WINDOWS\ati2dvaa32.dll"
2008-03-31     13:54:56        13824       ( A.... )   "C:\WINDOWS\asferror32.dll"
2008-03-05     20:16:00                       ( .D... )   "C:\Documents and Settings\HP_Administrator\Application Data\fretsonfire"
2008-03-05     20:15:40                       ( .D... )   "C:\Program Files\Frets on Fire"
2008-03-05     11:30:54     19148408       ( A.... )   "C:\WINDOWS\system32\MRT.exe"
2008-02-22     18:05:46                       ( .D... )   "C:\Program Files\AviSynth 2.5"
2008-02-22     18:05:42                       ( .D... )   "C:\Program Files\Red Kawa"
2008-02-22     07:40:38                       ( .D... )   "C:\Program Files\DVD Decrypter"
2008-02-22     02:33:32       139264       ( A.... )   "C:\WINDOWS\system32\javaws.exe"
2008-02-22     01:23:40       135168       ( A.... )   "C:\WINDOWS\system32\javaw.exe"
2008-02-22     01:23:36       135168       ( A.... )   "C:\WINDOWS\system32\java.exe"
2008-02-20     21:05:34      1044480       ( A.... )   "C:\WINDOWS\system32\libdivx.dll"
2008-02-20     21:05:34       200704       ( A.... )   "C:\WINDOWS\system32\ssldivx.dll"
2008-02-17     23:42:40                       ( .D... )   "C:\Program Files\Amazon"
2008-02-12     07:38:08                       ( .D... )   "C:\Documents and Settings\HP_Administrator\Application Data\Anti-Virus-Pro.com"
2008-02-12     07:38:02                       ( .D... )   "C:\Program Files\AntiVirusPro"
2008-02-12     07:37:58        29436       ( A.... )   "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe"
2008-02-10     20:30:10                       ( .D... )   "C:\Program Files\Trend Micro"
2008-02-10     11:00:48                       ( .D... )   "C:\Program Files\SysCleaner"
2008-01-11     00:53:32        44544       ( A.... )   "C:\WINDOWS\system32\pngfilt.dll"
2008-01-10     23:44:46       103424       ( A.... )   "C:\WINDOWS\system32\drvmex.dll"


(((((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SMSERIAL"="sm56hlpr.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"tgcmdprovidersbc"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"BluetoothAuthorizationAgent"="C:\\WINDOWS\\system32\\BluetoothAuthorizationAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Veoh"="\"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe\" /VeohHide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 2008-04-06 20:45:49.54
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
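As an added example (not from this thread and not part of ComboFix itself), here is a small Python parser for the Find3M section of the QuickScan log above that groups entries written within seconds of each other. The burst of files dropped directly into C:\WINDOWS on 2008-03-31 between 13:54:56 and 13:55:04 stands out exactly that way, and it is the same set ComboFix later lists under "Other Deletions". The sample lines are copied from the post; the regex, the gap threshold and the minimum cluster size are my assumptions about the format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample input: a dozen Find3M lines in the layout of the ComboFix
# QuickScan log posted above (timestamps and paths copied from that post).
SAMPLE_FIND3M = r"""
2008-03-31     18:42:12        29696       ( A.... )   "C:\WINDOWS\2020search.dll"
2008-03-31     18:42:12        18944       ( A.... )   "C:\WINDOWS\mssvr.exe"
2008-03-31     18:42:12                       ( .D... )   "C:\Program Files\seekmo"
2008-03-31     13:55:04        31744       ( A.... )   "C:\WINDOWS\stcloader.exe"
2008-03-31     13:55:04        28672       ( A.... )   "C:\WINDOWS\cdsm32.dll"
2008-03-31     13:55:02        20480       ( A.... )   "C:\WINDOWS\180ax.exe"
2008-03-31     13:55:00        27392       ( A.... )   "C:\WINDOWS\salm.exe"
2008-03-31     13:54:58        27648       ( A.... )   "C:\WINDOWS\ntnut.exe"
2008-03-31     13:54:56        32768       ( A.... )   "C:\WINDOWS\asycfilt32.dll"
2008-03-05     11:30:54     19148408       ( A.... )   "C:\WINDOWS\system32\MRT.exe"
2008-02-22     02:33:32       139264       ( A.... )   "C:\WINDOWS\system32\javaws.exe"
"""

# Assumed line layout: date, time, optional size (absent for directories),
# attribute flags in parentheses, then the quoted path.
FIND3M_LINE = re.compile(
    r'^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\d+)?\s*'
    r'\(\s*([A-Za-z.]+)\s*\)\s+"(.+)"$'
)


@dataclass
class Find3MEntry:
    when: datetime
    size: Optional[int]   # None for directory entries
    attrs: str            # e.g. "A...." (archive file) or ".D..." (directory)
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_find3m(text: str) -> List[Find3MEntry]:
    """Parse Find3M report lines; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(Find3MEntry(
            when=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            size=int(size) if size else None,
            attrs=attrs,
            path=path,
        ))
    return entries


def find_bulk_drops(entries: List[Find3MEntry], window_seconds: int = 5,
                    min_files: int = 5) -> List[List[Find3MEntry]]:
    """Chain entries whose timestamps are within window_seconds of the previous
    one and return the chains with at least min_files entries, oldest first.
    A single installer run shows up as one such chain."""
    ordered = sorted(entries, key=lambda e: e.when)
    gap = timedelta(seconds=window_seconds)
    clusters, current = [], []
    for e in ordered:
        if current and e.when - current[-1].when > gap:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) >= min_files]


def describe(cluster: List[Find3MEntry]) -> str:
    """One-line summary: time span, entry count, and how many new files landed
    directly under C:\\WINDOWS (a common tell for an adware installer)."""
    in_winroot = sum(
        1 for e in cluster
        if not e.is_dir and e.path.rsplit("\\", 1)[0].lower() == "c:\\windows"
    )
    start, end = cluster[0].when, cluster[-1].when
    return (f"{start:%Y-%m-%d %H:%M:%S} .. {end:%H:%M:%S}: {len(cluster)} entries, "
            f"{in_winroot} new files directly under C:\\WINDOWS")


if __name__ == "__main__":
    for cluster in find_bulk_drops(parse_find3m(SAMPLE_FIND3M)):
        print(describe(cluster))
        for e in cluster:
            print("   ", e.path)
```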
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Gender: Male
Posts: 3915
« Reply #8 on: April 07, 2008, 02:13:26 AM »

Remove/Uninstall the Combofix you now have and get a new one from here:

Please visit this webpage for download links, and instructions for running the tool

An Australian Member of

EDDY
sleepypunk1111
Full Member
***

Karma: +0/-0
Posts: 97
« Reply #9 on: April 07, 2008, 02:55:29 AM »

ComboFix 08-04-06.1 - HP_Administrator 2008-04-06 21:51:34.21 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.236 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kmd.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
(((((((((((((((((((((((((   Files Created from 2008-03-07 to 2008-04-07  )))))))))))))))))))))))))))))))
.

2008-04-06 17:47 . 2008-04-06 17:47   269,334   --a------   C:\WINDOWS\system32\sjitob.bmp
2008-03-31 18:42 . 2008-03-31 18:42   <DIR>   d--------   C:\Program Files\180solutions
2008-03-31 18:12 . 2008-04-06 17:36   <DIR>   d--------   C:\SDFix
2008-03-31 17:34 . 2008-03-31 17:34   <DIR>   d--------   C:\Deckard
2008-03-31 13:55 . 2008-03-31 13:55   <DIR>   d--------   C:\Program Files\zango
2008-03-31 13:55 . 2008-03-31 13:55   <DIR>   d--------   C:\Program Files\stc
2008-03-31 13:55 . 2008-03-31 13:55   <DIR>   d--------   C:\Program Files\180searchassistant
2008-03-31 13:55 . 2008-03-31 13:55   <DIR>   d--------   C:\Program Files\180search assistant
2008-03-31 13:54 . 2008-03-31 13:54   <DIR>   d--------   C:\Program Files\Sysmnt
2008-03-28 06:51 . 2008-04-06 17:47   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-03-28 06:51 . 2008-03-28 06:51   1,409   --a------   C:\WINDOWS\QTFont.for
2008-03-25 17:58 . 2008-03-25 17:59   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-03-25 17:58 . 2008-03-25 17:58   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 12:04   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2008-03-27 02:35   ---------   d-----w   C:\Program Files\Java
2008-03-06 01:16   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\fretsonfire
2008-03-06 01:15   ---------   d-----w   C:\Program Files\Frets on Fire
2008-02-27 01:36   ---------   d-----w   C:\Program Files\DivX
2008-02-22 23:05   ---------   d-----w   C:\Program Files\Red Kawa
2008-02-22 23:05   ---------   d-----w   C:\Program Files\AviSynth 2.5
2008-02-22 12:40   ---------   d-----w   C:\Program Files\DVD Decrypter
2008-02-21 02:05   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
2008-02-18 04:43   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-02-18 04:42   ---------   d-----w   C:\Program Files\Amazon
2008-02-18 04:42   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Amazon
2008-02-14 02:39   ---------   d-----w   C:\Program Files\AntiVirusPro
2008-02-13 03:24   ---------   d-----w   C:\Program Files\MySpace
2008-02-12 12:38   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\Anti-Virus-Pro.com
2008-02-12 12:37   29,436   ----a-w   C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-02-12 02:41   ---------   d-----w   C:\Program Files\Common Files\Nero
2008-02-12 02:41   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Nero
2008-02-11 01:30   ---------   d-----w   C:\Program Files\Trend Micro
2008-02-10 16:00   ---------   d-----w   C:\Program Files\SysCleaner
2008-01-11 05:53   44,544   ----a-w   C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-11 04:44   103,424   ----a-w   C:\WINDOWS\system32\drvmex.dll
2007-08-12 20:35   47,360   ----a-w   C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
2005-05-12 13:36   12,288   ----a-w   C:\WINDOWS\Fonts\RandFont.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-10 23:05 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-10 23:05 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-10 23:05 68856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-01-10 23:05 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-23 13:23 3497984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 04:56 544768 C:\WINDOWS\sm56hlpr.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-13 01:08 6731312]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-10 23:04 180269]
"tgcmdprovidersbc"="C:\Program Files\Support.com\bin\tgcmd.exe" [2008-01-10 23:04 1544192]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 21:04 59392]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [2008-02-12 07:37 29436]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 18:25:20 97320]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 08:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\utorrent\\uTorrent.exe"=
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdasa0ab.exe"=

S3 CDAVFS;CDAVFS;C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2008-01-14 23:38]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 22:31:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 21:53:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\PCD5SRVC]
"ImagePath"="\??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-04-06 21:54:16
ComboFix-quarantined-files.txt  2008-04-07 02:54:02
ComboFix2.txt  2008-02-25 02:30:44
Pre-Run: 83,772,616,704 bytes free
Post-Run: 83,755,769,856 bytes free
.
2008-03-20 08:09:10   --- E O F --- 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Gender: Male
Posts: 3915
« Reply #10 on: April 07, 2008, 11:24:07 PM »

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

Killall::

File::
 C:\WINDOWS\system32\sjitob.bmp

Folder::
C:\Program Files\180solutions
C:\Program Files\zango
C:\Program Files\stc
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\Program Files\Viewpoint

 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*


An Australian Member of

EDDY