Topic: Intelligent New Terror Virus
kidigi2lx
« on: July 21, 2008, 01:59:08 AM »

Hey Guys,

Pancake, you have dealt with me with stuff like this in the past.  I have a virus that is attacking all applications, devices and working parameters of my computer. 

A torrent was downloaded (WinRar Professional Edition) and since then all computer functionality has been jeopardized. McAfee has turned against the computer and is overactive, sending false reports and alerts. A screen will pop up randomly with messages saying 'Your privacy is not protected'. The desktop has been altered with new icons, most of them being p*rn. It is deleting my inherent computer applications and files and adding its own applications, most of them being spyware protection and antivirus programs (some of them being Microsoft affiliated). On top of everything else, it will change registry information and will not allow the download of any spyware programs other than the ones that it suggests. It is a good thing that we had Hijack already uploaded on the computer. Here is the log file from Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 21:44: VIRUS ALERT!, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Common Files\AOL\1127536827\ee\AOLSoftware.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Updater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\Sys6.exe
C:\Windows\Sys7.exe
C:\Windows\Sys8.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\DNA\btdna.exe
c:\program files\common files\aol\1127536827\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127536827\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\MySoftware\Newsflsh.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Jovann Easter\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.64.175:7212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo!
I can't write my signature on the computer screen so I'll just use this.
Pancake
« Reply #1 on: July 22, 2008, 11:54:02 PM »

Ok. I see the problem. It's fixable.

You are using an outdated version of HijackThis. Please uninstall it from Add/Remove Programs, and delete your current version.

Please download HijackThis to your desktop.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe

=====================================

Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

« Last Edit: July 22, 2008, 11:56:24 PM by Pancake »
kidigi2lx
« Reply #2 on: July 23, 2008, 10:22:38 AM »

Thanks. Hijack report is below and I will post the ComboFix report right after due to its size.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:59: VIRUS ALERT!, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1127536827\ee\aolsoftware.exe
c:\program files\common files\aol\1127536827\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127536827\ee\aolsoftware.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Updater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\Sys6.exe
C:\Windows\Sys7.exe
C:\Windows\Sys8.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\MySoftware\Newsflsh.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.64.175:7212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo!
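A small triage script for the header and the R-lines of HijackThis logs like the two posted above (an added example, not part of this thread and not HijackThis code). It runs over constructed sample lines modelled on the posted logs and uses an assumed allowlist of search hosts; it flags the time field that is not a time, the proxy on a link-local address, and the start page reset to about:blank.

```python
"""Triage helper for the 'R' lines and header of a HijackThis log.

Added example, not part of the thread and not HijackThis code. It flags the
signs visible in the logs posted above: a time stamp that is not a time
(the system time format string has been altered), a proxy pointing at a
link-local address, and a start page reset to about:blank.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:44: VIRUS ALERT!, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.64.175:7212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo!
"""

# Assumed allowlist: the search hosts that appear in the posted logs. Replace
# with the hosts you actually trust before running this on a real log.
KNOWN_SEARCH_HOSTS = {"g.msn.com", "www.yahoo.com", "us.rd.yahoo.com"}

# "R1 - HKCU\...\Main,Search Bar = http://..."  ->  code, path, name, data
R_LINE = re.compile(r"^(?P<code>R[0-3]) - (?P<path>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
SCAN_TIME = re.compile(r"^Scan saved at (?P<time>.+?), on (?P<date>.+)$")
# What the time field looks like on an unmodified system: 21:44, 21:44:10, 9:44 PM
WELL_FORMED_TIME = re.compile(r"^\d{1,2}:\d{2}(:\d{2})?\s*([AP]M)?$")


@dataclass
class Finding:
    severity: str  # "high" = almost certainly tampering, "review" = confirm with the user
    line: str
    reason: str


def parse_r_line(line):
    """Split an R-line into its parts; None for lines in another shape (e.g. R3 hooks)."""
    m = R_LINE.match(line.strip())
    return m.groupdict() if m else None


def check_proxy(data):
    """Classify a ProxyServer value: returns (severity, reason)."""
    host, _, port = data.rpartition(":")
    if not host:  # no port given
        host = data
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "review", "proxy set to host %r; confirm it was configured on purpose" % host
    if ip.is_link_local:
        # 169.254.0.0/16 is auto-configuration space; a proxy there is not a user setting.
        return "high", "proxy points at link-local address %s; a local hijacking proxy is the usual cause" % ip
    if ip.is_loopback:
        return "high", "proxy points at loopback %s; identify the process listening on port %s" % (ip, port or "?")
    return "review", "proxy set to %s; confirm it was configured on purpose" % ip


def triage(log_text):
    """Walk a HijackThis log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCAN_TIME.match(line)
        if m:
            if not WELL_FORMED_TIME.match(m.group("time")):
                findings.append(Finding("high", line,
                    "time field %r is not a time: the system time format string has been modified" % m.group("time")))
            continue
        entry = parse_r_line(line)
        if entry is None:
            continue
        name, data, path = entry["name"], entry["data"], entry["path"]
        if name == "ProxyServer" and data:
            sev, reason = check_proxy(data)
            findings.append(Finding(sev, line, reason))
        elif name == "Start Page" and data.lower() == "about:blank":
            findings.append(Finding("review", line, "start page reset to about:blank, common after a hijack"))
        elif name in ("Search Bar", "Search Page") or path.endswith("SearchURL"):
            host = urlparse(data).hostname or ""
            if host and host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding("review", line, "search setting points at unfamiliar host %s" % host))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.severity, f.reason, f.line))
```

Feed it a saved log with `triage(open(path).read())`; the ProxyOverride and LinksFolderName lines produce nothing, which is the intended result for entries that carry no hijack signal on their own.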
kidigi2lx
« Reply #3 on: July 23, 2008, 10:24:25 AM »

Thanks. The Combofix report is below.

ComboFix 08-07-22.3 - Jovann Easter 2008-07-23  5:19:46.1 - NTFSx86
Running from: C:\Documents and Settings\Jovann Easter\Desktop\ComboFix2.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jovann Easter\Desktop\Vista Antivirus 2008.lnk
C:\Documents and Settings\Rhody Guzman\Desktop\Error Cleaner.url
C:\Documents and Settings\Rhody Guzman\Desktop\Privacy Protector.url
C:\Documents and Settings\Rhody Guzman\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Rhody Guzman\Favorites\Error Cleaner.url
C:\Documents and Settings\Rhody Guzman\Favorites\Privacy Protector.url
C:\Documents and Settings\Rhody Guzman\Favorites\Spyware&Malware Protection.url
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\s*x1.ico
C:\Program Files\PCHealthCenter\s*x2.ico
C:\WINDOWS\elxw.exe
C:\WINDOWS\kgxmotapqtm.dll
C:\WINDOWS\Sys14.exe
C:\WINDOWS\Sys15.exe
C:\WINDOWS\Sys291.exe
C:\WINDOWS\Sys292.exe
C:\WINDOWS\Sys33.exe
C:\WINDOWS\Sys34.exe
C:\WINDOWS\Sys35.exe
C:\WINDOWS\Sys4.exe
C:\WINDOWS\Sys5.exe
C:\WINDOWS\Sys6.exe
C:\WINDOWS\Sys7.exe
C:\WINDOWS\Sys8.exe
C:\WINDOWS\system32\aigonnqm.ini
C:\WINDOWS\system32\cbXNGWMD.dll
C:\WINDOWS\system32\cllbqufw.ini
C:\WINDOWS\system32\coqumlmi.dll
C:\WINDOWS\system32\DMWGNXbc.ini
C:\WINDOWS\system32\DMWGNXbc.ini2
C:\WINDOWS\system32\dycaojkj.dll
C:\WINDOWS\system32\eyfdtcto.ini
C:\WINDOWS\system32\fgelycbb.dll
C:\WINDOWS\system32\fosowkfh.dll
C:\WINDOWS\system32\hrkyhk.dll
C:\WINDOWS\system32\imlmuqoc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcznda.dll
C:\WINDOWS\system32\mqnnogia.dll
C:\WINDOWS\system32\nnnkHwXr.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pqbibv.dll
C:\WINDOWS\system32\qteatahe.dll
C:\WINDOWS\system32\s*x1.ico
C:\WINDOWS\system32\s*x2.ico
C:\WINDOWS\system32\uccaws.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\wfuqbllc.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\xvyygkxj.dll
C:\WINDOWS\system32\yzquus.dll
C:\WINDOWS\winhelp.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


(((((((((((((((((((((((((   Files Created from 2008-06-23 to 2008-07-23  )))))))))))))))))))))))))))))))
.

2008-07-23 03:34 . 2008-07-23 03:34   94,848   --a------   C:\WINDOWS\system32\qxaccxbk.dll
2008-07-23 03:34 . 2008-07-23 03:34   294   --ahs----   C:\WINDOWS\system32\kbxccaxq.ini
2008-07-21 21:49 . 2008-07-21 21:49   110,080   --a------   C:\WINDOWS\system32\arnsaewf.exe
2008-07-20 21:36 . 2008-07-20 21:36   <DIR>   d--------   C:\Program Files\Trend Micro
2008-07-20 14:50 . 2008-07-20 14:50   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-07-20 13:32 . 2008-07-20 13:32   <DIR>   d--------   C:\Documents and Settings\Rhody Guzman\Application Data\Yahoo!
2008-07-20 13:29 . 2008-07-20 13:29   <DIR>   d--------   C:\Documents and Settings\Rhody Guzman\Application Data\TmpRecentIcons
2008-07-20 12:57 . 2008-07-20 04:05   98,304   --a------   C:\WINDOWS\agpqlrfm.exe
2008-07-20 12:55 . 2008-07-20 12:55   65,536   ---hs----   C:\Documents and Settings\Jovann Easter\MediaTubeCodec_ver1.1463.0.exe
2008-06-29 20:52 . 2008-07-21 23:05   <DIR>   d--------   C:\Documents and Settings\Jovann Easter\Application Data\Apple Computer
2008-06-29 20:51 . 2008-06-29 20:52   <DIR>   d--------   C:\Program Files\iTunes
2008-06-29 20:51 . 2008-06-29 20:51   <DIR>   d--------   C:\Program Files\iPod
2008-06-29 20:50 . 2008-06-29 20:50   <DIR>   d--------   C:\Program Files\Bonjour
2008-06-29 20:47 . 2008-06-29 20:49   <DIR>   d--------   C:\Program Files\QuickTime
2008-06-29 20:46 . 2008-06-29 20:51   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-29 20:44 . 2008-06-29 20:44   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-06-29 20:42 . 2008-06-29 20:42   <DIR>   d--------   C:\Program Files\Common Files\Apple
2008-06-29 20:42 . 2008-06-29 20:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 10:01   256   ----a-w   C:\Documents and Settings\Jovann Easter\pool.bin
2008-07-23 10:01   ---------   d-----w   C:\Program Files\Plaxo
2008-07-23 09:55   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\DNA
2008-07-20 23:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 18:57   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-06-30 02:40   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 23:40   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Tenebril
2008-06-14 23:37   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\Yahoo!
2008-06-14 23:37   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-13 13:10   272,128   ----a-w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 21:59   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\BitTorrent
2008-06-01 15:24   ---------   d-----w   C:\Program Files\DNA
2008-06-01 15:24   ---------   d-----w   C:\Program Files\BitTorrent
2008-05-23 07:01   ---------   d-----w   C:\Program Files\MSXML 4.0
2007-10-13 13:51   34,568   -c--a-w   C:\Documents and Settings\Jovann Easter\Application Data\GDIPFONTCACHEV1.DAT
2005-06-29 18:21   9,883   -c--a-w   C:\Program Files\hijackthis.log
2005-02-16 15:06   218,112   -c--a-w   C:\Program Files\HijackThis.exe
2002-04-11 18:44   12,920   -c--a-w   C:\Program Files\Revision.txt
2002-04-11 18:43   55,279   -c--a-w   C:\Program Files\Delta.inf
2002-04-11 18:34   487,665   -c--a-w   C:\Program Files\deltapnl.ex_
2002-04-11 18:32   320,896   -c--a-w   C:\Program Files\delta.sys
2002-04-02 18:23   139,264   -c--a-w   C:\Program Files\DeltaUninstaller.exe
2002-04-02 18:22   24,576   -c--a-w   C:\Program Files\DeltTray.exe
2002-02-20 22:22   86,016   -c--a-w   C:\Program Files\delteasi.dll
2002-02-20 22:21   90,112   -c--a-w   C:\Program Files\deltasio.dll
2000-08-21 16:04   32,768   -c--a-w   C:\Program Files\DELTACPL.CPL
2004-08-04 07:56   73,728   -csha-w   C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe" [2008-04-14 17:36 227914]
"RIMDeviceManager"="C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2007-03-08 15:53 1320472]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-06-01 11:24 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 19:02 122880]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 22:50 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 12:00 245760]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" [2003-08-21 19:10 180224]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 16:39 147456]
"HostManager"="C:\Program Files\Common Files\AOL\1127536827\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43 57344]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03 81920]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 23:43 56320]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20 212992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-17 01:45 185896]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 21:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 56320 C:\WINDOWS\system32\DeltTray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Default User\Start Menu\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\MSOFFICE\MSOFFICE.EXE [2004-11-03 09:17:11 193600]
Script execution time was exceeded on script "C:\ComboFix2\lnkread.vbs".
Script execution was terminated.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido\security suite\guard.sys [2004-11-22 10:15]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 MDX3LDR;Midex 3 - Firmware Loader;C:\WINDOWS\system32\Drivers\mdx3ldr.sys [2002-04-22 14:56]
S3 MIDEX3;Midex 3 - USB Midi Driver;C:\WINDOWS\system32\drivers\midex3.sys [2002-05-17 18:09]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-23 07:37:52 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Jovann Easter).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-07-23 10:10:00 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Rhody Guzman).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-02-23 15:00:13 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
"2008-02-23 15:00:13 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- C:\Program Files\Microsoft IntelliType Pro\itype.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{9A770A2D-7BB2-9AE4-54D2-C048E084EE82} - C:\WINDOWS\cdmweb\auimsffwbm.dll
Toolbar-{D8FFA8AE-BBE8-4D3F-A249-64B2D03EEB25} - C:\WINDOWS\qndsfmao.dll
HKCU-Run-PCShield - C:\WINDOWS\System32\sfg_51e4.dll
HKCU-Run-Free Download Manager - E:\Free Download Manager\fdm.exe
HKCU-Run-updateMgr - F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Performance Center - C:\Program Files\Ascentive\Performance Center\ApcMain.exe
HKCU-Run-Sys6.exe - C:\Windows\Sys6.exe
HKLM-Run-LogMeIn GUI - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
HKLM-Run-GhostSurfDelSatellite - C:\Program Files\GhostSurf Platinum\DeleteSatellite.exe
HKLM-Run-Antivirus - C:\Program Files\VAV\vav.exe
HKLM-Run-c0933322 - C:\WINDOWS\system32\wfuqbllc.dll
HKLM-Run-Sys6.exe - C:\Windows\Sys6.exe
SSODL-kvxqmtre-{8D328056-5859-4AAF-8291-731E99DEB4F5} - C:\WINDOWS\kvxqmtre.dll
SSODL-evgratsm-{D68051E6-E464-42C5-8A45-C06B885FA570} - C:\WINDOWS\evgratsm.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = 169.254.64.175:7212
R1 -: HKCU-Internet Settings,ProxyOverride = ;*.local;<local>
O8 -: Download all by Free Download Manager - file://E:\Free Download Manager\dlall.htm
O8 -: Download by Free Download Manager - file://E:\Free Download Manager\dllink.htm
O8 -: Download selected by Free Download Manager - file://E:\Free Download Manager\dlselected.htm
O8 -: Download web site by Free Download Manager - file://E:\Free Download Manager\dlpage.htm
O8 -: E&xport to Microsoft Excel - F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm

O16 -: {1A1F0774-EDE6-4255-A411-B2A730D6A6DD} - hxxp://www.bravaviewer.com/install/bravareader/setup.exe
C:\WINDOWS\Downloaded Program Files\setup.exe

 - C:\WINDOWS\Downloaded Program Files\RhapX.inf

O16 -: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} - hxxp://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
C:\WINDOWS\Downloaded Program Files\weblaunch.inf
C:\WINDOWS\System32\weblaunch.ocx

O16 -: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} - hxxp://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
C:\WINDOWS\Downloaded Program Files\DVCDownloaderControl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 06:01:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\Updater.exe
C:\Program Files\Common Files\MySoftware\Newsflsh.exe
C:\Program Files\Common Files\AOL\1127536827\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-07-23  6:11:37 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-23 10:11:28

Pre-Run: 6,760,689,664 bytes free
Post-Run: 7,239,778,304 bytes free

294   --- E O F ---   2008-07-23 10:08:37
Pancake
« Reply #4 on: July 23, 2008, 11:05:22 AM »
Before we can carry on with your cleanup we need to install your Recovery Console.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

kidigi2lx
« Reply #5 on: July 28, 2008, 06:08:14 PM »

Ok Pancake,

Recovery Console has been installed. Here is the new ComboFix report below:

ComboFix 08-07-27.6 - Jovann Easter 2008-07-28 13:13:30.2 - NTFSx86
Running from: C:\Documents and Settings\Jovann Easter\Desktop\ComboFix3.exe
Command switches used :: C:\Documents and Settings\Jovann Easter\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU(2).exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jovann Easter\Application Data\macromedia\Flash Player\#SharedObjects\6Q6YDCGS\interclick.com
C:\Documents and Settings\Jovann Easter\Application Data\macromedia\Flash Player\#SharedObjects\6Q6YDCGS\interclick.com\ud.sol
C:\Documents and Settings\Jovann Easter\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jovann Easter\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
(((((((((((((((((((((((((   Files Created from 2008-06-28 to 2008-07-28  )))))))))))))))))))))))))))))))
.

2008-07-23 03:34 . 2008-07-23 03:34   94,848   --a------   C:\WINDOWS\system32\qxaccxbk.dll
2008-07-23 03:34 . 2008-07-23 03:34   294   --ahs----   C:\WINDOWS\system32\kbxccaxq.ini
2008-07-21 21:49 . 2008-07-21 21:49   110,080   --a------   C:\WINDOWS\system32\arnsaewf.exe
2008-07-20 21:36 . 2008-07-20 21:36   <DIR>   d--------   C:\Program Files\Trend Micro
2008-07-20 14:50 . 2008-07-20 14:50   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-07-20 13:32 . 2008-07-20 13:32   <DIR>   d--------   C:\Documents and Settings\Rhody Guzman\Application Data\Yahoo!
2008-07-20 13:29 . 2008-07-20 13:29   <DIR>   d--------   C:\Documents and Settings\Rhody Guzman\Application Data\TmpRecentIcons
2008-07-20 12:57 . 2008-07-20 04:05   98,304   --a------   C:\WINDOWS\agpqlrfm.exe
2008-07-20 12:55 . 2008-07-20 12:55   65,536   ---hs----   C:\Documents and Settings\Jovann Easter\MediaTubeCodec_ver1.1463.0.exe
2008-06-29 20:52 . 2008-07-21 23:05   <DIR>   d--------   C:\Documents and Settings\Jovann Easter\Application Data\Apple Computer
2008-06-29 20:51 . 2008-06-29 20:52   <DIR>   d--------   C:\Program Files\iTunes
2008-06-29 20:51 . 2008-06-29 20:51   <DIR>   d--------   C:\Program Files\iPod
2008-06-29 20:50 . 2008-06-29 20:50   <DIR>   d--------   C:\Program Files\Bonjour
2008-06-29 20:47 . 2008-06-29 20:49   <DIR>   d--------   C:\Program Files\QuickTime
2008-06-29 20:46 . 2008-06-29 20:51   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-29 20:44 . 2008-06-29 20:44   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-06-29 20:42 . 2008-06-29 20:42   <DIR>   d--------   C:\Program Files\Common Files\Apple
2008-06-29 20:42 . 2008-06-29 20:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 17:13   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\DNA
2008-07-24 22:43   256   ----a-w   C:\Documents and Settings\Jovann Easter\pool.bin
2008-07-24 22:42   ---------   d-----w   C:\Program Files\Plaxo
2008-07-20 23:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 18:57   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-06-30 02:40   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 23:40   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Tenebril
2008-06-14 23:37   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\Yahoo!
2008-06-14 23:37   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-13 13:10   272,128   ----a-w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 21:59   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\BitTorrent
2008-06-01 15:24   ---------   d-----w   C:\Program Files\DNA
2008-06-01 15:24   ---------   d-----w   C:\Program Files\BitTorrent
2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2008-04-29 17:14   208,896   ----a-w   C:\WINDOWS\system32\ConTest.dll
2007-10-13 13:51   34,568   -c--a-w   C:\Documents and Settings\Jovann Easter\Application Data\GDIPFONTCACHEV1.DAT
2005-06-29 18:21   9,883   -c--a-w   C:\Program Files\hijackthis.log
2005-02-16 15:06   218,112   -c--a-w   C:\Program Files\HijackThis.exe
2002-04-11 18:44   12,920   -c--a-w   C:\Program Files\Revision.txt
2002-04-11 18:43   55,279   -c--a-w   C:\Program Files\Delta.inf
2002-04-11 18:34   487,665   -c--a-w   C:\Program Files\deltapnl.ex_
2002-04-11 18:32   320,896   -c--a-w   C:\Program Files\delta.sys
2002-04-02 18:23   139,264   -c--a-w   C:\Program Files\DeltaUninstaller.exe
2002-04-02 18:22   24,576   -c--a-w   C:\Program Files\DeltTray.exe
2002-02-20 22:22   86,016   -c--a-w   C:\Program Files\delteasi.dll
2002-02-20 22:21   90,112   -c--a-w   C:\Program Files\deltasio.dll
2000-08-21 16:04   32,768   -c--a-w   C:\Program Files\DELTACPL.CPL
2004-08-04 07:56   73,728   -csha-w   C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

(((((((((((((((((((((((((((((   snapshot@2008-07-23_ 6.10.07.37   )))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe" [2008-04-14 17:36 227914]
"RIMDeviceManager"="C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2007-03-08 15:53 1320472]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-06-01 11:24 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 19:02 122880]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 22:50 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 12:00 245760]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" [2003-08-21 19:10 180224]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 16:39 147456]
"HostManager"="C:\Program Files\Common Files\AOL\1127536827\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43 57344]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03 81920]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 23:43 56320]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20 212992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-17 01:45 185896]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 21:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 56320 C:\WINDOWS\system32\DeltTray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido\security suite\guard.sys [2004-11-22 10:15]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 MDX3LDR;Midex 3 - Firmware Loader;C:\WINDOWS\system32\Drivers\mdx3ldr.sys [2002-04-22 14:56]
S3 MIDEX3;Midex 3 - USB Midi Driver;C:\WINDOWS\system32\drivers\midex3.sys [2002-05-17 18:09]
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Jovann Easter).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2003-08-21 19:10]

2008-07-28 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Jovann Easter).job
- C:\PROGRA~1\McAfee.com\Agent [2007-04-19 14:58]

2008-07-28 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Rhody Guzman).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2003-08-21 19:10]

2008-07-28 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Rhody Guzman).job
- C:\PROGRA~1\McAfee.com\Agent [2007-04-19 14:58]

2008-02-23 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- C:\Program Files\Microsoft IntelliType Pro\itype.exe [2006-11-21 21:08]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = 169.254.64.175:7212
R1 -: HKCU-Internet Settings,ProxyOverride = ;*.local;<local>
O8 -: Download all by Free Download Manager - file://E:\Free Download Manager\dlall.htm
O8 -: Download by Free Download Manager - file://E:\Free Download Manager\dllink.htm
O8 -: Download selected by Free Download Manager - file://E:\Free Download Manager\dlselected.htm
O8 -: Download web site by Free Download Manager - file://E:\Free Download Manager\dlpage.htm
O8 -: E&xport to Microsoft Excel - F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm

O16 -: {1A1F0774-EDE6-4255-A411-B2A730D6A6DD} - hxxp://www.bravaviewer.com/install/bravareader/setup.exe
C:\WINDOWS\Downloaded Program Files\setup.exe

 - C:\WINDOWS\Downloaded Program Files\RhapX.inf

O16 -: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} - hxxp://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
C:\WINDOWS\Downloaded Program Files\weblaunch.inf
C:\WINDOWS\System32\weblaunch.ocx

O16 -: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} - hxxp://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
C:\WINDOWS\Downloaded Program Files\DVCDownloaderControl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 13:20:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-07-28 13:24:41
ComboFix-quarantined-files.txt  2008-07-28 17:24:00
ComboFix2.txt  2008-07-23 10:11:40

Pre-Run: 7,801,925,632 bytes free
Post-Run: 7,771,942,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU(2).exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

196   --- E O F ---   2008-07-28 07:01:28

I can't write my signature on the computer screen so I'll just use this.
Pancake
Global Moderator
« Reply #6 on: July 28, 2008, 11:12:15 PM »

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote
File::
C:\WINDOWS\system32\qxaccxbk.dll
C:\WINDOWS\system32\kbxccaxq.ini
C:\WINDOWS\system32\arnsaewf.exe

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.
*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*



An Australian Member of

EDDY
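The log in Reply #5 shows two things worth noticing alongside the three files the script above targets: the .ini name (kbxccaxq) is the .dll name (qxaccxbk) spelled backwards, and Internet Explorer is set to use a proxy on 169.254.64.175:7212, a self-assigned link-local address. As an added example (my code, not the thread's, ComboFix's or HijackThis's), the Python below parses lines in ComboFix's log format, shortlists entries under three constructed review rules, and emits the CFScript File:: block that Reply #6 writes by hand; the sample lines and the rules are assumptions, with only the file names taken from the posted log.

```python
"""Triage helper for lines in ComboFix's log format: an added example that is
not part of the thread, ComboFix, or HijackThis. It parses 'Files Created'
entries and the R1 ProxyServer line as quoted in Reply #5, shortlists what a
helper would review, and emits the CFScript 'File::' block that Reply #6
writes by hand. The review rules and the sample lines are assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from pathlib import PureWindowsPath

# Constructed sample in ComboFix's format; file names come from Reply #5's log.
SAMPLE_LOG = """\
2008-07-23 03:34 . 2008-07-23 03:34   94,848   --a------   C:\\WINDOWS\\system32\\qxaccxbk.dll
2008-07-23 03:34 . 2008-07-23 03:34   294   --ahs----   C:\\WINDOWS\\system32\\kbxccaxq.ini
2008-07-21 21:49 . 2008-07-21 21:49   110,080   --a------   C:\\WINDOWS\\system32\\arnsaewf.exe
2008-07-20 21:36 . 2008-07-20 21:36   <DIR>   d--------   C:\\Program Files\\Trend Micro
2008-06-29 20:51 . 2008-06-29 20:52   <DIR>   d--------   C:\\Program Files\\iTunes
R1 -: HKCU-Internet Settings,ProxyServer = 169.254.64.175:7212
R1 -: HKCU-Internet Settings,ProxyOverride = ;*.local;<local>
"""

# 'created . modified   size   attributes   path', as ComboFix prints it.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*?)\s*$"
)
# Tail shared by the ComboFix ('R1 -:') and HijackThis ('R1 -') proxy lines.
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+):(?P<port>\d+)")
SYSTEM32 = str(PureWindowsPath(r"C:\WINDOWS\system32")).lower()


@dataclass
class Finding:
    path: str
    reason: str


def shortlist(log, since="0000-00-00"):
    """Files created on or after `since` that merit a look, in log order."""
    entries = [m for m in map(FILE_RE.match, log.splitlines()) if m]
    entries = [m for m in entries if m["created"] >= since]
    findings = []

    def add(path, reason):  # first matching rule wins; no duplicates
        if not any(f.path == path for f in findings):
            findings.append(Finding(path, reason))

    # Stems of the new files in each directory, for the reversed-name check.
    stems = {}
    for m in entries:
        p = PureWindowsPath(m["path"])
        stems.setdefault(str(p.parent).lower(), set()).add(p.stem.lower())

    for m in entries:
        p, attrs = PureWindowsPath(m["path"]), m["attrs"]
        parent, stem = str(p.parent).lower(), p.stem.lower()
        # Rule 1: two new names in one folder that are reverses of each other
        # (qxaccxbk.dll / kbxccaxq.ini in Reply #5) rarely happen by chance.
        if stem != stem[::-1] and stem[::-1] in stems[parent]:
            add(m["path"], "name is the reverse of another new file in the same folder")
        # Rule 2: loose new files straight in system32 deserve a look; updates
        # and driver installs mostly replace files that already exist there.
        if attrs[0] != "d" and parent == SYSTEM32:
            add(m["path"], "new file dropped directly in system32")
        # Rule 3: hidden+system attributes on a freshly created file.
        if attrs[0] != "d" and "h" in attrs and "s" in attrs:
            add(m["path"], "created with hidden+system attributes")
    return findings


def proxy_findings(log):
    """Flag an IE proxy on a self-assigned 169.254/16 address: no ordinary
    proxy is reached that way, so whatever answers there needs identifying."""
    findings = []
    for m in PROXY_RE.finditer(log):
        try:
            addr = ip_address(m["host"])
        except ValueError:
            continue  # a hostname; the log alone says nothing about it
        if addr.is_link_local:
            findings.append(Finding(f"{m['host']}:{m['port']}",
                                    "proxy on a link-local address; find out what answers there"))
    return findings


def cfscript(findings):
    """Render the 'File::' block the way Reply #6 pastes it into CFScript.txt."""
    return "File::\n" + "\n".join(f.path for f in findings) + "\n"


if __name__ == "__main__":
    hits = shortlist(SAMPLE_LOG, since="2008-07-20")
    for f in hits + proxy_findings(SAMPLE_LOG):
        print(f"{f.path}: {f.reason}")
    print(cfscript(hits), end="")
```

On the sample above the shortlist is exactly the three files Reply #6 lists, in the same order; the proxy finding is reported separately because CFScript's File:: block only removes files.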
kidigi2lx
« Reply #7 on: July 29, 2008, 02:35:20 AM »

Thanks Pancake. Below is the HijackThis file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Common Files\AOL\1127536827\ee\AOLSoftware.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Updater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
c:\program files\common files\aol\1127536827\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\common files\aol\1127536827\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1127536827\ee\anotify.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.64.175:7212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo!

I can't write my signature on the computer screen so I'll just use this.
kidigi2lx
« Reply #8 on: July 29, 2008, 02:36:35 AM »

Here is the updated ComboFix file.


ComboFix 08-07-27.6 - Jovann Easter 2008-07-28 21:55:43.3 - NTFSx86
Running from: C:\Documents and Settings\Jovann Easter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jovann Easter\Desktop\cfscript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\arnsaewf.exe
C:\WINDOWS\system32\kbxccaxq.ini
C:\WINDOWS\system32\qxaccxbk.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\arnsaewf.exe
C:\WINDOWS\system32\kbxccaxq.ini
C:\WINDOWS\system32\qxaccxbk.dll

.
(((((((((((((((((((((((((   Files Created from 2008-06-28 to 2008-07-29  )))))))))))))))))))))))))))))))
.

2008-07-20 21:36 . 2008-07-20 21:36   <DIR>   d--------   C:\Program Files\Trend Micro
2008-07-20 14:50 . 2008-07-20 14:50   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-07-20 13:32 . 2008-07-20 13:32   <DIR>   d--------   C:\Documents and Settings\Rhody Guzman\Application Data\Yahoo!
2008-07-20 13:29 . 2008-07-20 13:29   <DIR>   d--------   C:\Documents and Settings\Rhody Guzman\Application Data\TmpRecentIcons
2008-07-20 12:57 . 2008-07-20 04:05   98,304   --a------   C:\WINDOWS\agpqlrfm.exe
2008-07-20 12:55 . 2008-07-20 12:55   65,536   ---hs----   C:\Documents and Settings\Jovann Easter\MediaTubeCodec_ver1.1463.0.exe
2008-06-29 20:52 . 2008-07-21 23:05   <DIR>   d--------   C:\Documents and Settings\Jovann Easter\Application Data\Apple Computer
2008-06-29 20:51 . 2008-06-29 20:52   <DIR>   d--------   C:\Program Files\iTunes
2008-06-29 20:51 . 2008-06-29 20:51   <DIR>   d--------   C:\Program Files\iPod
2008-06-29 20:50 . 2008-06-29 20:50   <DIR>   d--------   C:\Program Files\Bonjour
2008-06-29 20:47 . 2008-06-29 20:49   <DIR>   d--------   C:\Program Files\QuickTime
2008-06-29 20:46 . 2008-06-29 20:51   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-29 20:44 . 2008-06-29 20:44   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-06-29 20:42 . 2008-06-29 20:42   <DIR>   d--------   C:\Program Files\Common Files\Apple
2008-06-29 20:42 . 2008-06-29 20:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 01:55   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\DNA
2008-07-28 17:54   256   ----a-w   C:\Documents and Settings\Jovann Easter\pool.bin
2008-07-28 17:54   ---------   d-----w   C:\Program Files\Plaxo
2008-07-20 23:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 18:57   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-06-30 02:40   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 23:40   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Tenebril
2008-06-14 23:37   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\Yahoo!
2008-06-14 23:37   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-13 13:10   272,128   ----a-w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 21:59   ---------   d-----w   C:\Documents and Settings\Jovann Easter\Application Data\BitTorrent
2008-06-01 15:24   ---------   d-----w   C:\Program Files\DNA
2008-06-01 15:24   ---------   d-----w   C:\Program Files\BitTorrent
2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2008-04-29 17:14   208,896   ----a-w   C:\WINDOWS\system32\ConTest.dll
2007-10-13 13:51   34,568   -c--a-w   C:\Documents and Settings\Jovann Easter\Application Data\GDIPFONTCACHEV1.DAT
2005-06-29 18:21   9,883   -c--a-w   C:\Program Files\hijackthis.log
2005-02-16 15:06   218,112   -c--a-w   C:\Program Files\HijackThis.exe
2002-04-11 18:44   12,920   -c--a-w   C:\Program Files\Revision.txt
2002-04-11 18:43   55,279   -c--a-w   C:\Program Files\Delta.inf
2002-04-11 18:34   487,665   -c--a-w   C:\Program Files\deltapnl.ex_
2002-04-11 18:32   320,896   -c--a-w   C:\Program Files\delta.sys
2002-04-02 18:23   139,264   -c--a-w   C:\Program Files\DeltaUninstaller.exe
2002-04-02 18:22   24,576   -c--a-w   C:\Program Files\DeltTray.exe
2002-02-20 22:22   86,016   -c--a-w   C:\Program Files\delteasi.dll
2002-02-20 22:21   90,112   -c--a-w   C:\Program Files\deltasio.dll
2000-08-21 16:04   32,768   -c--a-w   C:\Program Files\DELTACPL.CPL
2004-08-04 07:56   73,728   -csha-w   C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe" [2008-04-14 17:36 227914]
"RIMDeviceManager"="C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2007-03-08 15:53 1320472]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-06-01 11:24 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 19:02 122880]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 22:50 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 12:00 245760]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" [2003-08-21 19:10 180224]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 16:39 147456]
"HostManager"="C:\Program Files\Common Files\AOL\1127536827\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43 57344]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03 81920]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 23:43 56320]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20 212992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-17 01:45 185896]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 21:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 56320 C:\WINDOWS\system32\DeltTray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
R3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
R3 MDX3LDR;Midex 3 - Firmware Loader;C:\WINDOWS\system32\Drivers\mdx3ldr.sys [2002-04-22 14:56]
R3 MIDEX3;Midex 3 - USB Midi Driver;C:\WINDOWS\system32\drivers\midex3.sys [2002-05-17 18:09]
R4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.syS []
R4 LMIRfsClientNP;LMIRfsClientNP;C:\WINDOWS\system32\DRIVERS\LMIRfsClientNP.syS []
S1 Asapi;Asapi;C:\WINDOWS\system32\DRIVERS\Asapi.syS [2002-04-17 20:27]
S1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido\security suite\guard.sys [2004-11-22 10:15]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]

.
Contents of the 'Scheduled Tasks' folder

2008-07-29 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Jovann Easter).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2003-08-21 19:10]

2008-07-29 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Jovann Easter).job
- C:\PROGRA~1\McAfee.com\Agent [2007-04-19 14:58]

2008-07-29 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Rhody Guzman).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2003-08-21 19:10]

2008-07-29 C:\WINDOWS\Tasks\McAfee.com Update Check (JOVANN-9NNDT3BQ-Rhody Guzman).job
- C:\PROGRA~1\McAfee.com\Agent [2007-04-19 14:58]

2008-02-23 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- C:\Program Files\Microsoft IntelliType Pro\itype.exe [2006-11-21 21:08]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 21:58:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-07-28 22:04:00
ComboFix-quarantined-files.txt  2008-07-29 02:03:36
ComboFix2.txt  2008-07-28 17:24:44
ComboFix3.txt  2008-07-23 10:11:40

Pre-Run: 7,774,330,880 bytes free
Post-Run: 7,761,383,424 bytes free

166   --- E O F ---   2008-07-28 07:01:28

I can't write my signature on the computer screen so I'll just use this.
Pancake
Global Moderator
« Reply #9 on: July 29, 2008, 03:23:10 AM »

Ok, that's good. You should be fine now.

This will clear away any of the files and folders that were created by ComboFix.

Go to Start > Run, then copy and paste the following highlighted text into the box and click OK.



ComboFix /u

=============================

Now that you are clean, and if you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure. They can be done at your leisure.

Download and scan with CCleaner from http://www.ccleaner.com/downloadbuilds.asp

1. Starting with v1.27.260, http://www.ccleaner.com/downloadbuilds.asp installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:

An Australian Member of

EDDY