Ok, I did everything you told me along with submitting the file from ComboFix. Here are all the log files:
FRESH HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:09 AM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\***\Desktop\HiJackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = linsky_SES_14810
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe
--
End of file - 3163 bytes
ONLINE SCAN:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 02, 2007 11:57:26 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 2/10/2007
Kaspersky Anti-Virus database records: 426392
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: false
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 17760
Number of viruses found: 19
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 00:48:44
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\***\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\***\Desktop\backups\backup-20021106-054745-879.dll Infected: Trojan-Downloader.Win32.VB.bkb skipped
C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\***\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\***\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\***\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\***\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oembios32.dll.vir Infected: Trojan-Downloader.Win32.VB.bkb skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP10\A0001849.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP12\A0001991.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002087.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002088.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002096.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002098.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002099.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002100.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002101.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002102.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002103.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002104.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002105.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002106.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002107.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002108.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002109.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002110.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002112.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002113.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002115.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002117.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002118.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002119.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002121.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002122.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002123.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP15\A0002124.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP16\A0002224.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP16\A0002225.exe Infected: not-a-virus:AdWare.Win32.OneStep.b skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP16\A0002227.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP16\A0002228.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP16\A0002229.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP16\A0002230.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP16\A0002263.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP16\A0002280.exe Object is locked skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP18\A0002343.exe Object is locked skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP23\A0002541.dll Infected: Trojan-Downloader.Win32.VB.bkb skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP36\A0004800.exe Object is locked skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP37\A0004822.exe Object is locked skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP37\A0004833.exe Object is locked skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP37\A0004838.dll Infected: Trojan-Downloader.Win32.VB.bkb skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP38\A0004904.dll Infected: Trojan-Downloader.Win32.VB.bkb skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP4\A0000150.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{F7A064C5-293B-412B-A8B1-322EA6FA3B74}\RP40\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
COMBOFIX:
ComboFix 07-10-02.2 - *** 2007-10-02 10:36:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.93 [GMT -7:00]
Running from: C:\Documents and Settings\***\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\***\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\ace16win.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\winh32.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.
2007-09-30 21:26 <DIR> d-------- C:\Inetpub
2007-09-30 18:06 505,984 --a------ C:\WINDOWS\system32\Mrvw243.sys
2007-09-30 18:06 505,984 --a------ C:\WINDOWS\system32\drivers\Mrvw243.sys
2007-09-30 18:06 489,216 --a------ C:\WINDOWS\system32\Mrvw245.sys
2007-09-30 18:06 489,216 --a------ C:\WINDOWS\system32\drivers\MRVW245.sys
2007-09-30 18:05 <DIR> d-------- C:\Program Files\Linksys
2007-09-30 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-09-30 17:42 <DIR> d-------- C:\Documents and Settings\***\Application Data\Apple Computer
2007-09-30 17:38 <DIR> d-------- C:\Program Files\ICQLite
2007-09-30 15:36 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2007-09-29 22:53 <DIR> d-------- C:\Documents and Settings\***\Application Data\AOL
2007-09-29 22:50 <DIR> d-------- C:\Program Files\Common Files\aolback
2007-09-29 22:50 <DIR> d-------- C:\MAV
2007-09-29 22:50 <DIR> d-------- C:\aolextras
2007-09-29 22:49 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-09-29 22:49 <DIR> d-------- C:\Documents and Settings\***\Application Data\You've Got Pictures Screensaver
2007-09-29 22:48 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-09-29 22:48 <DIR> d-------- C:\Program Files\QuickTime
2007-09-29 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-09-29 22:47 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2007-09-29 22:47 <DIR> d-------- C:\Program Files\Real
2007-09-29 22:47 <DIR> d-------- C:\Program Files\Common Files\Real
2007-09-29 22:47 <DIR> d-------- C:\My Music
2007-09-29 22:46 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2007-09-29 22:46 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2007-09-29 22:46 <DIR> d-------- C:\Program Files\Pure Networks
2007-09-29 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-09-29 22:44 335 --a------ C:\WINDOWS\nsreg.dat
2007-09-29 22:44 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-09-29 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-09-29 22:43 <DIR> d--h----- C:\TEMP
2007-09-29 22:35 <DIR> d-------- C:\Program Files\VideoProfessor
2007-09-29 22:17 <DIR> d-------- C:\Documents and Settings\***\Application Data\Help
2007-09-29 22:06 <DIR> d-------- C:\Acrobat3
2007-09-29 22:05 298,496 --a------ C:\WINDOWS\uninst.exe
2007-09-29 22:05 <DIR> d-------- C:\Program Files\Davidson's Learning Center
2007-09-29 22:05 <DIR> d-------- C:\Documents and Settings\***\WINDOWS
2007-09-29 11:11 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-29 11:11 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-29 10:55 <DIR> d-------- C:\WINDOWS\system32\msmq
2007-09-26 14:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-26 14:24 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-25 22:27 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-09-25 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-24 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-23 12:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-23 11:57 <DIR> d-------- C:\Documents and Settings\***\Application Data\Leadertech
2007-09-23 10:22 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-09-22 21:53 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-09-21 04:37 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-09-21 04:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-09-19 14:57 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-19 14:57 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-09-17 17:50 <DIR> d---s---- C:\Documents and Settings\***\UserData
2007-09-17 17:49 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-17 17:49 <DIR> d-------- C:\Documents and Settings\***\Application Data\Yahoo!
2007-09-17 17:48 <DIR> d-------- C:\WINDOWS\cache
2007-09-17 17:23 <DIR> d-------- C:\Documents and Settings\***\Application Data\Google
2007-09-17 17:21 <DIR> d-------- C:\Program Files\Google
2007-09-17 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-17 16:18 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-09-17 16:18 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
---- Directory of C:\Documents and Settings\***\WINDOWS ----
C:\Documents and Settings\***\WINDOWS\
---- Directory of C:\WINDOWS\system32\msmq ----
2007-09-30 21:36 36 --a------ C:\WINDOWS\system32\msmq\storage\MQTrans.lg1
2007-09-30 21:36 12 --a------ C:\WINDOWS\system32\msmq\storage\MQInSeqs.lg1
2007-09-30 21:22 36 --a------ C:\WINDOWS\system32\msmq\storage\MQTrans.lg2
2007-09-30 21:22 12 --a------ C:\WINDOWS\system32\msmq\storage\MQInSeqs.lg2
2007-09-29 10:55 934 --a------ C:\WINDOWS\system32\msmq\storage\lqs\00000010.b2b96bd6
2007-09-29 10:55 811 --a------ C:\WINDOWS\system32\msmq\mapping\sample_map.xml
2007-09-29 10:55 6291456 --a------ C:\WINDOWS\system32\msmq\storage\QMLog
2007-09-29 10:55 1158 --a------ C:\WINDOWS\system32\msmq\storage\lqs\00000005.9e2ce5a7
2007-09-29 10:55 1138 --a------ C:\WINDOWS\system32\msmq\storage\lqs\00000003.6ab7c4b8
2007-09-29 10:55 1134 --a------ C:\WINDOWS\system32\msmq\storage\lqs\00000004.4c1eb11b
2007-09-29 10:55 1134 --a------ C:\WINDOWS\system32\msmq\storage\lqs\00000002.990736e8
2007-09-29 10:55 1130 --a------ C:\WINDOWS\system32\msmq\storage\lqs\00000001.62ef0279
((((((((((((((((((((((((((((( snapshot@2007-10-02_ 6.06.50.95 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-09-28 16

08 C:\WINDOWS\catchme.exe
----a-w 51,200 2007-06-17 07:11:58 C:\WINDOWS\NirCmd.exe
----a-w 163,328 2007-03-13 17:57:10 C:\WINDOWS\erdnt\subs\ERDNT.EXE
----a-w 40,922 2002-11-06 07:09:46 C:\WINDOWS\system32\perfc009.dat
----a-w 316,368 2002-11-06 07:09:46 C:\WINDOWS\system32\perfh009.dat
----a-w 844,800 2007-07-23 01:39:27 C:\WINDOWS\system32\swreg.exe
.
----a-w 135,168 2007-09-28 17

08 C:\WINDOWS\catchme.exe
----a-w 51,200 2007-06-17 08:11:58 C:\WINDOWS\NirCmd.exe
----a-w 163,328 2007-03-13 18:57:10 C:\WINDOWS\erdnt\subs\ERDNT.EXE
----a-w 40,922 2002-11-06 07:04:56 C:\WINDOWS\system32\perfc009.dat
----a-w 316,368 2002-11-06 07:04:56 C:\WINDOWS\system32\perfh009.dat
----a-w 844,800 2007-07-23 02:39:27 C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-09-29 22:47]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2002-11-06 00:29]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
regsvr32 /s mqrt.dll
R2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe"
R3 DLH5X;D-Link DL10050 based Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\DLH5XND5.sys
R3 MQAC;Message Queuing access control;\??\C:\WINDOWS\system32\drivers\mqac.sys
R3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\system32\drivers\RMCast.sys
R3 SiS300i;SiS300i;C:\WINDOWS\system32\DRIVERS\sis300ip.sys
R3 SiS7018;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\ac97sis.sys
S2 EGNHOLYT;EGNHOLYT;\??\C:\WINDOWS\system32\egnholyt.kyf
S2 MSMQ;Message Queuing;C:\WINDOWS\system32\mqsvc.exe
S2 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\system32\mqtgsvc.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 10:44:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-02 10:48:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 10:47
C:\ComboFix2.txt ... 2007-10-02 06:08
.
--- E O F ---