01-21-2008, 06:32 AM   #22
BunnMan
Registered User
 
Join Date: Jan 2008
Posts: 30
OS: Windows XP Home SP2 V.5.1


Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner

OK, after ComboFix finished, it will now run HijackThis as well. Here's the ComboFix log:

ComboFix 08-01-20.1 - Daddy 2008-01-21 5:58:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.196 [GMT -5:00]
Running from: C:\Documents and Settings\Daddy\Desktop\Comb.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\BEEP.SYS
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Daddy\Application Data\printer.exe
C:\Documents and Settings\Daddy\g2mdlhlpx.exe
C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\FunWebProducts
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\medichi.exe
C:\WINDOWS\medichi2.exe
C:\WINDOWS\murka.dat
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\configs
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\suspend.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\trayicon.exe
C:\WINDOWS\windsk.dll
C:\WINDOWS\wsystmp_fpf.exe
C:\WINDOWS\wsystmp_vss.exe
C:\WINDOWS\wsystmp_vxj.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\nm


((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 05:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 17:51 . 2008-01-15 17:51 <DIR> d-------- C:\Deckard
2008-01-15 17:38 . 2008-01-15 17:45 <DIR> d-------- C:\ie-spyad_zo
2008-01-15 17:31 . 2008-01-15 17:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-15 16:57 . 2008-01-15 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-15 16:49 . 2008-01-19 08:11 16,384 --a------ C:\WINDOWS\SYSTEM32\nod32se.exe
2008-01-15 16:25 . 2008-01-15 16:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-14 17:10 . 2008-01-14 17:10 <DIR> d-------- C:\Documents and Settings\Daddy\Application Data\InfeStop.com
2008-01-14 17:09 . 2008-01-14 17:10 <DIR> d-------- C:\Program Files\InfeStop
2008-01-14 14:00 . 2008-01-14 14:00 <DIR> d-------- C:\Program Files\Spy-Rid
2008-01-14 14:00 . 2008-01-14 14:00 <DIR> d-------- C:\Documents and Settings\Daddy\Application Data\spy-rid.com
2008-01-14 13:55 . 2008-01-14 13:55 <DIR> d-------- C:\Program Files\SystemDefender
2008-01-14 13:55 . 2005-05-15 01:05 98,709 --a------ C:\Documents and Settings\Daddy\Application Data\sysdefender.exe
2008-01-14 13:39 . 2008-01-19 08:11 80 --a------ C:\WINDOWS\SYSTEM32\suspend.bin
2008-01-14 13:21 . 2008-01-14 13:21 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-14 13:21 . 2008-01-14 13:21 <DIR> d-------- C:\Documents and Settings\Daddy\Application Data\EasySpywareCleaner.com
2008-01-14 11:47 . 2008-01-20 11:33 16,384 --a------ C:\WINDOWS\SYSTEM32\userv32.dat
2008-01-14 11:22 . 2008-01-15 14:41 18,944 --a------ C:\WINDOWS\SYSTEM32\wowfx(2).dll
2008-01-14 11:04 . 2008-01-14 11:04 34,049 --a------ C:\Documents and Settings\Daddy\wn852.exe
2008-01-03 20:05 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2008-01-03 20:05 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll
2007-12-25 08:10 . 2008-01-14 11:46 <DIR> d-------- C:\Program Files\iTunes
2007-12-25 08:10 . 2007-12-25 08:10 <DIR> d-------- C:\Program Files\iPod
2007-12-25 08:00 . 2008-01-14 11:46 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 07:57 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 00:11 --------- d-----w C:\Program Files\Quicken
2008-01-18 09:44 --------- d-----w C:\Program Files\PurgeIE
2008-01-15 22:13 --------- d-----w C:\Program Files\Trend Micro
2008-01-15 21:40 --------- d-----w C:\Program Files\Yahoo!
2008-01-15 21:40 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-14 16:44 90,112 ----a-w C:\WINDOWS\updreg.exe
2007-12-30 20:01 --------- d-----w C:\Program Files\RealFlightG3
2007-12-25 12:58 --------- d-----w C:\Program Files\Apple Software Update
2007-12-16 16:23 --------- d-----w C:\Program Files\Common Files\KnifeEdge
2007-12-15 20:52 --------- d-----w C:\Program Files\Napster
2007-12-15 20:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-04 10:28 36,992 -c--a-w C:\Documents and Settings\Daddy\Application Data\GDIPFONTCACHEV1.DAT
2007-02-22 21:40 630,784 -c--a-w C:\Documents and Settings\Daddy\GoToAssist_chat2way__317_en.exe
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2005-11-18 16:56 399,748 -csha-w C:\WINDOWS\SYSTEM32\ghhkj.bak1
2005-11-20 16:56 435,932 -csha-w C:\WINDOWS\SYSTEM32\ghhkj.bak2
.
Files Infected - Win32.Agent.zb
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.exe
C:\WINDOWS\UpdReg.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Auto EPSON Stylus C64 Series on DADSOLD"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.exe" [2008-01-14 11:44 99840]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2008-01-14 11:44 90112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-01-14 11:44 49152]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2008-01-14 11:44 57344]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-14 11:44 339968]
"EPSON Stylus C64 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.exe" [2008-01-14 11:44 99840]
"EPSON PictureMate Deluxe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe" [2008-01-14 11:44 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-14 11:44 8720384]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-08-22 17:21 145920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-12 23:53:19 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-05-29 10:30:02 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-08-22 17:21 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^Epson printer Registration.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\Epson printer Registration.lnk
backup=C:\WINDOWS\pss\Epson printer Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2008-01-14 11:44 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-01-14 11:44 421888 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2004-09-15 02:01 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
--a--c--- 2006-07-14 15:36 107008 C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-14 11:44 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a--c--- 2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-06-10 12:51 60928 C:\WINDOWS\SYSTEM32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\system32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a--c--- 2004-11-11 11:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-14 11:44 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2006-06-17 12:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\samycanu]
C:\Program Files\Messenger\samycanu22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
C:\WINDOWS\system32\ihxkhqww.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-06-17 12:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{79-94-4C-C9-ZN}]
C:\windows\system32\lsdsrngr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LexBceS"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2008-01-19 16:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-18 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (BUNNMAN-Daddy).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 06:05:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
Completion time: 2008-01-21 6:10:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 11:10:38
.
2007-12-19 08:01:28 --- E O F ---