Thank you for your reply and help. The contents of ComboFix.txt and hijackthis.log are posted below.
ComboFix.txt
ComboFix 08-06-15.4 - RAC 2008-06-16 13:26:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.245 [GMT -5:00]
Running from: C:\Documents and Settings\RAC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RAC\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\vidmon
C:\Documents and Settings\All Users\Application Data\vidmon\vidmon.inf
C:\lswmv.ini
C:\Program Files\Common Files\uninstall information
C:\Program Files\winupdates
C:\WINDOWS\BM33b25e46.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtqrqnK.dll
C:\WINDOWS\system32\axmhojmf.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cpwacecx.dll
C:\WINDOWS\system32\crwrpkvu.ini
C:\WINDOWS\system32\cxvhdnix.ini
C:\WINDOWS\SYSTEM32\DNUCcMoq.ini
C:\WINDOWS\SYSTEM32\DNUCcMoq.ini2
C:\WINDOWS\system32\doqsftoj.dll
C:\WINDOWS\system32\eorvoqwx.dll
C:\WINDOWS\system32\evmryhhl.dll
C:\WINDOWS\SYSTEM32\FPYyGMoq.ini
C:\WINDOWS\SYSTEM32\FPYyGMoq.ini2
C:\WINDOWS\system32\hbhhcknf.ini
C:\WINDOWS\system32\hgGyaYQh.dll
C:\WINDOWS\system32\hnnojfcf.dll
C:\WINDOWS\SYSTEM32\hQYayGgh.ini
C:\WINDOWS\SYSTEM32\hQYayGgh.ini2
C:\WINDOWS\system32\iifdDwtt.dll
C:\WINDOWS\system32\jnbgbgwq.dll
C:\WINDOWS\system32\kmlallfp.dll
C:\WINDOWS\system32\lnbhosvv.dll
C:\WINDOWS\system32\lqrnobye.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\ncjrujps.ini
C:\WINDOWS\system32\orpyhlnr.dll
C:\WINDOWS\system32\pigbnvdx.dll
C:\WINDOWS\system32\rnlhypro.ini
C:\WINDOWS\system32\rsfhnhak.dll
C:\WINDOWS\system32\spjurjcn.dll
C:\WINDOWS\system32\stgxeuoy.dll
C:\WINDOWS\system32\vidmon
C:\WINDOWS\system32\vqbncibq.dll
C:\WINDOWS\system32\wjjueatj.dll
C:\WINDOWS\SYSTEM32\xcecawpc.ini
C:\WINDOWS\SYSTEM32\xdvnbgip.ini
C:\WINDOWS\system32\xindhvxc.dll
C:\WINDOWS\system32\xwqovroe.ini
C:\WINDOWS\SYSTEM32\xxbayccf.ini
C:\WINDOWS\SYSTEM32\xxbayccf.ini2
C:\WINDOWS\system32\ywrqqsoq.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.
2008-06-12 08:59 . 2008-06-12 19:56 415 --ahs---- C:\WINDOWS\SYSTEM32\aonyfnux.ini
2008-06-11 23:30 . 2008-06-11 23:30 <DIR> d-------- C:\cabs
2008-06-11 00:45 . 2008-06-11 00:45 <DIR> d-------- C:\Deckard
2008-06-11 00:38 . 2008-06-11 00:41 <DIR> d-------- C:\ZonedOut
2008-06-10 11:34 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\COH_Mon.sys
2008-06-10 11:34 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\COH_Mon.cat
2008-06-10 11:34 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\COH_Mon.inf
2008-06-10 10:19 . 2008-06-10 10:19 1,579,228 --ahs---- C:\WINDOWS\SYSTEM32\hbhhcknf.tmp
2008-06-10 08:58 . 2008-06-12 20:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 08:56 . 2008-06-10 09:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-10 08:36 . 2008-06-10 08:36 <DIR> d-------- C:\ie-spyad_zo
2008-06-10 01:02 . 2008-06-10 10:31 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-06-10 01:02 . 2008-06-10 10:31 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-06-10 01:02 . 2008-06-10 10:31 10,671 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.CAT
2008-06-10 01:02 . 2008-06-10 10:31 805 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.INF
2008-06-09 12:42 . 2008-06-09 12:42 <DIR> d-------- C:\Program Files\Panda Security
2008-06-08 23:45 . 2008-06-08 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 19:16 . 2008-06-07 19:16 58 --a------ C:\WINDOWS\swcmpc.ini
2008-06-07 19:16 . 2008-06-07 19:17 21 --a------ C:\WINDOWS\progman.ini
2008-06-07 19:06 . 2008-06-12 10:23 10 --a------ C:\WINDOWS\popcinfo.dat
2008-06-07 18:31 . 2008-06-07 18:31 <DIR> d-------- C:\Program Files\Justdo Software
2008-06-07 18:31 . 2008-06-08 13:30 <DIR> d-------- C:\Program Files\Common Files\Justdo
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 19:13 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd9917.sys
2008-06-16 18:25 --------- d-----w C:\Documents and Settings\RAC\Application Data\uTorrent
2008-06-16 03:17 --------- d-----w C:\Program Files\FlashFXP
2008-06-15 17:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-13 13:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiSpyInfo
2008-06-11 05:57 --------- d---a-w C:\Documents and Settings\RAC\Application Data\yahoo!
2008-06-10 17:09 --------- d-----w C:\Program Files\XLink Kai Evolution VII
2008-06-10 16:34 --------- d-----w C:\Program Files\Symantec
2008-06-10 16:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-10 05:57 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-09 04:45 --------- d-----w C:\Program Files\Lavasoft
2008-06-09 04:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 23:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 18:47 --------- d-----w C:\Program Files\Maxthon2
2008-05-15 08:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-13 19:21 --------- d-----w C:\Program Files\DVDlabPro2
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-18 04:39 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-18 04:06 --------- d-----w C:\Program Files\Maxthon
2008-04-16 02:36 --------- d-----w C:\Documents and Settings\RAC\Application Data\Intuit
2008-04-16 02:22 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-16 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-16 02:21 --------- d-----w C:\Program Files\TurboTax
2006-03-25 16:14 24,192 -c--a-w C:\Documents and Settings\RAC\usbsermptxp.sys
2006-03-25 16:14 22,768 -c--a-w C:\Documents and Settings\RAC\usbsermpt.sys
1999-04-30 22:00 98,304 ----a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2005-03-29 08:40 56 -csha-r C:\WINDOWS\SYSTEM32\2C4FDA4CB3.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF0C7BE5-5A0C-4A66-94ED-C8E9CEC86E36}]
C:\WINDOWS\system32\qoMGyYPF.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21 4662776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-02-05 09:30 219952]
"Sonic RecordNow!"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-22 18:34 155648]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"AGRSMMSG"="AGRSMMSG.exe" [2004-04-13 14:49 88363 C:\WINDOWS\AGRSMMSG.exe]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07 114688]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 02:11 771704]
C:\Documents and Settings\RAC\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-29 16:48:51 98304]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2006-08-10 17:28:47 127488]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{CC3E6789-0120-1A20-04B0-087AFF6D2EA4}"= blank [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"vidc.mjpg"= mcmjpg32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^RAC^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
E:\Program Files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 08:51 306688 C:\Program Files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
--a--c--- 2005-04-19 19:17 352256 C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 01:07 114688 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 01:19 155648 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2003-12-10 05:52 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-22 18:34 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysmonnt]
C:\WINDOWS\System32\sysmonnt
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Photo Express Calendar Checker]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a--c--- 2005-03-28 20:24 28616 C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsFZ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 17:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"Themes"=2 (0x2)
"Spooler"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Xbox-Hq PC Essentials\\MooGUI\\MooGUI.exe"=
"C:\\Program Files\\Xbox-Hq PC Essentials\\Qwix 1.01\\Qwix.exe"=
"C:\\Program Files\\Xbox-Hq PC Essentials\\Xbox Saves Manager\\XSaveMgr.exe"=
"C:\\Program Files\\XLink Kai Evolution 7\\kaiLaunch.exe"=
"C:\\Program Files\\XLink Kai Evolution VII\\kaiLaunch.exe"=
"C:\\Program Files\\XLink Kai Evolution VII\\kaiEngine.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Maxthon\\Maxthon.exe"=
"C:\\Program Files\\Xbox-Hq PC Essentials\\C-Xbox Tool 2\\cxboxtool.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\mIRC\\mirc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:abc2
"22485:TCP"= 22485:TCP:abc3
S2 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"C:\ColdFusionSearchService\k2\_nti40\bin\k2admin.exe" -cfg "C:\ColdFusionSearchService\k2\common\verity.cfg" -ntstart 1 []
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 06:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 05:28]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-17 13:48]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);C:\WINDOWS\system32\Drivers\xbreader.sys [2001-01-02 23:53]
S4 Appsdsk;Appsdsk;C:\WINDOWS\System32\drivers\agpv04nt.sys []
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2004-12-17 20:40:13 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2008-06-10 14:37:13 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - RAC.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-16 14:19:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PSSdk21]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\HNPsSdk.drv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\brss01a.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-06-16 14:46:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 19:45:21
Pre-Run: 14,980,149,248 bytes free
Post-Run: 15,508,217,856 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
305 --- E O F --- 2008-05-28 08:02:56
hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:25 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\RAC\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\RAC.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) =
http://targetclicks.net/srch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://securityresponse.symantec.com...age/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {DF0C7BE5-5A0C-4A66-94ED-C8E9CEC86E36} - C:\WINDOWS\system32\qoMGyYPF.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {69518E7C-D986-4E77-A49C-49A204746D22} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {69518E7C-D986-4E77-A49C-49A204746D22} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {AD2439F5-1E46-42CD-9CB7-CC5D74032497} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AD2439F5-1E46-42CD-9CB7-CC5D74032497} - (no file) (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone:
http://download.windowsupdate.com
O16 - DPF: NDWCab -
http://www.neededware.com/NDWCab.CAB
O16 - DPF: Yahoo! Checkers -
http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Dominoes -
http://download.games.yahoo.com/game...s/y/dot8_x.cab
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!
http://195.95.218.82/users/zoom/web/...m::/update.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} -
http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -
http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) -
https://disneyblast.go.com/v3/setup/...areControl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/13c3dce5...p/RdxIE601.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsof...?1130582841078
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -
http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} -
http://69.56.176.76/webplugin.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) -
http://www.andersonfloors.com:8000/i...image40930.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) -
http://us.dl1.yimg.com/download.yaho...opper1_6us.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) -
http://a.download.toontown.com/sv1.0.21.10/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) -
http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) -
http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) -
http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) -
http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5D81DDE-E2A9-40AB-B7B9-FBA8A1FB4FCD}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{04476BFC-2143-428B-91EB-327F1F3C2404}: NameServer = 69.50.184.84,195.225.176.37
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O22 - SharedTaskScheduler: Network Load Monitor - {CC3E6789-0120-1A20-04B0-087AFF6D2EA4} - blank (file missing)
O22 - SharedTaskScheduler: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\ColdFusionSearchService\k2\_nti40\bin\k2admin.exe (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
--
End of file - 13340 bytes