Thank you so much 1972vet!! I was starting to wonder if I'd fallen between the cracks (so to speak). I'm systematically going through the list 1 step at a time. Here it is as it happens:
- No LimeWire or DSS in Add/Remove Programs. Did a search and removed any remnants found. LimeWire is deleted and loaded in a bit of a tug-of-war in the office.
- Only had dss.exe on the desktop. Deleted it.
- I was wondering about PartyPoker as a source of bad code, so it's gone too. These can be played online; is this still a threat in your opinion?
- HJT installed successfully.
- TeaTimer function in Spybot already unchecked.
- ComboFix and Recovery Console installed without problem.
Reports as follows:
ComboFix 08-08-26.02 - susan 2008-08-26 20:38:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.492 [GMT -4:00]
Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.
2008-08-26 20:09 . 2008-08-26 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-26 13:41 . 2008-08-26 13:41 250 --a------ C:\WINDOWS\gmer.ini
2008-08-22 20:10 . 2008-08-22 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-08-22 20:10 . 2008-08-22 20:10 5,752 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-08-22 20:09 . 2008-08-22 20:09 <DIR> d-------- C:\Documents and Settings\susan\Application Data\GTek
2008-08-15 11:02 . 2008-08-15 15:19 <DIR> d-------- C:\Documents and Settings\Office\Application Data\Skype
2008-08-13 02:31 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 02:31 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-07 08:01 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-05 11:37 . 2008-08-05 11:37 <DIR> d-------- C:\Program Files\PaulB
2008-08-05 11:37 . 2008-08-05 11:37 <DIR> d-------- C:\Documents and Settings\susan\Application Data\Get Mail
2008-07-30 13:59 . 2006-11-30 17:09 57,344 --a------ C:\WINDOWS\system32\ssdevm.dll
2008-07-30 13:59 . 2006-08-15 18:42 49,152 --a------ C:\WINDOWS\system32\ssusbpn.dll
2008-07-30 13:59 . 2004-08-11 15:39 41,984 -ra------ C:\WINDOWS\system32\drivers\DgivEcp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 00:19 --------- d-----w C:\Documents and Settings\susan\Application Data\Skype
2008-08-27 00:05 --------- d-----w C:\Documents and Settings\susan\Application Data\skypePM
2008-08-26 23:49 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-08-26 23:41 --------- d-----w C:\Program Files\PartyGaming
2008-08-26 23:39 --------- d-----w C:\Program Files\Java
2008-08-26 04:40 --------- d-----w C:\Program Files\Blue Coat K9
2008-08-23 03:44 --------- d-----w C:\Program Files\Skype
2008-08-22 15:09 --------- d-----w C:\Documents and Settings\Office\Application Data\U3
2008-08-14 03:11 --------- d-----w C:\Documents and Settings\susan\Application Data\U3
2008-08-07 12:00 --------- d-----w C:\Program Files\Panda Security
2008-08-07 11:34 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-31 15:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 17:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 12:07 --------- d-----w C:\Program Files\DAEMON Tools
2008-07-10 20:15 --------- d-----w C:\Program Files\Google
2008-07-10 19:32 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-07 12:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-01 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2008-06-29 02:43 --------- d-----w C:\Program Files\QuickTime
2008-06-28 18:07 --------- d-----w C:\Program Files\MYOB
2008-06-26 08:15 619,520 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-23 15:09 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-06-23 15:09 3,067,392 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-11 17:46 21741864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-07-28 09:29 102400]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [2005-07-27 17:07 765952]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2005-06-16 15:48 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-11 09:03 708697]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2005-09-13 21:55 1668096]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 21:05 344064]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
ASUS ChkMail.lnk.disabled [2006-04-21 15:34:54 1578]
HDBackup.lnk.disabled [2008-05-08 12:32:10 850]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"updateMgr"=c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"ASUS Live Update"=C:\Program Files\ASUS\ASUS Live Update\ALU.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 cwmtdi;cwmtdi;C:\WINDOWS\system32\drivers\cwmtdi.sys [2007-05-14 19:04]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-05-22 22:30]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 CH341SER;CH341SER;C:\WINDOWS\system32\Drivers\CH341SER.SYS [2006-06-05 00:00]
S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2005-06-08 15:55]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;E:\PNDIS5.SYS []
S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\DRIVERS\YH-820.sys [2004-09-09 20:42]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43a14769-3ecd-11dd-acb9-0015f2d86387}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3f0f166-625c-11dd-ad32-0015f2d86387}]
\Shell\AutoRun\command - G:\setupSNK.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-08-27 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\susan\Application Data\Mozilla\Firefox\Profiles\deiisudm.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.au/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-26 20:40:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-26 20:41:50
ComboFix-quarantined-files.txt 2008-08-27 00:41:44
Pre-Run: 33,128,889,344 bytes free
Post-Run: 33,285,111,808 bytes free
146 --- E O F --- 2008-08-13 07:04:48
----------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:41 PM, on 8/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Blue Coat K9\k9filter.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
https://evgausperfm1.envirogold.com/...e%2flogin.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS ChkMail.lnk.disabled
O4 - Global Startup: HDBackup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -
http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe
--
End of file - 5992 bytes
Good luck and thanks again!!