Tech Support Forum > Security Center > HijackThis Log Help
01-04-2008, 04:53 PM #41
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Hi Katana,

I'm home now! We had a great time!

Here is the new log from the latest combofix. I hope it looks good!

Caryn



ComboFix 07-12-31.4 - Owner 2008-01-04 19:26:00.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.163 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\wbem\fcorouvnb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wbem\fcorouvnb.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 19:21 . 2008-01-04 19:21 72 --a------ C:\WINDOWS\system32\cflInfo.nt
2008-01-01 16:25 . 2008-01-01 16:25 <DIR> d-------- C:\Program Files\Panda Security
2008-01-01 10:32 . 2008-01-01 14:35 47 --a------ C:\WINDOWS\system32\wcbnurect.fl
2008-01-01 02:24 . 2008-01-01 02:24 12 --a------ C:\WINDOWS\0494ac5aa2.dll
2008-01-01 02:24 . 2008-01-01 02:24 0 --a------ C:\WINDOWS\system32\dnabeser.dat
2008-01-01 02:19 . 2008-01-04 19:42 420 --a------ C:\WINDOWS\system32\e8ae8279a2.dll
2007-12-31 23:14 . 2007-12-31 23:27 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-31 23:14 . 2007-12-31 23:27 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-31 23:13 . 2007-12-31 23:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-31 23:12 . 2008-01-04 19:45 3,911,968 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-31 23:12 . 2008-01-02 06:59 52,532 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-31 23:12 . 2008-01-04 19:44 29,984 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-31 23:12 . 2008-01-02 06:59 3,524 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-31 23:11 . 2007-12-31 23:11 <DIR> d-------- C:\KAV
2007-12-31 22:44 . 2007-12-31 22:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-31 22:44 . 2007-12-31 22:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-31 22:43 . 2007-12-31 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-31 18:50 . 2007-12-31 18:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-31 18:50 . 2008-01-04 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-31 18:21 . 2007-12-31 18:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-31 12:40 . 2007-12-31 12:40 130 --a------ C:\WINDOWS\system32\tablet.dat
2007-12-31 10:34 . 2007-12-31 10:34 <DIR> d--hs---- C:\Documents and Settings\NetworkService\UserData
2007-12-29 10:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 10:59 . 2007-12-28 10:59 <DIR> d-------- C:\Program Files\Windows Live
2007-12-28 10:59 . 2007-12-28 10:59 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-28 10:59 . 2005-12-28 13:22 <DIR> d-------- C:\Program Files\Incesoft
2007-12-28 10:59 . 2007-12-28 10:59 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-12-14 21:23 . 2007-12-27 14:19 <DIR> d-------- C:\Program Files\Evrsoft First Page 2006

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 04:07 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-12-28 15:51 --------- d-----w C:\Program Files\LimeWire
2007-12-28 15:51 --------- d-----w C:\Program Files\iWin.com
2007-12-26 01:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 13:50 --------- d-----w C:\Program Files\Java
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-24 14:29 32,524 ----a-w C:\WINDOWS\Fonts\diploma.zip
2007-02-06 21:01 6,252,136 ----a-w C:\Program Files\winzip100.exe
2005-12-07 18:47 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2005-12-28_13.28.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 19:37:26 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-07-18 19:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2007-12-31 21:18:02 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-31 23:22:00 5,484,544 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-31 23:22:00 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-31 21:18:02 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-31 23:21:46 5,484,544 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-12-31 23:21:46 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2005-08-26 18:10:33 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-05 00:14:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-08-26 18:10:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-05 00:14:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-26 18:10:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-05 00:14:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2008-01-01 04:28:41 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
+ 2008-01-01 07:24:41 518,144 ----a-w C:\WINDOWS\system32\wbem\9142\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Washer"="C:\Program Files\Washer\washer.exe" [2001-06-22 15:29 722432]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"EPSON Stylus CX5000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.exe" [2006-10-18 06:01 143360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-06-03 13:01 496640 C:\WINDOWS\zHotkey.exe]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 17:18 135168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50 204800]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-22 16:29 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 14:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-07 13:57 155648]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 18:54 99480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-30 14:11:05]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-09-28 05:52:35]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-02-27 01:44:01]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-22 23:20:09]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe [2005-11-07 01:29]
S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe [2006-01-13 02:37]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 19:45:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 19:47:29
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-05 00:47:11
C:\qoobox\ComboFix2.txt 2008-01-01 07:26:00
C:\qoobox\ComboFix3.txt 2008-01-01 02:55:07
C:\qoobox\ComboFix4.txt 2007-12-31 15:24:22
.
2007-12-28 05:59:31 --- E O F ---
carynm is offline  
01-05-2008, 02:51 AM #42
Analyst, Security Team
 
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 722
OS: W2K SP4 + XP SP2 + Vista


Re: Computer infected, please help!

I'm glad you had a good time


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/206993-computer-infected-please-help-2.html
    Comment:: Katana
    Collect::[27]
    C:\WINDOWS\system32\wbem\9142\svchost.exe
    
    Suspect::[27]
    C:\WINDOWS\Fonts\diploma.zip
    C:\WINDOWS\system32\cflInfo.nt
    C:\WINDOWS\system32\wcbnurect.fl
    
    File::
    C:\WINDOWS\Fonts\diploma.zip
    C:\WINDOWS\system32\cflInfo.nt
    C:\WINDOWS\system32\wcbnurect.fl
  • Save this as CFScript.txt and place it on your desktop.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet; this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


RE: the compressed file that you have got for me, please do the following.

Go to spykiller

Please start a new thread and give the following information:
  • Name:-- Your name
  • E-mail:-- Your E-mail (this is confidential and will not be displayed)
  • Subject:-- Qoobox for Katana
In the main text window, please put the following link:
Computer infected, please help!
You may also add any comments you wish,
then press Attach and upload the zip/cab file that you created.

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files


Please can you post a fresh HJT along with the ComboFix log.

Katana is online now  
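Katana's CFScript above tells ComboFix which paths to delete (File::) and which file to quarantine for submission (Collect::); the log ComboFix produces afterwards lists what it actually removed under "Other Deletions" and what appeared since under the snapshot@ section. The following Python script is an added example, not ComboFix's or the forum's own tooling: it parses a CFScript and a ComboFix log (sample text constructed from lines quoted in this thread) to confirm every File:: target was removed, and flags any new svchost.exe outside \WINDOWS\system32, the pattern that resurfaces under a fresh numbered wbem folder in the next log.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example, not ComboFix's or the forum's own code; the sample inputs
below are constructed from lines quoted in the thread.
"""
import re

# Constructed sample: the script Katana posted (Suspect:: lines omitted).
CFSCRIPT = r"""
Comment:: Katana
Collect::[27]
C:\WINDOWS\system32\wbem\9142\svchost.exe

File::
C:\WINDOWS\Fonts\diploma.zip
C:\WINDOWS\system32\cflInfo.nt
C:\WINDOWS\system32\wcbnurect.fl
"""

# Constructed sample: excerpt of the ComboFix log posted after that script ran.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Fonts\diploma.zip
C:\WINDOWS\system32\cflInfo.nt
C:\WINDOWS\system32\wbem\9142\svchost.exe
C:\WINDOWS\system32\wcbnurect.fl
.
((((((((((((((((((((((((((((( snapshot@2005-12-28_13.28.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
+ 2008-01-05 14:17:20 519,168 ----a-w C:\WINDOWS\system32\wbem\5995\svchost.exe
+ 2008-01-05 14:17:29 232,960 ----a-w C:\WINDOWS\system32\wbem\uwdxggvnb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

DIRECTIVE_RE = re.compile(r"^[A-Za-z]+::")           # "File::", "Collect::[27]", ...
HEADER_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")  # "(((( Section Name ))))"
SNAPSHOT_RE = re.compile(r"^([+-])\s+\S+ \S+\s+([\d,]+)\s+\S+\s+(.+)$")  # sign date time size attrs path


def cfscript_files(text):
    """Return the paths listed under the CFScript ``File::`` directive."""
    files, in_file = [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if DIRECTIVE_RE.match(line):     # any directive starts a new section
            in_file = line == "File::"
        elif line and in_file:
            files.append(line)
    return files


def combofix_sections(text):
    """Split a ComboFix log into {section name: [body lines]}, dropping blank and "." lines."""
    sections, current = {}, None
    for line in (ln.rstrip() for ln in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def snapshot_entries(sections):
    """Parse the '+'/'-' lines of every snapshot@... section into (sign, size, path)."""
    out = []
    for name, lines in sections.items():
        if name.startswith("snapshot@"):
            for m in filter(None, map(SNAPSHOT_RE.match, lines)):
                out.append((m.group(1), int(m.group(2).replace(",", "")), m.group(3)))
    return out


def is_masquerade(path):
    """True for an svchost.exe anywhere but \\WINDOWS\\system32\\ itself: in this thread a
    copy under system32\\wbem\\9142\\ is collected and one under wbem\\5995\\ appears.
    Service-pack caches hold legitimate copies too, so hits are for analyst review."""
    p = path.lower()
    return p.endswith("\\svchost.exe") and not p.endswith("\\windows\\system32\\svchost.exe")


def check_script_against_log(cfscript, log):
    """Report File:: targets that were / were not removed, and new files masquerading as svchost."""
    sections = combofix_sections(log)
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    wanted = cfscript_files(cfscript)
    return {
        "deleted": [p for p in wanted if p.lower() in deleted],
        "not_deleted": [p for p in wanted if p.lower() not in deleted],
        "masquerades": [path for sign, _, path in snapshot_entries(sections)
                        if sign == "+" and is_masquerade(path)],
    }


if __name__ == "__main__":
    for key, paths in check_script_against_log(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{key}: {paths}")
```

Run against the thread's second log, every File:: target shows as deleted while the new wbem\5995\svchost.exe is flagged, which is what the analyst's next Collect:: line would need to target.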
01-05-2008, 09:25 AM #43
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Hi Katana,

Here's the new combofix log and the HTLog. I will go to the other forum and upload that file for you right now!




ComboFix 07-12-31.4 - Owner 2008-01-05 12:04:47.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Fonts\diploma.zip
C:\WINDOWS\system32\cflInfo.nt
C:\WINDOWS\system32\wcbnurect.fl
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\diploma.zip
C:\WINDOWS\system32\cflInfo.nt
C:\WINDOWS\system32\wbem\9142\svchost.exe
C:\WINDOWS\system32\wcbnurect.fl

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-01 16:25 . 2008-01-01 16:25 <DIR> d-------- C:\Program Files\Panda Security
2008-01-01 02:24 . 2008-01-01 02:24 12 --a------ C:\WINDOWS\0494ac5aa2.dll
2008-01-01 02:24 . 2008-01-05 09:17 0 --a------ C:\WINDOWS\system32\dnabeser.dat
2008-01-01 02:19 . 2008-01-05 12:14 416 --a------ C:\WINDOWS\system32\e8ae8279a2.dll
2007-12-31 23:14 . 2007-12-31 23:27 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-31 23:14 . 2007-12-31 23:27 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-31 23:13 . 2007-12-31 23:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-31 23:12 . 2008-01-05 12:17 4,376,096 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-31 23:12 . 2008-01-05 00:33 57,572 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-31 23:12 . 2008-01-05 12:16 42,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-31 23:12 . 2008-01-05 00:33 4,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-31 23:11 . 2007-12-31 23:11 <DIR> d-------- C:\KAV
2007-12-31 22:44 . 2007-12-31 22:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-31 22:44 . 2007-12-31 22:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-31 22:43 . 2007-12-31 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-31 18:50 . 2007-12-31 18:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-31 18:50 . 2008-01-05 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-31 18:21 . 2007-12-31 18:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-31 12:40 . 2007-12-31 12:40 130 --a------ C:\WINDOWS\system32\tablet.dat
2007-12-31 10:34 . 2007-12-31 10:34 <DIR> d--hs---- C:\Documents and Settings\NetworkService\UserData
2007-12-29 10:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 10:59 . 2007-12-28 10:59 <DIR> d-------- C:\Program Files\Windows Live
2007-12-28 10:59 . 2007-12-28 10:59 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-28 10:59 . 2005-12-28 13:22 <DIR> d-------- C:\Program Files\Incesoft
2007-12-28 10:59 . 2007-12-28 10:59 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-12-14 21:23 . 2007-12-27 14:19 <DIR> d-------- C:\Program Files\Evrsoft First Page 2006

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 04:07 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-12-28 15:51 --------- d-----w C:\Program Files\LimeWire
2007-12-28 15:51 --------- d-----w C:\Program Files\iWin.com
2007-12-26 01:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 13:50 --------- d-----w C:\Program Files\Java
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-02-06 21:01 6,252,136 ----a-w C:\Program Files\winzip100.exe
2005-12-07 18:47 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2005-12-28_13.28.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 19:37:26 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-07-18 19:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2007-12-31 21:18:02 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-31 23:22:00 5,484,544 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-31 23:22:00 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-31 21:18:02 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-31 23:21:46 5,484,544 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-12-31 23:21:46 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2005-08-26 18:10:33 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-05 00:14:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-08-26 18:10:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-05 00:14:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-26 18:10:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-05 00:14:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2008-01-01 04:28:41 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
+ 2008-01-05 14:17:20 519,168 ----a-w C:\WINDOWS\system32\wbem\5995\svchost.exe
+ 2008-01-05 14:17:29 232,960 ----a-w C:\WINDOWS\system32\wbem\uwdxggvnb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Washer"="C:\Program Files\Washer\washer.exe" [2001-06-22 15:29 722432]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"EPSON Stylus CX5000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.exe" [2006-10-18 06:01 143360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-06-03 13:01 496640 C:\WINDOWS\zHotkey.exe]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 17:18 135168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50 204800]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-22 16:29 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 14:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-07 13:57 155648]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 18:54 99480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-30 14:11:05]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-09-28 05:52:35]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-02-27 01:44:01]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-22 23:20:09]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe [2005-11-07 01:29]
S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe [2006-01-13 02:37]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 12:17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 12:19:27
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-05 17:19:15
C:\qoobox\ComboFix2.txt 2008-01-05 00:47:31
C:\qoobox\ComboFix3.txt 2008-01-01 07:26:00
C:\qoobox\ComboFix4.txt 2008-01-01 02:55:07
C:\qoobox\ComboFix5.txt 2007-12-31 15:24:22
.
2007-12-28 05:59:31 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:52 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /M "Stylus CX4800" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus CX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.EXE /FU "C:\WINDOWS\TEMP\E_SE2C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1193059601484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193059577453
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9860 bytes
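The HijackThis log above is read by hand in this thread; the same first pass can be scripted. The following is an added example, not code from the thread or from HijackThis: it parses O4 Run, Global Startup and O23 Service lines, and flags four things a helper looks for: entries whose target is "(file missing)", services with no company information, Run values with an unquoted path that contains spaces, and bare file names that are resolved through the search path. The sample lines are copied from the logs posted in this thread; the list of expected root directories and the wording of the findings are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, trimmed to a handful of lines so the example runs stand-alone.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# Either a quoted command, or an unquoted one up to the first executable-looking extension.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|bat|scr|dll))(?=\s|$)', re.IGNORECASE)

# Directories where autostart binaries on this XP box are expected. This is an
# assumption of the example; extend it for other installations.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4" or "O23"
    name: str      # entry name as shown in the log
    reason: str


def executable_of(cmd):
    """Split a Run value or service path into (executable, was_quoted)."""
    m = EXE_RE.match(cmd.strip())
    if m is None:
        return cmd.strip(), False
    if m.group("q") is not None:
        return m.group("q"), True
    return m.group("u"), False


def check_binary(section, name, exe, quoted, check_quoting):
    out = []
    if "\\" not in exe:
        # A bare file name is located through the search path, which an attacker
        # can satisfy with a same-named binary placed earlier in that path.
        out.append(Finding(section, name, f"relative path {exe!r}: resolved through the search path"))
        return out
    if check_quoting and " " in exe and not quoted:
        out.append(Finding(section, name, "unquoted path with spaces (CWE-428)"))
    if not exe.lower().startswith(STANDARD_ROOTS):
        out.append(Finding(section, name, f"binary outside the expected directories: {exe}"))
    return out


def audit(log_text):
    findings = []
    for line in log_text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        if "(file missing)" in line:
            # Applies to any section: the entry is still registered but its target is gone.
            findings.append(Finding(section, line, "orphaned entry: target no longer exists"))
        if (m := RUN_RE.match(line)) is not None:
            exe, quoted = executable_of(m["cmd"])
            findings += check_binary(section, m["name"], exe, quoted, check_quoting=True)
        elif (m := STARTUP_RE.match(line)) is not None:
            # A .lnk target is not a command line, so quoting is not meaningful here.
            exe, quoted = executable_of(m["cmd"])
            findings += check_binary(section, m["name"], exe, quoted, check_quoting=False)
        elif (m := SERVICE_RE.match(line)) is not None:
            if m["owner"] == "Unknown owner":
                findings.append(Finding(section, m["display"], "service binary carries no company information"))
            # HijackThis prints O23 paths without their original quoting (compare the quoted
            # O4 AVP entry with the unquoted O23 one), so only the location is checked here.
            exe, quoted = executable_of(m["path"])
            findings += check_binary(section, m["display"], exe, quoted, check_quoting=False)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HJT):
        print(f"{f.section:<4} {f.name[:40]:<40} {f.reason}")
```

A finding is a prompt to look, not a verdict: the Washer and AOL entries above are ordinary software, and an "Unknown owner" service only means HijackThis found no company string in the file. The value of the pass is that it leaves a short list for the analyst instead of sixty lines to eyeball.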
Old 01-05-2008, 09:43 AM   #44 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Hi Katana,

I uploaded that file for you at spykiller. I guess my computer is still infected. Now, instead of getting pop-ups, my window deselects and my mouse pointer disappears for a couple of seconds, then comes back. It does this quite often, then my window redirects to a Chinese website. It did that to me last night too. Just thought I would let you know. Thanks!
Caryn
Old 01-05-2008, 02:36 PM   #45 (permalink)
Analyst, Security Team
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 722
OS: W2K SP4 + XP SP2 + Vista


Re: Computer infected, please help!

Something is hiding, and it is doing a very good job of it.

ROOTKIT REVEALER

Please download Rootkit Revealer
Click >>> HERE <<<

Extract it to your desktop.

Double click the rootkitrevealer folder, and double-click rootkitrevealer.exe

Click the Scan button

Don't do anything while it's running

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them in your next reply.
Old 01-05-2008, 06:43 PM   #46 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Hi Katana,

Here is the log you requested. I sure hope we can figure this out! Do you think I should wait to log in at any website, other than this one? I changed all my passwords and don't want to have to do it again.

Thank you again for all the time you are spending on trying to fix my computer! I want you to know that we really appreciate it!

Caryn



HKU\.DEFAULT\Control Panel\International 1/5/2008 12:19 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 1/5/2008 12:19 PM 0 bytes Security mismatch.
HKU\S-1-5-21-1617645011-1538282379-3063462290-1003\Control Panel\International 1/5/2008 12:19 PM 0 bytes Security mismatch.
HKU\S-1-5-21-1617645011-1538282379-3063462290-1003\Control Panel\International\Geo 1/5/2008 12:19 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 1/5/2008 12:19 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 1/5/2008 12:19 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 5/12/2004 5:03 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/12/2004 5:03 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 12/1/2005 1:09 AM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\274.4F932EC001C8500A.history\00000000.bak 1/5/2008 9:21 PM 7.50 MB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\9ac.31856A4201C8500A.history 1/5/2008 9:16 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\e2c.2D168AEA01C8500A.history 1/5/2008 9:17 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\e2c.2D168AEA01C8500A.history\00000000.bak 1/5/2008 9:17 PM 570.88 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Cookies\owner@www.yahoo[1].txt 1/5/2008 9:21 PM 213 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Cookies\owner@www.yahoo[2].txt 1/5/2008 9:22 PM 212 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Cookies\owner@yahoo[2].txt 1/5/2008 9:20 PM 164 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF144B.tmp 1/5/2008 9:20 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF4531.tmp 1/5/2008 9:22 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3OADF5HD\sit88_com[1].htm 1/5/2008 9:22 PM 91.87 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AJQP8SUO\img1_1024[1].jpg 1/5/2008 9:21 PM 5.04 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AVQ738OH\spearsamb-sm[1].jpg 1/5/2008 9:21 PM 1.66 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AVQ738OH\yahoo_com[1].htm 1/5/2008 9:02 PM 113.33 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\K376JLCH\yahoo_com[1].htm 1/5/2008 9:22 PM 114.67 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MMH7YIRP\sit88_com[1].htm 1/5/2008 7:30 PM 91.87 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\cch~247ee15f0d.htp 1/5/2008 9:21 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\cch~247ee16aa2.htp 1/5/2008 9:21 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
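RootkitRevealer, the tool requested in the previous post, reports every discrepancy between what the Windows API shows and what it reads itself from the raw MFT and registry hives. A log like the one above therefore mixes three kinds of entry: keys that Windows itself creates with embedded nulls, files that were created or rewritten while the scan was running (browser cache, cookies, temp files, the antivirus's own history folder), and entries that actually need a closer look. The following is an added example, not part of the post or of RootkitRevealer, that parses the posted lines and sorts them into those three buckets, and lists the HTML page names found in the IE cache so they can be compared with the redirect the poster described. The benign allowlist, the 30-minute scan window and the list of volatile paths are assumptions of this example, not facts taken from the log.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a subset of the RootkitRevealer lines posted above.
SAMPLE_RKR = r"""
HKU\.DEFAULT\Control Panel\International 1/5/2008 12:19 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 5/12/2004 5:03 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/12/2004 5:03 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 12/1/2005 1:09 AM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\274.4F932EC001C8500A.history\00000000.bak 1/5/2008 9:21 PM 7.50 MB Hidden from Windows API.
C:\Documents and Settings\Owner\Cookies\owner@www.yahoo[2].txt 1/5/2008 9:22 PM 212 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF144B.tmp 1/5/2008 9:20 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3OADF5HD\sit88_com[1].htm 1/5/2008 9:22 PM 91.87 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\K376JLCH\yahoo_com[1].htm 1/5/2008 9:22 PM 114.67 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MMH7YIRP\sit88_com[1].htm 1/5/2008 7:30 PM 91.87 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\cch~247ee15f0d.htp 1/5/2008 9:21 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
"""

# One entry per line: <path> <M/D/YYYY> <H:MM AM|PM> <size> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) (?P<desc>.+)$")

# Analyst allowlist (an assumption of this example): discrepancies that belong to a
# stock Windows XP installation. Each rule is (path pattern, description pattern, note).
BENIGN_RULES = [
    (re.compile(r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*$"), re.compile("embedded nulls"),
     "LSA secret keys that Windows itself names with embedded nulls"),
]
# Locations that legitimately change while a scan runs: browser cache, cookies, temp
# files and the antivirus's own history folder (assumption of this example).
VOLATILE_RE = re.compile(r"\\(Temp|Cookies|Temporary Internet Files|PdmHist)\\", re.IGNORECASE)
# IE cache entries look like ...\Content.IE5\<folder>\<name>[n].htm
CACHE_RE = re.compile(r"\\Content\.IE5\\[^\\]+\\([^\\\[]+)\[\d+\]\.html?$", re.IGNORECASE)


@dataclass
class Entry:
    path: str
    stamp: datetime
    size: str
    desc: str


def parse(text):
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised RootkitRevealer line: " + line)
        entries.append(Entry(m["path"], datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M %p"),
                             m["size"], m["desc"]))
    return entries


def triage(entries, window=timedelta(minutes=30)):
    """Map each path to 'benign', 'transient' or 'review'.

    RootkitRevealer compares a Windows API view with a raw read of the MFT and the
    registry hives; a file created or rewritten between the two reads shows up in
    one view and not the other. The scan end is taken as the newest timestamp in
    the log, and volatile paths touched within `window` of it are treated as that
    kind of race rather than as something hiding.
    """
    scan_end = max(e.stamp for e in entries)
    verdict = {}
    for e in entries:
        if any(p.search(e.path) and d.search(e.desc) for p, d, _ in BENIGN_RULES):
            verdict[e.path] = "benign"
        elif VOLATILE_RE.search(e.path) and e.stamp >= scan_end - window:
            verdict[e.path] = "transient"
        else:
            verdict[e.path] = "review"
    return verdict


def cached_pages(entries):
    """Names of HTML pages seen in the IE cache, for correlating with reported redirects."""
    return sorted({m.group(1) for e in entries if (m := CACHE_RE.search(e.path)) is not None})


if __name__ == "__main__":
    entries = parse(SAMPLE_RKR)
    for path, bucket in triage(entries).items():
        print(f"{bucket:<9} {path}")
    print("cached pages:", ", ".join(cached_pages(entries)))
```

"review" means a helper should look, not that the entry is malicious: the two registry-only mismatches and the older sit88_com cache file land there because nothing in the log explains them, and that is exactly the short list worth asking about. Running the scan again with the browser and the antivirus idle is the usual way to make the "transient" bucket disappear and see whether anything persists.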
Old 01-06-2008, 05:05 AM   #47 (permalink)
Analyst, Security Team
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 722
OS: W2K SP4 + XP SP2 + Vista


Re: Computer infected, please help!

Don't worry, one way or another we WILL get this sorted.

We will clean all the temp files, and then run the latest version of ComboFix.


CCleaner
Please download CCleaner from here to clean temp files from your computer.
  • Double click on the ccsetup.exe file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location.
  • Under Install Options, choose all the default settings
  • Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    Deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items. Click on Issues and make sure Registry Integrity is UNchecked!
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • After CCleaner has completed its process, click Exit.

Download and Run ComboFix
  • Download Combofix from one of the links below :

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper


If possible, do not shut down or reboot your machine between fixes, as some malware can change names at reboot.
( if a tool we run reboots, that is fine )
Old 01-06-2008, 08:34 AM   #48 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Hi Katana,

I cleaned the temp files and have posted the new combofix log and HJThis log. Hope things are better! The computer seems to be running faster. I hope that's a good sign!

Caryn


ComboFix 08-01-06.5 - Owner 2008-01-06 11:21:36.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.215 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 10:27 . 2008-01-06 10:27 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 08:30 . 2008-01-06 08:30 72 --a------ C:\WINDOWS\system32\cflInfo.nt
2008-01-05 12:49 . 2008-01-06 10:52 199 --a------ C:\WINDOWS\system32\wcbnurect.fl
2008-01-01 16:25 . 2008-01-01 16:25 <DIR> d-------- C:\Program Files\Panda Security
2008-01-01 02:24 . 2008-01-01 02:24 12 --a------ C:\WINDOWS\0494ac5aa2.dll
2008-01-01 02:24 . 2008-01-05 09:17 0 --a------ C:\WINDOWS\system32\dnabeser.dat
2008-01-01 02:19 . 2008-01-06 11:24 264 --a------ C:\WINDOWS\system32\e8ae8279a2.dll
2007-12-31 23:14 . 2007-12-31 23:27 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-31 23:14 . 2007-12-31 23:27 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-31 23:13 . 2007-12-31 23:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-31 23:12 . 2008-01-06 11:24 5,173,536 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-31 23:12 . 2008-01-06 00:14 66,188 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-31 23:12 . 2008-01-06 11:25 63,008 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-31 23:12 . 2008-01-06 00:14 6,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-31 23:11 . 2007-12-31 23:11 <DIR> d-------- C:\KAV
2007-12-31 22:44 . 2007-12-31 22:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-31 22:44 . 2007-12-31 22:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-31 22:43 . 2007-12-31 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-31 18:50 . 2007-12-31 18:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-31 18:50 . 2008-01-06 08:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-31 18:21 . 2007-12-31 18:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-31 12:40 . 2007-12-31 12:40 130 --a------ C:\WINDOWS\system32\tablet.dat
2007-12-31 10:34 . 2007-12-31 10:34 <DIR> d--hs---- C:\Documents and Settings\NetworkService\UserData
2007-12-29 10:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 10:59 . 2007-12-28 10:59 <DIR> d-------- C:\Program Files\Windows Live
2007-12-28 10:59 . 2007-12-28 10:59 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-28 10:59 . 2005-12-28 13:22 <DIR> d-------- C:\Program Files\Incesoft
2007-12-28 10:59 . 2007-12-28 10:59 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-12-14 21:23 . 2007-12-27 14:19 <DIR> d-------- C:\Program Files\Evrsoft First Page 2006

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 04:07 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-12-28 15:51 --------- d-----w C:\Program Files\LimeWire
2007-12-28 15:51 --------- d-----w C:\Program Files\iWin.com
2007-12-26 01:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 13:50 --------- d-----w C:\Program Files\Java
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-02-06 21:01 6,252,136 ----a-w C:\Program Files\winzip100.exe
2005-12-07 18:47 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2005-12-28_13.28.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 19:37:26 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-07-18 19:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2007-12-31 21:18:02 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-31 23:22:00 5,484,544 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-31 23:22:00 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-31 21:18:02 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-31 23:21:46 5,484,544 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-12-31 23:21:46 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2005-08-26 18:10:33 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-05 00:14:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-08-26 18:10:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-05 00:14:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-26 18:10:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-05 00:14:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2008-01-01 04:28:41 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
+ 2008-01-05 14:17:20 519,168 ----a-w C:\WINDOWS\system32\wbem\5995\svchost.exe
+ 2008-01-05 14:17:29 232,960 ----a-w C:\WINDOWS\system32\wbem\uwdxggvnb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Washer"="C:\Program Files\Washer\washer.exe" [2001-06-22 15:29 722432]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"EPSON Stylus CX5000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.exe" [2006-10-18 06:01 143360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-06-03 13:01 496640 C:\WINDOWS\zHotkey.exe]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 17:18 135168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50 204800]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-22 16:29 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 14:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-07 13:57 155648]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 18:54 99480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-30 14:11:05]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-09-28 05:52:35]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-02-27 01:44:01]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-22 23:20:09]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe [2005-11-07 01:29]
S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe [2006-01-13 02:37]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 11:25:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-01-06 11:26:37
ComboFix-quarantined-files.txt 2008-01-06 16:26:21
ComboFix2.txt 2008-01-05 17:19:28
ComboFix3.txt 2008-01-05 00:47:31
ComboFix4.txt 2008-01-01 07:26:00
ComboFix5.txt 2008-01-01 02:55:07
.
2007-12-28 05:59:31 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:16 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Washer\washer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files