#1 (permalink) |
Registered User
Join Date: Jun 2008
Posts: 5
OS: XP SP2
A little help please.
Got something last week, it seems, while searching on my computer to find a solution to fix a problem with my wife's computer. I don't use IE, so I knew when it popped up the first time that something was wrong. IE was popping up all the time; after I closed it, it would pop up again a minute later. I even tried to move, rename, and delete IE, but whenever I did it would find its way back. Ran anti-spyware programs and some anti-virus ones but haven't gotten everything.
Right now I have it so that things seem to be running ok, but I know it's still there and it is only a matter of time before it starts attacking me again.

Deckard's System Scanner v20071014.68
Run by Kevin on 2008-06-22 15:15:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
115: 2008-06-22 20:15:22 UTC - RP273 - Deckard's System Scanner Restore Point
114: 2008-06-22 08:08:36 UTC - RP272 - System Checkpoint
113: 2008-06-21 08:00:24 UTC - RP271 - Software Distribution Service 3.0
112: 2008-06-20 23:42:05 UTC - RP270 - Installed AVG Free 8.0
111: 2008-06-20 23:30:41 UTC - RP269 - Avira AntiVir Personal - 6/20/2008 18:30

-- First Restore Point --
1: 2008-06-15 20:55:58 UTC - RP159 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-22 15:16:40
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.0.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kevin\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsaskew.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5mept_ms/157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsaskew.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - C:\WINDOWS\system32\yayVOGxy.dll (file missing)
O2 - BHO: {951104c6-759f-9c89-4df4-b15467165cb1} - {1bc56176-451b-4fd4-98c9-f9576c401159} - C:\WINDOWS\system32\ikdtalag.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6896AA8F-D206-4839-8696-75A5434A1A27} - C:\WINDOWS\system32\yaywtRiI.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMe333d2f0] Rundll32.exe "C:\WINDOWS\system32\skwjluik.dll",s
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://merillat.view22.com/release_3...iew22RTEv4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: kitcad2 - {BDC75F00-714C-11D4-A28A-40BD04C10008} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: yayVOGxy - C:\WINDOWS\system32\yayVOGxy.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\incdsrv.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470 service
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7866 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 slntamrr - c:\windows\system32\drivers\slntamrr.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 hardlock - c:\windows\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>

S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt92>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S4 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\444.470 service (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-18 19:56:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-05-22 and 2008-06-22 -----------------------------

2008-06-21 01:50:07 0 d--h----- C:\$AVG8.VAULT$
2008-06-20 21:47:29 0 d-------- C:\Documents and Settings\Kristen\Application Data\AVGTOOLBAR
2008-06-20 18:42:19 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-20 18:42:19 0 d-------- C:\Documents and Settings\Kevin\Application Data\AVGTOOLBAR
2008-06-20 18:42:06 0 d-------- C:\Program Files\AVG
2008-06-20 18:42:05 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 18:17:06 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-06-20 08:40:10 80384 --a------ C:\WINDOWS\system32\lefbxmoa.dll
2008-06-20 08:34:50 90112 --a------ C:\WINDOWS\system32\skwjluik.dll
2008-06-20 08:34:10 740788 --ahs---- C:\WINDOWS\system32\xbLUFfhk.ini2
2008-06-20 08:34:02 322048 --a------ C:\WINDOWS\system32\khfFULbx.dll
2008-06-20 00:21:12 90112 --a------ C:\WINDOWS\system32\nymoeeoh.dll
2008-06-19 21:42:33 90112 --a------ C:\WINDOWS\system32\bgcnxeof.dll
2008-06-18 23:48:42 0 d-------- C:\ZonedOut
2008-06-18 18:34:12 0 d-------- C:\ie-spyad_zo
2008-06-18 18:25:42 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-18 18:25:34 0 d-------- C:\Program Files\SpywareBlaster
2008-06-17 21:54:16 0 d-------- C:\Program Files\Panda Security
2008-06-15 19:53:00 0 d-------- C:\Program Files\Lavasoft
2008-06-15 19:52:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-15 19:51:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 19:38:13 424448 --a------ C:\iexplore.exe <Not Verified; Microsoft Corporation; Microsoft Picture It! 10>
2008-06-15 16:26:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-15 16:25:18 0 dr-h----- C:\Documents and Settings\Kevin\Recent
2008-06-15 16:21:03 0 d-------- C:\Program Files\CCleaner
2008-06-15 16:06:07 13824 --a------ C:\WINDOWS\y.exe
2008-06-15 16:06:06 9984 --a------ C:\WINDOWS\xplugin.dll
2008-06-15 16:06:06 31744 --a------ C:\WINDOWS\x.exe
2008-06-15 16:06:06 32256 --a------ C:\WINDOWS\winmgnt.exe
2008-06-15 16:06:05 31232 --a------ C:\WINDOWS\window.exe
2008-06-15 16:06:05 23040 --a------ C:\WINDOWS\winajbm.dll
2008-06-15 16:06:05 17920 --a------ C:\WINDOWS\win64.exe
2008-06-15 16:06:05 9216 --a------ C:\WINDOWS\win32e.exe
2008-06-15 16:06:05 20480 --a------ C:\WINDOWS\waol.exe
2008-06-15 16:06:05 23296 --a------ C:\WINDOWS\users32.exe
2008-06-15 16:06:04 19712 --a------ C:\WINDOWS\time.exe
2008-06-15 16:06:04 24320 --a------ C:\WINDOWS\systemcritical.exe
2008-06-15 16:06:04 29184 --a------ C:\WINDOWS\systeem.exe
2008-06-15 16:06:04 15360 --a------ C:\WINDOWS\svcinit.exe
2008-06-15 16:06:04 14080 --a------ C:\WINDOWS\svchost32.exe
2008-06-15 16:06:04 23040 --a------ C:\WINDOWS\sistem.exe
2008-06-15 16:06:04 14848 --a------ C:\WINDOWS\searchword.dll
2008-06-15 16:06:03 11264 --a------ C:\WINDOWS\rundll16.exe
2008-06-15 16:06:03 8704 --a------ C:\WINDOWS\quicken.exe
2008-06-15 16:06:03 14336 --a------ C:\WINDOWS\qttasks.exe
2008-06-15 16:06:03 30464 --a------ C:\WINDOWS\olehelp.exe
2008-06-15 16:06:03 20992 --a------ C:\WINDOWS\notepad32.exe
2008-06-15 16:06:03 19712 --a------ C:\WINDOWS\mtwirl32.dll
2008-06-15 16:06:02 21248 --a------ C:\WINDOWS\mswsc20.dll
2008-06-15 16:06:02 21248 --a------ C:\WINDOWS\mswsc10.dll
2008-06-15 16:06:02 27392 --a------ C:\WINDOWS\msupdate.exe
2008-06-15 16:06:01 20736 --a------ C:\WINDOWS\msspi.dll
2008-06-15 16:06:01 19200 --a------ C:\WINDOWS\msconfd.dll
2008-06-15 16:06:01 15360 --a------ C:\WINDOWS\loader.exe
2008-06-15 16:06:01 8704 --a------ C:\WINDOWS\internet.exe
2008-06-15 16:06:01 25600 --a------ C:\WINDOWS\inetinf.exe
2008-06-15 16:06:01 15616 --a------ C:\WINDOWS\iexplorer.exe
2008-06-15 16:06:01 23296 --a------ C:\WINDOWS\iedll.exe
2008-06-15 16:06:01 14848 --a------ C:\WINDOWS\helpcvs.exe
2008-06-15 16:06:01 12544 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-15 16:06:01 18944 --a------ C:\WINDOWS\funny.exe
2008-06-15 16:06:00 30976 --a------ C:\WINDOWS\funniest.exe
2008-06-15 16:06:00 20736 --a------ C:\WINDOWS\explorer32.exe
2008-06-15 16:06:00 8960 --a------ C:\WINDOWS\explore.exe
2008-06-15 16:06:00 24832 --a------ C:\WINDOWS\editpad.exe
2008-06-15 16:06:00 13312 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-15 16:06:00 14592 --a------ C:\WINDOWS\directx32.exe
2008-06-15 16:06:00 11776 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-15 16:06:00 23552 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-15 16:05:59 32000 --a------ C:\WINDOWS\cpan.dll
2008-06-15 16:05:59 23808 --a------ C:\WINDOWS\clrssn.exe
2008-06-15 16:05:59 9984 --a------ C:\WINDOWS\avpcc.dll
2008-06-15 16:05:59 12032 --a------ C:\WINDOWS\accesss.exe
2008-06-15 15:55:48 729108 --ahs---- C:\WINDOWS\system32\IiRtwyay.ini2
2008-06-15 15:51:13 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-15 15:51:12 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-15 15:51:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-06-15 15:51:00 0 d--hs---- C:\WINDOWS\S2V2aW4
2008-06-15 15:50:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\HPAppData
2008-06-15 15:50:58 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-15 15:50:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-15 15:50:49 86144 -----n--- C:\WINDOWS\system32\drivers\slntamrr.sys
2008-06-15 15:50:47 0 d-------- C:\WINDOWS\system32\pb109
2008-06-15 15:50:47 0 d-------- C:\WINDOWS\system32\dgi
2008-06-15 15:50:47 0 d-------- C:\WINDOWS\system32\3039a
2008-06-15 15:50:41 0 d-------- C:\WINDOWS\system32\netrax01
2008-06-15 15:50:41 0 d-------- C:\Temp
2008-06-08 13:28:17 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-06-08 13:26:56 265216 --a------ C:\WINDOWS\system32\NVIEWLIB.DLL <Not Verified; K. Nishita; NishitaViewer Library 1.1.4>
2008-06-08 13:26:56 352256 --a------ C:\WINDOWS\system32\ijl15.dll <Not Verified; Intel Corporation; Intel® JPEG Library>
2008-06-08 13:26:56 0 d-------- C:\Program Files\Kitchen Designs for Everyone
2008-06-08 11:35:14 908800 --a------ C:\WINDOWS\system32\CP3245MT.DLL <Not Verified; Inprise Corporation; Borland C++ Builder 4.0>
2008-06-08 11:35:14 24064 --a------ C:\WINDOWS\system32\BORLNDMM.DLL <Not Verified; Inprise Corporation; Borland Memory Manager>
2008-06-08 11:35:12 0 d-------- C:\Program Files\Kitchen
2008-06-08 11:35:12 0 d-------- C:\Program Files\Common Files\Borland Shared
2008-06-08 11:35:07 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-08 11:34:17 38908 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-08 11:22:50 0 d-------- C:\Program Files\View22
2008-06-08 11:17:42 0 d-------- C:\Program Files\Safari
2008-06-08 11:17:25 0 d-------- C:\Program Files\Bonjour
2008-06-08 10:36:30 0 d-------- C:\Documents and Settings\All Users\Application Data\View22
2008-05-31 17:53:44 0 d-------- C:\Program Files\Coupons
2008-05-30 19:48:16 0 d-------- C:\Star Wars - Episode I.I - The Phantom Edit
2008-05-27 23:52:34 0 d-------- C:\Program Files\PixiePack Codec Pack
2008-05-27 22:58:21 0 d-------- C:\Documents and Settings\Kevin\Application Data\Tunebite
2008-05-27 22:57:26 0 d-------- C:\Program Files\RapidSolution
2008-05-27 22:57:26 0 d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution

-- Find3M Report ---------------------------------------------------------------

2008-06-15 19:51:49 0 d-------- C:\Program Files\Common Files
2008-06-15 12:01:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-08 13:26:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 11:18:11 0 d-------- C:\Documents and Settings\Kevin\Application Data\Apple Computer
2008-06-08 10:32:09 0 d-------- C:\Documents and Settings\Kevin\Application Data\Yahoo!
2008-05-31 16:02:50 0 d-------- C:\Program Files\Microsoft Digital Image 10
2008-05-15 16:13:31 0 d-------- C:\Program Files\SmartFTP Client
2008-05-15 16:13:10 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-05-05 22:44:51 6656 --a------ C:\WINDOWS\system32\haspvdd.dll <Not Verified; Aladdin Knowledge Systems.; Windows NT HASP Virtual Device Driver>
2008-05-05 22:44:51 383 --a------ C:\WINDOWS\system32\haspdos.sys
2008-05-05 22:43:49 0 d-------- C:\Program Files\DivX
2008-05-05 22:42:10 0 d-------- C:\Program Files\Common Files\Canopus Shared
2008-05-05 22:42:08 0 d-------- C:\Program Files\Canopus
2008-05-05 22:35:48 0 d-------- C:\Documents and Settings\Kevin\Application Data\Canopus
2008-05-01 14:38:46 0 d-------- C:\Program Files\Real
2008-05-01 14:38:27 0 d-------- C:\Program Files\MSN Messenger
2008-04-29 10:41:25 0 d-------- C:\Program Files\Recuva
2008-04-29 10:29:37 0 d-------- C:\Program Files\Data Doctor Recovery FAT+NTFS (Demo)
2008-04-23 01:08:04 0 d-------- C:\Program Files\Zune
2008-04-22 23:58:04 0 d-------- C:\Program Files\DVD Decrypter

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
03/02/2007 05:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13F20E4F-F379-41EA-8F80-CCAAE787362A}]
C:\WINDOWS\system32\yayVOGxy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1bc56176-451b-4fd4-98c9-f9576c401159}]
C:\WINDOWS\system32\ikdtalag.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6896AA8F-D206-4839-8696-75A5434A1A27}]
C:\WINDOWS\system32\yaywtRiI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/20/2008 06:42 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/20/2008 06:42 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [09/03/2003 05:25 PM C:\WINDOWS\system32\sstray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/04/2004 09:29 AM]
"BMe333d2f0"="C:\WINDOWS\system32\skwjluik.dll" [06/20/2008 08:34 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [5/1/2004 1:09:15 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{13F20E4F-F379-41EA-8F80-CCAAE787362A}"= C:\WINDOWS\system32\yayVOGxy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayVOGxy]
yayVOGxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yaywtRiI

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe333d2f0]
Rundll32.exe "C:\WINDOWS\system32\skwjluik.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e000e16c]
rundll32.exe "C:\WINDOWS\system32\lefbxmoa.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]
"C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\eMachines Bay Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsSecurity1.209.4"=2 (0x2)
"InCDsrv"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe

-- End of Deckard's System Scanner: finished at 2008-06-22 15:17:35 ------------
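A log of this size is not read top to bottom. The usual first pass looks at a handful of load points: the Winlogon Userinit value (only userinit.exe belongs there), Winlogon Notify packages, the LSA "Authentication Packages" value in the registry dump, services with no publisher, and any BHO or Run key that loads an eight-letter, digit-free binary out of system32. The script below is an added example, not part of the original post and not code from HijackThis or Deckard's System Scanner. It runs those checks over lines excerpted from the log above (the HijackThis-format entries plus the Authentication Packages line from the registry dump). The rule names, the eight-letter-name regex and the userinit.exe allowlist are my own heuristics tuned to this log, not a general signature set.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Lines excerpted from the Deckard's System Scanner log in this post: the
# HijackThis-format entries plus the LSA "Authentication Packages" value from
# the registry dump. Copied from the log above, not constructed.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - C:\WINDOWS\system32\yayVOGxy.dll (file missing)
O2 - BHO: {951104c6-759f-9c89-4df4-b15467165cb1} - {1bc56176-451b-4fd4-98c9-f9576c401159} - C:\WINDOWS\system32\ikdtalag.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMe333d2f0] Rundll32.exe "C:\WINDOWS\system32\skwjluik.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: yayVOGxy - C:\WINDOWS\system32\yayVOGxy.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470 service
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yaywtRiI
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


ENTRY = re.compile(r"([RFO]\d+) - (.*)")
# Heuristic (my own, tuned to this log): eight-letter, digit-free basenames
# under system32, the naming pattern of yayVOGxy, ikdtalag, skwjluik and
# iftuyszv here. Legitimate eight-letter system binaries go on the allowlist.
RANDOM_NAME = re.compile(r"c:\\windows\\system32\\([a-z]{8})\.(dll|exe)", re.IGNORECASE)
ALLOWLIST = {"userinit.exe"}


def triage(log: str) -> list[Finding]:
    """Apply a handful of load-point checks to HJT/DSS lines and return the hits."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # DSS registry dump: on a standalone XP box LSA should list only msv1_0.
        if line.startswith('"Authentication Packages"='):
            pkgs = line.split("=", 1)[1].split()
            if any(p.lower() != "msv1_0" for p in pkgs):
                findings.append(Finding("lsa-auth-package-extra", line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        # Winlogon Userinit must be exactly userinit.exe; anything after the comma runs at every logon.
        if code == "F2" and "UserInit=" in body:
            programs = [p for p in body.split("UserInit=", 1)[1].split(",") if p]
            if len(programs) > 1:
                findings.append(Finding("userinit-extra", line))
        # Winlogon Notify package whose DLL is gone: orphaned registration, still worth removing.
        if code == "O20" and "Winlogon Notify" in body and "(file missing)" in body:
            findings.append(Finding("winlogon-notify-missing", line))
        # Service with no publisher string; here it also points at a path that is not a real binary.
        if code == "O23" and "Unknown owner" in body:
            findings.append(Finding("service-unknown-owner", line))
        # Task Manager disabled by policy on a home machine is classic malware self-defence.
        if code == "O7" and "DisableTaskMgr=1" in body:
            findings.append(Finding("taskmgr-disabled", line))
        # Random-looking binary in system32 referenced from any load point (BHO, Run, Notify, Userinit).
        for hit in RANDOM_NAME.finditer(body):
            name = f"{hit.group(1)}.{hit.group(2)}".lower()
            if name not in ALLOWLIST:
                findings.append(Finding("random-name-system32", line))
                break
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule: a quick 'how bad is it' before reading the lines."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.line}")
    print(summarize(hits))
```

Run as-is it prints one line per hit. Two caveats worth keeping in mind: "(file missing)" means the registry reference outlived the DLL, so those entries are cleanup rather than proof of a live infection, and an allowlist this small will eventually flag a legitimate eight-letter binary, so every hit still needs a publisher or hash check before anything is deleted.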
#2 (permalink) |
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 3,210
OS: XP
Re: A little help please.
Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear: a lack of symptoms does not mean that it is no longer present.

Please do not attach logs to your posts unless you are advised to do so.

========

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

=========

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Viewpoint Media Player <---- Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
Additional Information Here and Here

=========

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

=========

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

=========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==========

Logs Required
Report.txt
C:\Combofix.txt
Hijackthis Log
__________________
Member of ASAP since 2007
Member of UNITE since 2008
**Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008: for more information please visit the No DPI website. Phorm, previously known as 121Media, were responsible for the Apropos rootkit; see Here for more information on said rootkit.
If we have helped you in any way, please consider Donating
#3 (permalink) |
Registered User
Join Date: Jun 2008
Posts: 5
OS: XP SP2
Re: A little help please.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:19 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsaskew.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsaskew.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5mept_ms/157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: {951104c6-759f-9c89-4df4-b15467165cb1} - {1bc56176-451b-4fd4-98c9-f9576c401159} - C:\WINDOWS\system32\ikdtalag.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6896AA8F-D206-4839-8696-75A5434A1A27} - C:\WINDOWS\system32\yaywtRiI.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 -
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://merillat.view22.com/release_3...iew22RTEv4.cab O18 - Protocol: kitcad2 - {BDC75F00-714C-11D4-A28A-40BD04C10008} - (no file) O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 6419 bytes ComboFix 08-06-20.4 - Kevin 2008-06-25 22:55:14.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.576 [GMT -5:00] Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Kevin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . 
C:\WINDOWS\BMe333d2f0.xml C:\WINDOWS\cookies.ini C:\WINDOWS\mainms.vpi C:\WINDOWS\pskt.ini C:\WINDOWS\system32\aomxbfel.ini C:\WINDOWS\system32\AutoRun.inf C:\WINDOWS\system32\cwfdwyht.ini C:\WINDOWS\system32\dldcyuuk.ini C:\WINDOWS\system32\dpumxdni.ini C:\WINDOWS\system32\drivers\slntamrr.sys C:\WINDOWS\system32\dxeucwxk.ini C:\WINDOWS\system32\IiRtwyay.ini C:\WINDOWS\system32\IiRtwyay.ini2 C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\nbtoudhe.ini C:\WINDOWS\system32\qetsktde.ini C:\WINDOWS\system32\vaivnjkb.ini C:\WINDOWS\system32\xbLUFfhk.ini C:\WINDOWS\system32\xbLUFfhk.ini2 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_CMDSERVICE -------\Legacy_SLNTAMRR -------\Service_slntamrr ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . SDFix: Version 1.197 Run by Kevin on Wed 06/25/2008 at 09:19 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Name : MsSecurity1.209.4 Path : C:\WINDOWS\444.470 service MsSecurity1.209.4 - Deleted Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\Documents and Settings\Kevin\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk - Deleted C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted C:\Temp\1cb\syscheck.log - Deleted C:\WINDOWS\x.exe - Deleted C:\WINDOWS\y.exe - Deleted C:\iexplore.exe - Deleted C:\WINDOWS\accesss.exe - Deleted C:\WINDOWS\astctl32.ocx - Deleted C:\WINDOWS\avpcc.dll - Deleted C:\WINDOWS\clrssn.exe - Deleted C:\WINDOWS\cpan.dll - Deleted C:\WINDOWS\ctfmon32.exe - Deleted C:\WINDOWS\ctrlpan.dll - Deleted C:\WINDOWS\default.htm - Deleted C:\WINDOWS\directx32.exe - Deleted C:\WINDOWS\dnsrelay.dll - Deleted 
C:\WINDOWS\editpad.exe - Deleted C:\WINDOWS\explore.exe - Deleted C:\WINDOWS\explorer32.exe - Deleted C:\WINDOWS\funniest.exe - Deleted C:\WINDOWS\funny.exe - Deleted C:\WINDOWS\gfmnaaa.dll - Deleted C:\WINDOWS\helpcvs.exe - Deleted C:\WINDOWS\iedll.exe - Deleted C:\WINDOWS\iexplorer.exe - Deleted C:\WINDOWS\inetinf.exe - Deleted C:\WINDOWS\internet.exe - Deleted C:\WINDOWS\loader.exe - Deleted C:\WINDOWS\megavid.cdt - Deleted C:\WINDOWS\msconfd.dll - Deleted C:\WINDOWS\msspi.dll - Deleted C:\WINDOWS\msupdate.exe - Deleted C:\WINDOWS\mswsc10.dll - Deleted C:\WINDOWS\mswsc20.dll - Deleted C:\WINDOWS\mtwirl32.dll - Deleted C:\WINDOWS\muotr.so - Deleted C:\WINDOWS\notepad32.exe - Deleted C:\WINDOWS\olehelp.exe - Deleted C:\WINDOWS\qttasks.exe - Deleted C:\WINDOWS\quicken.exe - Deleted C:\WINDOWS\rundll16.exe - Deleted C:\WINDOWS\rundll32.vbe - Deleted C:\WINDOWS\searchword.dll - Deleted C:\WINDOWS\sistem.exe - Deleted C:\WINDOWS\svchost32.exe - Deleted C:\WINDOWS\svcinit.exe - Deleted C:\WINDOWS\systeem.exe - Deleted C:\WINDOWS\systemcritical.exe - Deleted C:\WINDOWS\system32\pac.txt - Deleted C:\WINDOWS\time.exe - Deleted C:\WINDOWS\users32.exe - Deleted C:\WINDOWS\waol.exe - Deleted C:\WINDOWS\win32e.exe - Deleted C:\WINDOWS\win64.exe - Deleted C:\WINDOWS\winajbm.dll - Deleted C:\WINDOWS\window.exe - Deleted C:\WINDOWS\winmgnt.exe - Deleted C:\WINDOWS\xplugin.dll - Deleted C:\WINDOWS\xxxvideo.hta - Deleted Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed Folder C:\Temp\1cb - Removed Folder C:\Temp\tn3 - Removed Folder C:\WINDOWS\system32\netrax01 - Removed Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-25 22:17:41 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... 
scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader" "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM" "C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour" "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe" "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program 
Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe" "C:\\Documents and Settings\\Kevin\\Desktop\\dss.exe"="C:\\Documents and Settings\\Kevin\\Desktop\\dss.exe:*:Enabled:dss.exe" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" Remaining Files : C:\WINDOWS\system32\drivers\core.cache.dsk Found File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Tue 5 Mar 2002 106,564 A..H. --- "C:\Program Files\CompuServe 7.0\csphx.exe" Tue 5 Mar 2002 32,840 A..H. --- "C:\Program Files\CompuServe 7.0\cstray.exe" Tue 5 Mar 2002 40,960 A..H. --- "C:\Program Files\CompuServe 7.0\RBM.exe" Tue 5 Mar 2002 180,288 A..H. --- "C:\Program Files\CompuServe 7.0\wcs2000.exe" Tue 5 Mar 2002 77,894 A..H. --- "C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe" Sat 16 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Tue 6 Apr 2004 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll" Wed 12 Dec 2001 102,400 A..H. --- "C:\Program Files\Common Files\csshare\shell\us\shellext.dll" Finished! |
#4
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 3,210
OS: XP
Re: A little help please.
Please post the Combofix log in its entirety.
__________________
Member of ASAP since 2007. Member of UNITE since 2008. **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008. For more information please visit the No DPI website. Phorm, previously known as 121Media, were responsible for the Apropos rootkit; see Here for more information on said rootkit. If we have helped you in any way, please consider Donating.
#5
Registered User
Join Date: Jun 2008
Posts: 5
OS: XP SP2
Re: A little help please.
ComboFix 08-06-20.4 - Kevin 2008-06-25 22:55:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.576 [GMT -5:00] Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Kevin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\BMe333d2f0.xml C:\WINDOWS\cookies.ini C:\WINDOWS\mainms.vpi C:\WINDOWS\pskt.ini C:\WINDOWS\system32\aomxbfel.ini C:\WINDOWS\system32\AutoRun.inf C:\WINDOWS\system32\cwfdwyht.ini C:\WINDOWS\system32\dldcyuuk.ini C:\WINDOWS\system32\dpumxdni.ini C:\WINDOWS\system32\drivers\slntamrr.sys C:\WINDOWS\system32\dxeucwxk.ini C:\WINDOWS\system32\IiRtwyay.ini C:\WINDOWS\system32\IiRtwyay.ini2 C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\nbtoudhe.ini C:\WINDOWS\system32\qetsktde.ini C:\WINDOWS\system32\vaivnjkb.ini C:\WINDOWS\system32\xbLUFfhk.ini C:\WINDOWS\system32\xbLUFfhk.ini2 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_CMDSERVICE -------\Legacy_SLNTAMRR -------\Service_slntamrr ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . 2008-06-25 22:14 . 2008-06-25 22:14 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk 2008-06-25 21:13 . 2008-06-25 21:13 <DIR> d-------- C:\WINDOWS\ERUNT 2008-06-25 21:10 . 2008-06-25 22:22 <DIR> d-------- C:\SDFix 2008-06-25 19:35 . 2008-06-25 19:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-06-22 16:58 . 2008-06-22 16:58 <DIR> d-------- C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit 2008-06-22 15:14 . 2008-06-22 15:14 <DIR> d-------- C:\Deckard 2008-06-22 11:06 . 2008-06-22 11:15 77,448,657 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part43.rar 2008-06-22 02:02 . 
2008-06-22 02:13 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part41.rar 2008-06-21 22:07 . 2008-06-21 22:19 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part42.rar 2008-06-21 01:50 . 2008-06-24 04:11 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-06-20 21:47 . 2008-06-21 02:08 <DIR> d-------- C:\Documents and Settings\Kristen\Application Data\AVGTOOLBAR 2008-06-20 18:42 . 2008-06-25 19:21 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg 2008-06-20 18:42 . 2008-06-20 18:42 <DIR> d-------- C:\Program Files\AVG 2008-06-20 18:42 . 2008-06-20 18:51 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\AVGTOOLBAR 2008-06-20 18:42 . 2008-06-20 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8 2008-06-20 18:42 . 2008-06-20 18:42 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys 2008-06-20 18:42 . 2008-06-20 18:42 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys 2008-06-20 18:42 . 2008-06-20 18:42 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll 2008-06-20 08:40 . 2008-06-20 08:40 80,384 --a------ C:\WINDOWS\system32\lefbxmoa.dll 2008-06-20 08:34 . 2008-06-20 08:34 322,048 --a------ C:\WINDOWS\system32\khfFULbx.dll 2008-06-20 08:30 . 2008-06-20 08:41 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part40.rar 2008-06-20 00:21 . 2008-06-20 00:21 90,112 --a------ C:\WINDOWS\system32\nymoeeoh.dll 2008-06-19 22:41 . 2008-06-19 22:52 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part39.rar 2008-06-19 21:42 . 2008-06-19 21:42 90,112 --a------ C:\WINDOWS\system32\bgcnxeof.dll 2008-06-19 20:21 . 2008-06-19 20:32 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part38.rar 2008-06-19 12:53 . 2008-06-19 13:04 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part37.rar 2008-06-19 00:52 . 2008-06-19 01:03 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part36.rar 2008-06-18 23:48 . 
2008-06-19 00:05 <DIR> d-------- C:\ZonedOut 2008-06-18 20:48 . 2008-06-18 20:59 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part35.rar 2008-06-18 18:34 . 2008-06-18 18:34 <DIR> d-------- C:\ie-spyad_zo 2008-06-18 18:25 . 2008-06-21 00:44 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-18 18:25 . 2008-06-21 00:50 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-17 22:28 . 2008-06-17 22:40 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part34.rar 2008-06-17 21:54 . 2008-06-17 21:55 <DIR> d-------- C:\Program Files\Panda Security 2008-06-17 21:43 . 2008-06-21 23:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-06-17 21:43 . 2008-06-17 21:43 1,409 --a------ C:\WINDOWS\QTFont.for 2008-06-15 19:53 . 2008-06-15 19:53 <DIR> d-------- C:\Program Files\Lavasoft 2008-06-15 19:52 . 2008-06-15 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-15 19:51 . 2008-06-15 19:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-06-15 19:30 . 2008-06-15 19:41 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part33.rar 2008-06-15 16:26 . 2008-06-20 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-06-15 16:21 . 2008-06-15 16:21 <DIR> d-------- C:\Program Files\CCleaner 2008-06-15 15:51 . 2008-06-15 22:32 <DIR> d--hs---- C:\WINDOWS\S2V2aW4 2008-06-15 15:50 . 2008-06-15 16:30 <DIR> d-------- C:\WINDOWS\system32\pb109 2008-06-15 15:50 . 2008-06-15 22:32 <DIR> d-------- C:\WINDOWS\system32\dgi 2008-06-15 15:50 . 2008-06-15 16:30 <DIR> d-------- C:\WINDOWS\system32\3039a 2008-06-15 15:50 . 2008-06-15 15:50 <DIR> d-------- C:\Temp\itmp4 2008-06-15 15:50 . 2008-06-25 22:17 <DIR> d-------- C:\Temp 2008-06-15 15:50 . 2008-06-15 15:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo! 2008-06-15 15:50 . 
2008-06-15 15:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HPAppData 2008-06-15 12:18 . 2008-06-15 12:50 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part32.rar 2008-06-14 21:21 . 2008-06-14 21:39 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part31.rar 2008-06-14 13:30 . 2008-06-14 13:41 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part30.rar 2008-06-14 10:18 . 2008-06-14 10:29 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part29.rar 2008-06-13 20:07 . 2008-06-13 20:19 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part28.rar 2008-06-13 12:47 . 2008-06-13 12:59 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part27.rar 2008-06-13 00:59 . 2008-06-13 01:12 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part26.rar 2008-06-12 20:41 . 2008-06-12 21:30 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part25.rar 2008-06-11 21:51 . 2008-06-11 22:04 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part23.rar 2008-06-11 17:59 . 2008-06-11 18:11 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part24.rar 2008-06-11 07:24 . 2008-06-13 08:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-10 21:14 . 2008-06-10 21:25 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part22.rar 2008-06-10 01:15 . 2008-06-10 01:26 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part20.rar 2008-06-09 22:32 . 2008-06-09 22:43 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part21.rar 2008-06-08 13:28 . 1999-05-06 19:00 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx 2008-06-08 13:28 . 1998-06-23 18:00 137,000 --a------ C:\WINDOWS\system32\MSMAPI32.OCX 2008-06-08 13:28 . 1999-03-26 02:00 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL 2008-06-08 13:28 . 
1999-06-15 15:30 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL 2008-06-08 13:26 . 2008-06-08 13:51 <DIR> d-------- C:\Program Files\Kitchen Designs for Everyone 2008-06-08 13:26 . 2002-03-06 22:58 352,256 --a------ C:\WINDOWS\system32\ijl15.dll 2008-06-08 13:26 . 2002-03-05 01:17 265,216 --a------ C:\WINDOWS\system32\NVIEWLIB.DLL 2008-06-08 11:35 . 2008-06-08 11:36 <DIR> d-------- C:\Program Files\Kitchen 2008-06-08 11:35 . 2008-06-08 11:35 <DIR> d-------- C:\Program Files\Common Files\Borland Shared 2008-06-08 11:34 . 2008-06-08 11:34 38,908 --ah----- C:\WINDOWS\system32\mlfcache.dat 2008-06-08 11:22 . 2008-06-08 11:22 <DIR> d-------- C:\Program Files\View22 2008-06-08 11:17 . 2008-06-08 11:17 <DIR> d-------- C:\Program Files\Safari 2008-06-08 11:17 . 2008-06-08 11:17 <DIR> d-------- C:\Program Files\Bonjour 2008-06-08 10:39 . 2008-06-08 10:52 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part19.rar 2008-06-08 10:36 . 2008-06-08 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\View22 2008-06-08 10:36 . 2006-08-01 23:22 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll 2008-06-07 22:46 . 2008-06-07 22:57 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part18.rar 2008-06-07 10:26 . 2008-06-07 10:37 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part17.rar 2008-06-06 19:49 . 2008-06-06 20:01 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part16.rar 2008-06-06 00:33 . 2008-06-06 00:44 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part15.rar 2008-06-05 21:58 . 2008-06-05 22:09 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part14.rar 2008-06-05 01:47 . 2008-06-05 01:58 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part13.rar 2008-06-04 17:51 . 2008-06-04 18:02 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part12.rar 2008-06-03 22:46 . 
2008-06-03 22:57 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part11.rar 2008-06-03 20:17 . 2008-06-03 20:46 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part10.rar 2008-06-02 22:28 . 2008-06-02 22:41 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part09.rar 2008-06-02 18:01 . 2008-06-02 18:13 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part08.rar 2008-06-02 01:36 . 2008-06-02 01:47 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part07.rar 2008-06-01 14:17 . 2008-06-01 14:41 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part06.rar 2008-05-31 18:18 . 2008-05-31 18:42 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part05.rar 2008-05-31 17:54 . 2008-05-31 17:54 206,168 -ra------ C:\WINDOWS\system32\cpnprt2.cid 2008-05-31 17:53 . 2008-05-31 17:53 <DIR> d-------- C:\Program Files\Coupons 2008-05-31 15:55 . 2008-05-31 16:19 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part04.rar 2008-05-31 10:14 . 2008-05-31 10:34 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part03.rar 2008-05-30 20:33 . 2008-05-30 01:42 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part01.rar 2008-05-30 20:32 . 2008-05-30 20:49 104,857,000 --a------ C:\Star_Wars_-__Episode_I.I_-_The_Phantom_Edit.part02.rar 2008-05-30 19:48 . 2008-05-30 19:48 <DIR> d-------- C:\Star Wars - Episode I.I - The Phantom Edit 2008-05-27 23:52 . 2008-05-27 23:52 <DIR> d-------- C:\Program Files\PixiePack Codec Pack 2008-05-27 22:58 . 2008-05-27 23:52 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Tunebite 2008-05-27 22:58 . 2008-02-20 13:47 27,936 --a------ C:\WINDOWS\system32\drivers\tbhsd.sys 2008-05-27 22:57 . 2008-05-27 22:57 <DIR> d-------- C:\Program Files\RapidSolution 2008-05-27 22:57 . 
2008-05-27 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-26 00:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-06-22 22:17 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Ahead 2008-06-15 20:55 --------- d-----w C:\Documents and Settings\Kristen\Application Data\HPAppData 2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-08 18:26 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-06-08 16:18 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Apple Computer 2008-06-08 15:32 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Yahoo! 2008-05-31 21:02 --------- d-----w C:\Program Files\Microsoft Digital Image 10 2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2008-05-15 21:14 --------- d-----w C:\Documents and Settings\Kristen\Application Data\SmartFTP 2008-05-15 21:13 --------- d-----w C:\Program Files\SmartFTP Client 3.0 Setup Files 2008-05-15 21:13 --------- d-----w C:\Program Files\SmartFTP Client 2008-05-10 06:56 --------- d-----w C:\Documents and Settings\Kristen\Application Data\Template 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-07 01:30 --------- d-----w C:\Documents and Settings\Kristen\Application Data\Canopus 2008-05-06 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Canopus 2008-05-06 03:44 665,600 ----a-w C:\WINDOWS\system32\drivers\hardlock.sys 2008-05-06 03:44 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll 2008-05-06 03:44 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys 2008-05-06 03:43 --------- d-----w C:\Program Files\DivX 2008-05-06 03:42 --------- d-----w C:\Program Files\Common 
Files\Canopus Shared 2008-05-06 03:42 --------- d-----w C:\Program Files\Canopus 2008-05-06 03:35 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Canopus 2008-05-01 19:38 --------- d-----w C:\Program Files\Real 2008-05-01 19:38 --------- d-----w C:\Program Files\MSN Messenger 2008-04-30 16:33 --------- d-----w C:\Documents and Settings\Kristen\Application Data\Yahoo! 2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys 2008-04-29 15:41 --------- d-----w C:\Program Files\Recuva 2008-04-29 15:29 --------- d-----w C:\Program Files\Data Doctor Recovery FAT+NTFS (Demo) 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1bc56176-451b-4fd4-98c9-f9576c401159}] C:\WINDOWS\system32\ikdtalag.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6896AA8F-D206-4839-8696-75A5434A1A27}] C:\WINDOWS\system32\yaywtRiI.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 18:42 1177368] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-03-04 09:29 2904064] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-05-01 13:09:15 1742384] 
```
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe333d2f0]
C:\WINDOWS\system32\skwjluik.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2003-06-04 10:01 496640 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e000e16c]
--a------ 2008-06-20 08:40 80384 C:\WINDOWS\system32\lefbxmoa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
--a------ 2003-07-08 03:00 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 22:34 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2003-12-18 02:40 1241138 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-06-07 19:32 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]
--a------ 2004-04-28 01:41 188416 C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-03 17:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-03-04 09:29 2904064 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-03-04 09:29 46080 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-03-04 09:29 782336 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-12 14:18 135168 C:\Program Files\eMachines Bay Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-01-11 17:54 166304 C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsSecurity1.209.4"=2 (0x2)
"InCDsrv"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Documents and Settings\\Kevin\\Desktop\\dss.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 18:42]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-20 18:42]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 18:42]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 18:42]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 17:54]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 00:56:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 22:58:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\DOCUME~1\Kevin\LOCALS~1\Temp\eb363312-a54f-4798-b4f8-57e5e5dd40a3.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-25 23:03:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-26 04:03:11

Pre-Run: 44,091,957,248 bytes free
Post-Run: 44,657,532,928 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

320 --- E O F --- 2008-06-21 08:01:02
```