Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
06-03-2007, 01:56 PM   #1
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Infestation, mostly cleared?

Infested!

Trojans; foop, peacomm, downloader-warevenue, akella, backdr-qho, agent winlockon, phister-bzub, zero, rustok-r, girlfriend, small-eja, backdoor-lev, countofe, dorf-f

Adware amaena.com fake alert, purityscan, virtumonde, and 5 spy cookies.

All (possibly) removed, but something still has its claws in my PC 'cos I get regular system locks :-(

Also on loading get a RUNDLL error "Error loading c:\windows\system32\riadaxis.dll" ~ perhaps I was a bit keen in deleting files, but I have no idea which program to reinstall!

Any help please, only use words of up to two syllables, 'cos this is my first experience of these waters.

Thanks Paul

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:29:12, on 03/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VM303_STI.EXE
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\SUPERPEN\PenCmder.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Hijack\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by112fd.bay112.hotmail.msn.co...-0000-0000-000000000001&a=858d1f2f4b433d6254e03f66e0ba9d24cf6d0f2805e29e9feaeb4589d1973a51&curmbox=00000000-0000-0000-0000-000000000001&a=858d1f2f4b433d6254e03f66e0ba9d24cf6d0f2805e29e9feaeb4589d1973a51 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: (no name) - {E57CFFE0-5543-4C78-8874-FA0E526F2C06} - (no file)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [YeppStudioAgent] "C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [MOD] "C:\Program Files\Microangelo\muamgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BigDog303] "C:\WINDOWS\VM303_STI.EXE" VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eBayToolbar] "C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [statemdd] ipsefrgy.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINDOWS\system32\riadaxis.dll",realset
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [PenCommander] C:\SUPERPEN\PenCmder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [statemdd] ipsefrgy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Osan] "C:\DOCUME~1\Paul\MYDOCU~1\CROSOF~1\iexplore.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Quintura - C:\Program Files\Quintura Inc\Quintura Search\Quintura.htm.ie
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Quintura Search - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra 'Tools' menuitem: Quintura - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135723058937
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O20 - Winlogon Notify: opnonkk - C:\WINDOWS\
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 13169 bytes
BigPaul is offline  
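As an added example, not code from this thread and not part of HijackThis: a short Python pass that reads log lines in the HijackThis format and pulls out the kinds of entries the helpers here look at first, so you can see why lines like the bare `ipsefrgy.exe`, the `rundll32.exe ... riadaxis.dll` loader, the `iexplore.exe` living under My Documents and the two Winlogon Notify entries with no DLL behind them stand out from the rest of the log. The `SAMPLE_LOG` below is constructed for the example (its entries mirror lines from the logs posted above), the `Finding` type and the triage rules are my own heuristics, and a finding means "verify this entry", not "this entry is malicious".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not code from the thread or from HijackThis. SAMPLE_LOG is
# constructed for this example; its entries mirror lines in the logs posted
# above. The rules below are my own triage heuristics: a finding means
# "check this entry", not "this entry is malicious".
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {E57CFFE0-5543-4C78-8874-FA0E526F2C06} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [statemdd] ipsefrgy.exe
O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINDOWS\system32\riadaxis.dll",realset
O4 - HKCU\..\Run: [Osan] "C:\DOCUME~1\Paul\MYDOCU~1\CROSOF~1\iexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: opnonkk - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
USER_PROFILE_RE = re.compile(r"\\(DOCUME~1|Documents and Settings|Users)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    name: str      # entry label as HijackThis prints it
    severity: str  # "high", "medium", "low" or "info"
    reason: str    # what a reviewer should verify


def _tokens(cmd: str) -> list[str]:
    """Split an O4 command on whitespace, keeping quoted paths as one token."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def _check_o4(name: str, cmd: str) -> Finding | None:
    toks = _tokens(cmd)
    if not toks:
        return None
    exe = toks[0]
    base = exe.rsplit("\\", 1)[-1].lower()
    # rundll32 runs code from whatever DLL it is handed, so the DLL, not
    # rundll32 itself, is the thing to verify (cf. riadaxis.dll in this thread).
    if base in ("rundll32.exe", "rundll32") and len(toks) > 1:
        dll = toks[1].split(",")[0]
        return Finding("O4", name, "medium", f"rundll32 loads {dll}; confirm the DLL exists and is known")
    if "\\" not in exe and "/" not in exe:
        # A bare filename is resolved by PATH search at logon, so the log
        # alone cannot tell you which file actually runs.
        return Finding("O4", name, "low", f"bare filename {exe!r}; locate the file on disk and verify it")
    if USER_PROFILE_RE.search(exe):
        # Autostarts from a user profile directory (here My Documents) are
        # unusual for installed software and common for droppers.
        return Finding("O4", name, "high", f"autostart runs from a user profile directory: {exe}")
    return None


def _check_o20(name: str, path: str) -> Finding | None:
    # Winlogon Notify DLLs are loaded into winlogon.exe as SYSTEM at logon;
    # an entry with no DLL name, or whose file is missing, is a leftover
    # that should be removed rather than ignored.
    if "(file missing)" in path:
        return Finding("O20", name, "medium", "Winlogon Notify entry points at a missing DLL")
    if not path or path.endswith("\\"):
        return Finding("O20", name, "high", f"Winlogon Notify entry names a directory, not a DLL: {path!r}")
    return None


def triage(log_text: str) -> list[Finding]:
    """Return the entries of a HijackThis log that deserve a closer look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            f = _check_o4(m["name"], m["cmd"])
        elif m := O20_RE.match(line):
            f = _check_o20(m["name"], m["path"])
        elif (m := O2_RE.match(line)) and m["path"] == "(no file)":
            f = Finding("O2", m["name"], "info", "orphaned BHO registration; the DLL is gone")
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def flagged_names(findings: list[Finding]) -> set[tuple[str, str]]:
    """(section, name) pairs, convenient for checking results."""
    return {(f.section, f.name) for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:3} [{f.name}] {f.reason}")
```

Run against the full log above the bare-filename rule also fires on legitimate entries such as Realtek's `RTHDCPL.EXE`, and the rundll32 rule on the Lexmark `LXBStime.dll` loader; that is intended, since the point of the pass is to shorten the list a human has to verify, not to decide for them.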

06-08-2007, 05:15 AM   #2
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

Hi Guys, a week has passed ~ am I being impatient by bumping this?
BigPaul is offline  
06-11-2007, 12:49 PM   #3
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Sorry for any delay in replying, the forum is very busy and a bit understaffed.

  1. Download combofix.exe to your desktop.
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------

I see you're using HJT v2 Beta

As v2 is still in Beta, we prefer to use version 1.99.1 at this time. Please uninstall HJT v2 Beta.

Next, download and use version 1.99.1

Here's the link:

http://www.merijn.org/files/HijackThis.exe

Post a new log from this version, please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
06-13-2007, 01:37 AM   #4
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

Hi Tetonbob, thanks for taking the time to reply ~ I do realise it's a free service, which is why I was tentative about bumping it.

I loaded and ran ComboFix but it hung my computer. I tried several runs. Opening [processes running] then clicking ComboFix, you can see it's running and doing something, but the moment you click on anything (including processes running) the machine freezes. I did try switching off my virus protection, same result. I did run ComboFix overnight (without clicking anything) ~ the machine was running next morning but clicking anything hung it.

I'm running windows XP with all Microsoft service patches applied.

Downloaded earlier HijackThis as you requested ~ these are the results

Logfile of HijackThis v1.99.1
Scan saved at 20:21:55, on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\SUPERPEN\PenCmder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by112fd.bay112.hotmail.msn.co...eb4589d1973a51 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: (no name) - {E57CFFE0-5543-4C78-8874-FA0E526F2C06} - (no file)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [YeppStudioAgent] "C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [MOD] "C:\Program Files\Microangelo\muamgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BigDog303] "C:\WINDOWS\VM303_STI.EXE" VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eBayToolbar] "C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [statemdd] ipsefrgy.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINDOWS\system32\riadaxis.dll",realset
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [PenCommander] C:\SUPERPEN\PenCmder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [statemdd] ipsefrgy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Osan] "C:\DOCUME~1\Paul\MYDOCU~1\CROSOF~1\iexplore.exe" -vt ndrv
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Quintura - C:\Program Files\Quintura Inc\Quintura Search\Quintura.htm.ie
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Quintura Search - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra 'Tools' menuitem: Quintura - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135723058937
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: opnonkk - C:\WINDOWS\
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
BigPaul is offline  
06-13-2007, 07:27 AM   #5
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Let's try a slightly different tack.

Delete your existing version of ComboFix, look for C:\ComboFix and delete it if it exists, and let's try this again.

Download ComboFix from one of these locations. Place it on your desktop.
---------------------------------------------------------------------------------------------

Spywareguard

Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the running icon of Spywareguard located in the system tray
  • Go to Menu > File > Exit and confirm the programs close.

---------------------------------------------------------------------------------------------

Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • See this link for a tutorial

---------------------------------------------------------------------------------------------

Webroot SpySweeper

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable Webroot SpySweeper:
  • Click on Options> then Program tab
  • Uncheck Load at Windows Startup
  • Click Shields on the left.
  • Click Web Browser and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Exit Spysweeper.

---------------------------------------------------------------------------------------------

Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools>Options.
  • Scroll down and uncheck "Use real-time protection (recommended)".
  • After you uncheck this, click on the Save button and close Windows Defender.

---------------------------------------------------------------------------------------------

Run ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


It shouldn't take more than 20 minutes to scan and possibly reboot your machine.

Please do nothing with the machine while it's working.

If after 20 minutes it's still stalled, close the command window, and report back.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 06-13-2007, 04:37 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

Hi,

Not 100% successful.
I think I followed your instructions (very clear, thanks).
Ran Combofix, things appeared to happen in the background. Had to go out. (I have limited time on my home machine, sorry)
3 hours later nothing ~ did three finger salute and Combofix started up.
Let it run. Rebooted and my spyware stuff came back switched on.
2x error messages, Windows security alert, Firewall blocked, ActiveSync RAPI Manager trying to access the Internet.
I clicked the "Not allow" button.

Something's trying to change the IE page from www.google.com to http://www.microsoft.com/sapi/redir....=iear=iesearch
I said nope and it reset to google.

My browser of choice is Firefox, but that was not now the default browser ~ I said Yes to make it so.

Combofix log follows

ComboFix 07-06-13.3 - C:\Documents and Settings\Paul\Desktop\ComboFix.exe
"Paul" - 2007-06-13 23:21:55 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\oovghllo.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Paul\MYDOCU~1.\crosof~1
C:\WINDOWS\ecurit~1
C:\WINDOWS\racle~1
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wnsapiisv.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


2007-06-13 20:23 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-06-11 20:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 23:56 89,360 --a------ C:\WINDOWS\system32\Vb5db.dll
2007-06-06 23:56 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-06-06 23:56 327,680 --a------ C:\WINDOWS\system32\DartZip.dll
2007-06-06 23:56 316,344 --a------ C:\WINDOWS\system32\TDBGPP.DLL
2007-06-06 23:56 287,504 --a------ C:\WINDOWS\system32\MSXBSE.dll
2007-06-06 23:56 276,352 --a------ C:\WINDOWS\system32\XceedSco.dll
2007-06-06 23:56 252,176 --a------ C:\WINDOWS\system32\MSRD2X35.dll
2007-06-06 23:56 24,848 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-06-06 23:56 221,184 --a------ C:\WINDOWS\system32\DartSock.dll
2007-06-06 23:56 196,608 --a------ C:\WINDOWS\system32\DartSecureFtp.dll
2007-06-06 23:56 196,608 --a------ C:\WINDOWS\system32\DartSecure2.dll
2007-06-06 23:56 196,608 --a------ C:\WINDOWS\system32\DartFtp.dll
2007-06-06 23:56 155,648 --a------ C:\WINDOWS\system32\DartCertificate.dll
2007-06-06 23:56 123,664 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-06-06 23:56 1,046,288 --a------ C:\WINDOWS\system32\msjet35.dll
2007-06-06 23:56 <DIR> d-------- C:\Program Files\SOFTplus
2007-06-03 20:28 <DIR> d-------- C:\Hijack
2007-06-01 22:52 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-01 22:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-01 19:27 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-06-01 19:27 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-06-01 19:27 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-06-01 19:27 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-06-01 19:27 <DIR> d-------- C:\Program Files\Webroot
2007-06-01 19:27 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-06-01 19:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-01 19:25 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\Webroot
2007-06-01 14:17 164 --a------ C:\install.dat
2007-06-01 14:12 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\GetRightToGo
2007-06-01 14:07 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2007-06-01 13:49 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-01 13:48 <DIR> d-------- C:\Program Files\MSBuild
2007-06-01 13:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-06-01 13:43 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-06-01 13:42 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-06-01 13:42 <DIR> d-------- C:\79a6804fc203ec0d9a6c
2007-06-01 13:33 <DIR> d-------- C:\Program Files\Messenger
2007-06-01 13:24 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-06-01 13:24 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-06-01 13:24 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-06-01 13:10 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-01 13:01 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-06-01 11:06 134,380 --a------ C:\WINDOWS\system32\alt.exe
2007-06-01 11:02 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\ypwfkzup.exe
2007-06-01 11:02 206 --a------ C:\WINDOWS\g46183890.exe
2007-06-01 10:40 782,336 --a------ C:\WINDOWS\system32\IlmImf.dll
2007-06-01 10:40 53,248 --a------ C:\WINDOWS\system32\pmexr.dll
2007-06-01 10:40 353,280 --a------ C:\WINDOWS\system32\pmtf2.dll
2007-06-01 10:40 274,432 --a------ C:\WINDOWS\system32\lcms.dll
2007-06-01 10:40 271,872 --a------ C:\WINDOWS\system32\PhotomatixLib.dll
2007-06-01 10:40 229,376 --a------ C:\WINDOWS\system32\PhotomatixLib2.dll
2007-06-01 10:40 216,064 --a------ C:\WINDOWS\system32\pmjp.dll
2007-06-01 10:40 205,824 --a------ C:\WINDOWS\system32\pmtf1.dll
2007-06-01 10:40 204,288 --a------ C:\WINDOWS\system32\pmtf3.dll
2007-06-01 10:40 112,128 --a------ C:\WINDOWS\system32\PhotomatixLib3.dll
2007-06-01 10:40 11,776 --a------ C:\WINDOWS\system32\pmbm.dll
2007-06-01 10:40 <DIR> d-------- C:\Program Files\Photomatix
2007-05-24 19:50 <DIR> d-------- C:\Program Files\CachemanXP
2007-05-16 00:27 <DIR> d-------- C:\Program Files\DxO Labs
2007-05-15 21:08 <DIR> d-------- C:\Temp\Nikon


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-10 17:32:59 -------- d-----w C:\Program Files\Lx_cats
2007-06-10 17:19:03 -------- d-----w C:\Program Files\Avery Wizard
2007-05-27 23:35:04 -------- d-----w C:\DOCUME~1\Paul\APPLIC~1\ZipGenius
2007-05-27 22:51:36 -------- d-----w C:\DOCUME~1\Paul\APPLIC~1\Skype
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 19:12:24 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-06 10:18:22 -------- d-----w C:\Program Files\WinHTTrack
2007-04-27 10:49:10 -------- d-----w C:\Program Files\Alchemy Mindworks
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-22 09:14:06 -------- d-----w C:\DOCUME~1\Paul\APPLIC~1\AdobeUM
2007-04-20 12:38:20 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-20 10:51:59 -------- d-----w C:\Program Files\Symantec
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 22:56:09 76,560 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-23 05:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-12-07 15:06]
{22D8E815-4A5E-4DFB-845E-AAB64207F5BD}=C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll [2007-05-04 09:17]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-03 00:24]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{69A87B7D-DE56-4136-9655-716BA50C19C7}=C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll [2007-03-29 21:34]
{AC41D38F-B56D-40AD-94E0-B493D130C959}=C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll [2005-09-13 03:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 12:02]
"Run StartupMonitor"="StartupMonitor.exe" []
"YeppStudioAgent"="C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe" [2005-09-12 15:21]
"WService"="WService.EXE" [2002-09-07 19:23 C:\WINDOWS\system32\WService.exe]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2006-02-07 21:54]
"MOD"="C:\Program Files\Microangelo\muamgr.exe" [2004-07-27 11:22]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-01 03:52]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\ALCMTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-22 19:11]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2007-05-04 09:17]
"statemdd"="ipsefrgy.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PenCommander"="C:\SUPERPEN\PenCmder.exe" [2002-10-18 04:31]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-09-10 21:46]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"Gadwin PrintScreen 3.5"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2006-07-08 09:57]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"statemdd"="ipsefrgy.exe" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2003-04-14 20:05]
"Osan"="C:\DOCUME~1\Paul\MYDOCU~1\CROSOF~1\iexplore.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonkk]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32]
winexz32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


Contents of the 'Scheduled Tasks' folder
2007-06-13 19:36:48 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 23:24:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [3896]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-13 23:25:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-13 23:25

--- E O F ---
BigPaul is offline  
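The "Reg Loading Points" section of the ComboFix log above is where the next reply finds its targets. As an added example (not ComboFix's or the forum's own code), here is a small Python triage pass over that section. It flags two things: values under a Run key whose trailing bracket is empty (in this log ComboFix prints the target's timestamp, and for a bare file name its resolved path, inside that bracket, so an empty `[]` is read here as "target not found on disk", which is an assumption about ComboFix's output), and every Winlogon\Notify subkey, a DLL-loading persistence point. The sample lines are copied from the log above; the `Finding` structure and the labels are this example's own.

```python
"""Triage pass over the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's or the forum's own code.  Two heuristics:
  * a value under a ...\\Run key whose trailing bracket is empty ("[]"):
    in the log above ComboFix prints the target's timestamp (and, for a
    bare file name, the resolved path) in that bracket, so an empty one is
    read here as "target not found on disk" (an assumption);
  * every subkey under Winlogon\\Notify, a DLL-loading persistence point
    (the fix in the next reply deletes three of them).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
NOTIFY_RE = re.compile(r'\\winlogon\\notify\\(?P<sub>[^\\]+)$', re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "unresolved-run" or "winlogon-notify"
    key: str     # registry key the entry lives under
    name: str    # value name, or the Notify subkey name
    detail: str  # value data, or the DLL the Notify key loads


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key: Optional[str] = None
    # A Notify key header is followed by the DLL it loads on the next
    # non-blank line, or by nothing at all when the key is empty.
    pending_notify: Optional[Tuple[str, str]] = None

    def close_notify(detail: str) -> None:
        nonlocal pending_notify
        if pending_notify:
            findings.append(Finding("winlogon-notify", pending_notify[0], pending_notify[1], detail))
            pending_notify = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            close_notify("no DLL listed (empty key)")
            current_key = m.group("key")
            n = NOTIFY_RE.search(current_key)
            pending_notify = (current_key, n.group("sub")) if n else None
            continue
        if pending_notify:
            close_notify(f"loads {line}")
            continue
        v = VALUE_RE.match(line)
        # Only the live Run keys count; "run-" holds entries msconfig disabled.
        if v and current_key and current_key.lower().endswith("\\run") and not v.group("meta"):
            findings.append(Finding("unresolved-run", current_key, v.group("name"), v.group("data")))
    close_notify("no DLL listed (empty key)")
    return findings


# Lines copied from the ComboFix log posted above (a subset).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05]
"Run StartupMonitor"="StartupMonitor.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"statemdd"="ipsefrgy.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]
"statemdd"="ipsefrgy.exe" []
"Osan"="C:\DOCUME~1\Paul\MYDOCU~1\CROSOF~1\iexplore.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonkk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32]
winexz32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:16} {f.name:20} {f.detail}")
```

Every hit is a lead rather than a verdict: "Run StartupMonitor" is flagged only because its bare file name is not on the search path, while "statemdd" (a bare random name, present in both HKLM and HKCU), "Osan" (pointing into the folder ComboFix had just deleted) and the three Notify subkeys are exactly the entries the reply below removes.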
Old 06-13-2007, 08:59 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Hi Big Paul -

Looks like ComboFix was able to remove some of the infections I wanted it to, despite the issues.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"statemdd"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"statemdd"=-
"Osan"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonkk]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32]
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types.
* Click Yes to confirm and then click OK.


Delete these files:

C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
C:\WINDOWS\g46183890.exe


If they resist deletion, boot to safe mode and delete from there.

---------------------------------------------------------------------------------------------

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\alt.exe

  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.


---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
tetonbob is offline  
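The reply above has the user merge a hand-written `delete.reg`, and stresses the `REGEDIT4` header. As an added example (not part of the reply, and not regedit's own logic), here is a Python dry run that turns the file into a plan of what the merge will do, refuses a file that lacks the `REGEDIT4` or `Windows Registry Editor Version 5.00` header (regedit will not import one), and flags outright key deletions that sit close to the hive root. `SAMPLE_REG` is the delete.reg from the post; the depth threshold and the action names are this example's own.

```python
"""Dry run for a .reg file before merging it.

Added example, not part of the forum reply and not regedit's own code.
Parses REGEDIT4 text into a plan (delete-key / delete-value / set value),
refuses a file without a recognised header, and flags whole-key deletions
that are too shallow to be safe.
"""
import re
from typing import List, Tuple

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(?P<delete>-?)(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<data>.*)$')

Action = Tuple[str, ...]


def _unescape(s: str) -> str:
    # REGEDIT string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def plan_reg_file(text: str) -> List[Action]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("first line must be REGEDIT4 or "
                         "'Windows Registry Editor Version 5.00'; regedit refuses the file otherwise")
    actions: List[Action] = []
    current = None  # key that following value lines apply to
    for ln in lines[1:]:
        if ln.startswith(";"):      # comment line
            continue
        m = KEY_RE.match(ln)
        if m:
            if m.group("delete"):   # [-KEY] removes the whole key
                actions.append(("delete-key", m.group("key")))
                current = None      # nothing left to write values into
            else:
                current = m.group("key")
            continue
        v = VALUE_RE.match(ln)
        if not v:
            raise ValueError(f"unparseable line: {ln!r}")
        if current is None:
            raise ValueError(f"value line with no target key: {ln!r}")
        name = "(Default)" if v.group("name") == "@" else v.group("name")[1:-1]
        data = v.group("data")
        if data == "-":             # "name"=-  deletes the value
            actions.append(("delete-value", current, name))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            actions.append(("set-string", current, name, _unescape(data[1:-1])))
        else:                       # dword:, hex:, hex(2): ... left as written
            actions.append(("set-typed", current, name, data))
    return actions


def risky_key_deletions(actions: List[Action], min_depth: int = 4) -> List[str]:
    # Keys deleted outright with fewer than min_depth path components.
    # Deleting e.g. HKEY_LOCAL_MACHINE\SOFTWARE would wipe every program's settings.
    return [a[1] for a in actions
            if a[0] == "delete-key" and len(a[1].split("\\")) < min_depth]


# The delete.reg from the reply above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"statemdd"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"statemdd"=-
"Osan"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonkk]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32]
"""

if __name__ == "__main__":
    plan = plan_reg_file(SAMPLE_REG)
    for action in plan:
        print(" | ".join(action))
    print("risky:", risky_key_deletions(plan))
```

Reading the plan back before double-clicking the file is the point: three value deletions under the two Run keys and three whole-key deletions under Winlogon\Notify, nothing else, and none of the deletions shallow enough to take out a whole branch.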
Old 06-14-2007, 05:14 AM   #8 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

Hi Tetonbob,

Despite the fact I followed your (very clear) instructions to switch off the scanners and Windows guards, they (automatically?) switched on after ComboFix did its thing.

I have not re-set anything manually from your previous instructions.

Should I go through your previous instructions regarding switching things off (not the tests, of course) after boot-up but before the sequence starting Regedit4 or have you put them in a 'safe' state for these new instructions?
BigPaul is offline  
Old 06-14-2007, 08:47 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Ah, thanks for asking Big Paul -

They are all in the startup group, so they load automatically upon reboot.

Yes, please do disable them once again, as the regfix may be prevented. Also be aware you may be notified of a registry change when they become active again. Check the details if provided, and allow.
tetonbob is offline  
Old 06-14-2007, 01:19 PM   #10 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

Hi Tetonbob,

Phew!
Above steps turned off all scanners etc.
"delete.reg" worked.
ypwfkzup.exe and g46183890.exe were there (and did delete). I have emptied the trashcan.
Virustotal ran (results below)
Kaspersky did run; the ActiveX part downloaded, then it stopped. No Internet connection LEDs flashing, 7M file not downloaded (I think), no Next button to press. (NB I switched to IE to run that.)

Complete scanning result of "alt.exe", received in VirusTotal at 06.14.2007, 20:55:39 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.14.2007 no virus found
AntiVir 7.4.0.32 06.14.2007 TR/Small.DBY.DB
Authentium 4.93.8 06.14.2007 W32/Worm.ASO
Avast 4.7.997.0 06.14.2007 no virus found
AVG 7.5.0.467 06.14.2007 no virus found
BitDefender 7.2 06.14.2007 Trojan.Peed.HVH.Gen
CAT-QuickHeal 9.00 06.14.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 06.14.2007 Trojan.Small-2478
DrWeb 4.33 06.14.2007 Trojan.Packed.135
eSafe 7.0.15.0 06.14.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3718 06.14.2007 Win32/Sintun
Ewido 4.0 06.14.2007 no virus found
FileAdvisor 1 06.14.2007 no virus found
Fortinet 2.85.0.0 06.14.2007 W32/Tibs.Y!tr
F-Prot 4.3.2.48 06.14.2007 W32/Worm.ASO
F-Secure 6.70.13030.0 06.14.2007 Packed.Win32.Tibs.y
Ikarus T3.1.1.8 06.14.2007 Packed.Win32.Tibs.y
Kaspersky 4.0.2.24 06.14.2007 Packed.Win32.Tibs.y
McAfee 5053 06.14.2007 no virus found
Microsoft 1.2503 06.14.2007 no virus found
NOD32v2 2329 06.14.2007 no virus found
Norman 5.80.02 06.14.2007 Tibs.gen108
Panda 9.0.0.4 06.14.2007 Adware/Adsmart
Prevx1 V2 06.14.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.14.2007 Trojan.Peed.HVH.Gen
Symantec 10 06.14.2007 Trojan.Packed.13
TheHacker 6.1.6.133 06.14.2007 Trojan/Tibs.y
VBA32 3.12.0.1 06.13.2007 Trojan.Packed.135
VirusBuster 4.3.23:9 06.14.2007 Trojan.Tibs.Gen!Pac.126
Webwasher-Gateway 6.0.1 06.14.2007 Trojan.Small.DBY.DB
Aditional Information
File size: 134380 bytes
MD5: c04892e3c2df3dfd119389536f7d8289
SHA1: 33b3cfe0df54b667fd3daaa2916d9fdae55c7a4b

<scary!>

Logfile of HijackThis v1.99.1
Scan saved at 20:13:16, on 14/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\SUPERPEN\PenCmder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by112fd.bay112.hotmail.msn.co...-0000-0000-000000000001&a=858d1f2f4b433d6254e03f66e0ba9d24cf6d0f2805e29e9feaeb4589d1973a51&curmbox=00000000-0000-0000-0000-000000000001&a=858d1f2f4b433d6254e03f66e0ba9d24cf6d0f2805e29e9feaeb4589d1973a51 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [YeppStudioAgent] "C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [MOD] "C:\Program Files\Microangelo\muamgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eBayToolbar] "C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PenCommander] C:\SUPERPEN\PenCmder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Quintura - C:\Program Files\Quintura Inc\Quintura Search\Quintura.htm.ie
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Quintura Search - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra 'Tools' menuitem: Quintura - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135723058937
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
BigPaul is offline  
Old 06-14-2007, 09:12 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Hi BigPaul -

Let's get rid of that file, if you have not already.
  • Double click on HijackThis.exe to run it.
  • Click on Open the Misc Tools section
  • Click the button labelled "Delete A File on Reboot..."
  • In the dialogue that shows up, enter the path (type, or copy and paste) of the file in "file name:" field C:\WINDOWS\system32\alt.exe
  • When you have selected the file, Click the "Open" Button
  • Click yes at the next prompt and your system will reboot.

---------------------------------------------------------------------------------------------

Let's work around the ActiveX issue by using this onboard scanner:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

---------------------------------------------------------------------------------------------

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 06-15-2007, 03:56 AM   #12 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

Hi tetonbob,

C:\WINDOWS\system32\alt.exe is history. Auto-boot-up generated this error:

ATI Video Bios Poller: Ati2evxx.exe application error. The instruction at "0x7c93426d" referenced memory at "0x575c3a43". The memory could not be "read"

Could not OK it, or close it. Could not three-finger reset. Had to hard re-set. Following hard reset system booted. (I'm assuming these files we delete are gone forever, I don't need to check that they have been recreated?)

Dr.Web CureIt.
Short scan ~ no virus found.
Drive scan ~ only have a C:\ drive, took ages, several viruses found.
NB: I have not (yet) deleted them from the quarantine as I don't know if you want that.

Are we winning? :-) (NB thanks for all your help, this is all way beyond my own capabilities)

Dr.Web CureIt log

alt.exe.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Packed.135;Deleted.;
oovghllo.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0017722.exe;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP18;Trojan.Packed.135;Deleted.;
A0017725.dll;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP18;Trojan.Virtumod;Deleted.;
A0017926.exe;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP19;Trojan.Packed.135;Deleted.;
A0001245.exe;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP8;Trojan.Packed.135;Deleted.;
A0001252.dll;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP8;Trojan.PWS.Tanspy;Deleted.;
A0001253.sys;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP8;Trojan.Spambot;Deleted.;
A0002227.dll;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP8;Trojan.Mezzia;Deleted.;
A0002229.exe;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP8;Trojan.DownLoader.23066;Deleted.;
A0002230.exe;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP8;Trojan.Sklog;Deleted.;
A0004227.sys;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP8;Trojan.Spambot;Deleted.;



Deckard's System Scanner v20070611.50
Run by Paul on 2007-06-15 at 10:48:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2007-06-15 09:48:32 UTC - RP20 - Deckard's System Scanner Restore Point
19: 2007-06-13 22:41:08 UTC - RP19 - Software Distribution Service 3.0
18: 2007-06-12 23:19:18 UTC - RP18 - Software Distribution Service 3.0
17: 2007-06-11 20:10:05 UTC - RP17 - System Checkpoint
16: 2007-06-09 17:28:33 UTC - RP16 - System Checkpoint


-- First Restore Point --
1: 2007-06-01 12:15:44 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Paul.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:49:27, on 15/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\SUPERPEN\PenCmder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Documents and Settings\Paul\Desktop\dss.exe
C:\Hijack\Paul.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by112fd.bay112.hotmail.msn.co...eb4589d1973a51 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [YeppStudioAgent] "C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [MOD] "C:\Program Files\Microangelo\muamgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eBayToolbar] "C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PenCommander] C:\SUPERPEN\PenCmder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Quintura - C:\Program Files\Quintura Inc\Quintura Search\Quintura.htm.ie
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Quintura Search - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra 'Tools' menuitem: Quintura - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135723058937
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
R2 MaVctrl - c:\windows\system32\drivers\mavc2k.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
R3 ZSMC303 (VIMICRO USB PC Camera (ZC0301PLH)) - c:\windows\system32\drivers\usbvm303.sys <Not Verified; VM; >

S2 windev-78d-7bf8 - c:\windows\system32\windev-78d-7bf8.sys (file missing)
S3 TPP200 (USB Storage Adapter V2 (TPP)) - c:\windows\system32\drivers\tpp200.sys <Not Verified; Cypress Semiconductor; TPP Storage Adapter>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/XP>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CachemanXPService (CachemanXP) - c:\progra~1\cachem~1\cachemanxp.exe <Not Verified; Outertech; >
R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper (TM) Disk Defragmenter>
R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 st330service (SpeedTouch 330 Manager) - c:\program files/thomson speedtouch/st330/service/st330service.exe -service <Not Verified; THOMSON Telecom Belgium; Host Service>


-- Scheduled Tasks -------------------------------------------------------------

2007-06-15 10:40:48 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2007-05-15 and 2007-06-15 -----------------------------

2007-06-15 09:16:47 0 d-------- C:\Documents and Settings\Paul\DoctorWeb
2007-06-06 23:56:47 327680 --a------ C:\WINDOWS\system32\DartZip.dll <Not Verified; Dart Communications; PowerTCP© Tools>
2007-06-06 23:56:47 221184 --a------ C:\WINDOWS\system32\DartSock.dll <Not Verified; Dart Communications; PowerTCP© Tools>
2007-06-06 23:56:47 196608 --a------ C:\WINDOWS\system32\DartSecureFtp.dll <Not Verified; Dart Communications; PowerTCP© Tools>
2007-06-06 23:56:47 196608 --a------ C:\WINDOWS\system32\DartSecure2.dll <Not Verified; Dart Communications; PowerTCP© Tools>
2007-06-06 23:56:47 196608 --a------ C:\WINDOWS\system32\DartFtp.dll <Not Verified; Dart Communications; PowerTCP© Tools>
2007-06-06 23:56:47 155648 --a------ C:\WINDOWS\system32\DartCertificate.dll <Not Verified; Dart Communications; PowerTCP© Tools>
2007-06-06 23:56:46 287504 --a------ C:\WINDOWS\system32\MSXBSE.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-06-06 23:56:46 252176 --a------ C:\WINDOWS\system32\MSRD2X35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-06-06 23:56:45 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2007-06-06 23:56:45 24848 --a------ C:\WINDOWS\system32\MSJTER35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-06-06 23:56:45 123664 --a------ C:\WINDOWS\system32\MSJINT35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-06-06 23:56:45 1046288 --a------ C:\WINDOWS\system32\msjet35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-06-06 23:56:45 0 d-------- C:\Program Files\SOFTplus
2007-06-03 20:28:21 0 d-------- C:\Hijack
2007-06-01 22:52:59 77312 --a------ C:\WINDOWS\ua2.dll
2007-06-01 22:13:44 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-06-01 21:09:20 0 dr------- C:\Documents and Settings\LocalService\My Documents
2007-06-01 21:08:49 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-06-01 21:08:49 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-06-01 19:27:56 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-06-01 19:27:41 0 d-------- C:\Program Files\Webroot
2007-06-01 19:27:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-06-01 19:25:14 0 d-------- C:\Documents and Settings\Paul\Application Data\Webroot
2007-06-01 14:17:13 164 --a------ C:\install.dat
2007-06-01 14:12:22 0 d-------- C:\Documents and Settings\Paul\Application Data\GetRightToGo
2007-06-01 14:07:06 0 d-------- C:\Program Files\Common Files\eAcceleration
2007-06-01 13:49:31 0 d-------- C:\Program Files\MSXML 6.0
2007-06-01 13:48:34 0 d-------- C:\Program Files\MSBuild
2007-06-01 13:43:49 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-06-01 13:43:10 0 d-------- C:\Program Files\Reference Assemblies
2007-06-01 13:42:03 0 d-------- C:\79a6804fc203ec0d9a6c
2007-06-01 13:33:43 0 d-------- C:\Program Files\Messenger
2007-06-01 13:10:43 0 d-------- C:\Program Files\Windows Defender
2007-06-01 13:01:27 0 d-------- C:\Program Files\Windows Live Safety Center
2007-06-01 10:40:02 204288 --a------ C:\WINDOWS\system32\pmtf3.dll
2007-06-01 10:40:02 353280 --a------ C:\WINDOWS\system32\pmtf2.dll
2007-06-01 10:40:02 205824 --a------ C:\WINDOWS\system32\pmtf1.dll
2007-06-01 10:40:02 216064 --a------ C:\WINDOWS\system32\pmjp.dll
2007-06-01 10:40:02 53248 --a------ C:\WINDOWS\system32\pmexr.dll
2007-06-01 10:40:02 11776 --a------ C:\WINDOWS\system32\pmbm.dll
2007-06-01 10:40:02 112128 --a------ C:\WINDOWS\system32\PhotomatixLib3.dll
2007-06-01 10:40:02 229376 --a------ C:\WINDOWS\system32\PhotomatixLib2.dll
2007-06-01 10:40:02 271872 --a------ C:\WINDOWS\system32\PhotomatixLib.dll
2007-06-01 10:40:02 274432 --a------ C:\WINDOWS\system32\lcms.dll <Not Verified; Marti Maria; LittleCMS color engine>
2007-06-01 10:40:02 782336 --a------ C:\WINDOWS\system32\IlmImf.dll
2007-06-01 10:40:02 0 d-------- C:\Program Files\Photomatix
2007-05-31 23:38:08 0 dr-h----- C:\Documents and Settings\Paul\Recent
2007-05-27 10:57:30 2 --a------ C:\-401706650
2007-05-24 19:50:40 0 d-------- C:\Program Files\CachemanXP
2007-05-16 00:27:27 0 d-------- C:\Program Files\DxO Labs


-- Find3M Report ---------------------------------------------------------------

2007-06-10 18:32:59 0 d-------- C:\Program Files\Lx_cats
2007-06-10 18:19:03 0 d-------- C:\Program Files\Avery Wizard
2007-05-28 00:35:04 0 d-------- C:\Documents and Settings\Paul\Application Data\ZipGenius
2007-05-27 23:51:36 0 d-------- C:\Documents and Settings\Paul\Application Data\Skype
2007-05-12 00:49:30 0 d-------- C:\Program Files\Java
2007-05-09 20:12:24 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-06 11:18:22 0 d-------- C:\Program Files\WinHTTrack
2007-04-27 11:49:10 0 d-------- C:\Program Files\Alchemy Mindworks
2007-04-22 10:14:06 0 d-------- C:\Documents and Settings\Paul\Application Data\AdobeUM
2007-04-20 13:38:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-20 11:51:59 0 d-------- C:\Program Files\Symantec
2007-04-09 13:38:42 858 --a------ C:\Documents and Settings\Paul\Application Data\.googlewebacchosts
2007-03-22 20:25:02 124928 -----n--- C:\WINDOWS\system32\prntvpt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{22D8E815-4A5E-4DFB-845E-AAB64207F5BD} C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{69A87B7D-DE56-4136-9655-716BA50C19C7} C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
{AC41D38F-B56D-40AD-94E0-B493D130C959} C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"Run StartupMonitor"="StartupMonitor.exe"
"YeppStudioAgent"="\"C:\\Program Files\\Samsung\\Samsung Media Studio\\SamsungMediaStudioAgent.exe\""
"WService"="WService.EXE"
"diagnostics"="\"C:\\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe\" /icon -l:en"
"MOD"="\"C:\\Program Files\\Microangelo\\muamgr.exe\""
"Picasa Media Detector"="\"C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"eBayToolbar"="\"C:\\Program Files\\eBay\\eBay Toolbar2\\eBayTBDaemon.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PenCommander"="C:\\SUPERPEN\\PenCmder.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"WMPNSCFG"="\"C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe\""
"Gadwin PrintScreen 3.5"="\"C:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe\" /nosplash"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"WizmaxBackup_NoDriveTypeAutoRun"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"WizmaxBackup_NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-06-15 at 10:49:54 ---------
BigPaul is offline  
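The two logs in the post above are in formats an analyst reads by eye: the Dr.Web CureIt report is one semicolon-separated record per file, and the DSS driver/service lines carry a start type, a path and either a signer note or "(file missing)". The following is an added Python example (not part of the thread, and not code from Dr.Web, Deckard's System Scanner or HijackThis) that parses both and applies the two checks an analyst makes on them: whether a Dr.Web hit sat inside a System Restore point or an existing quarantine (a dormant copy) rather than in a live location, and whether an auto-starting driver or service entry points at a file that no longer exists. The sample inputs are lines copied from the post; the field layouts are assumed from those lines.

```python
"""Triage helpers for a Dr.Web CureIt report and DSS driver/service lines.
Added example for this thread; field layouts are inferred from the log
lines quoted in the post, not taken from either tool's documentation."""
import re
from typing import Dict, List, Optional

# Constructed sample input: three records copied from the Dr.Web report above.
DRWEB_SAMPLE = r"""
alt.exe.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Packed.135;Deleted.;
A0017722.exe;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP18;Trojan.Packed.135;Deleted.;
A0001253.sys;C:\System Volume Information\_restore{0DB41D66-186D-4058-9A6D-1F85DF7005E6}\RP8;Trojan.Spambot;Deleted.;
"""

# Constructed sample input: driver lines copied from the DSS "Drivers" section above.
DSS_SAMPLE = r"""
R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
R3 ZSMC303 (VIMICRO USB PC Camera (ZC0301PLH)) - c:\windows\system32\drivers\usbvm303.sys <Not Verified; VM; >
S2 windev-78d-7bf8 - c:\windows\system32\windev-78d-7bf8.sys (file missing)
"""

# DSS legend: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled; R = running, S = stopped.
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}


def parse_drweb(report: str) -> List[Dict[str, object]]:
    """Parse 'file;directory;threat;action;' records from a Dr.Web CureIt report.
    Each record is tagged with where the file lived: a hit under a System Restore
    point (_restore{...}\RPn) or an existing quarantine is a stored copy, not an
    active infection, which is what the analyst checks first."""
    records = []
    for line in report.splitlines():
        fields = line.split(";")
        if len(fields) < 4:
            continue  # blank line or not a Dr.Web record
        name, directory, threat, action = fields[:4]
        records.append({
            "file": name,
            "directory": directory,
            "threat": threat,
            "action": action.rstrip("."),
            "in_restore_point": "\\_restore{" in directory,
            "in_quarantine": "\\Quarantine\\" in directory,
        })
    return records


def active_hits(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Hits that were neither in a restore point nor already quarantined."""
    return [r for r in records if not r["in_restore_point"] and not r["in_quarantine"]]


# '<R|S><start> <name> [(display name)]' ; the display name may itself contain parens.
_DSS_HEAD = re.compile(r"^([RS])([0-4])\s+(\S+)(?:\s+\((.*)\))?$")


def parse_dss_driver(line: str) -> Optional[Dict[str, object]]:
    """Parse one DSS driver/service line into its parts, or None if it is not one.
    The right-hand side is '<path> <Not Verified; company; product>' or
    '<path> (file missing)'."""
    if " - " not in line:
        return None
    head, rest = line.split(" - ", 1)
    m = _DSS_HEAD.match(head.strip())
    if not m:
        return None
    state, start, name, display = m.groups()
    rest = rest.strip()
    missing = rest.endswith("(file missing)")
    company = None
    if missing:
        path = rest[: -len("(file missing)")].strip()
    elif " <" in rest and rest.endswith(">"):
        path, meta = rest.rsplit(" <", 1)
        parts = [p.strip() for p in meta[:-1].split(";")]
        company = parts[1] if len(parts) > 1 and parts[1] else None
    else:
        path = rest
    return {
        "running": state == "R",
        "start": START_TYPES[start],
        "name": name,
        "display": display,
        "path": path,
        "company": company,
        "file_missing": missing,
    }


def triage_dss(report: str) -> List[str]:
    """Names of entries registered to start automatically (Boot/System/Auto) whose
    file is gone. Such an orphan is either an uninstaller's leftover or a driver
    that a cleanup removed without its service key; either way it is what an
    analyst asks to have packed and submitted rather than ignored."""
    suspects = []
    for line in report.splitlines():
        rec = parse_dss_driver(line)
        if rec and rec["file_missing"] and rec["start"] in ("Boot", "System", "Auto"):
            suspects.append(rec["name"])
    return suspects


if __name__ == "__main__":
    for r in parse_drweb(DRWEB_SAMPLE):
        where = "restore point" if r["in_restore_point"] else "quarantine" if r["in_quarantine"] else "ACTIVE"
        print(f"{r['file']:16} {r['threat']:22} {where}")
    print("orphaned auto-start entries:", triage_dss(DSS_SAMPLE))
```

Run on the sample, every Dr.Web hit resolves to a restore point or the earlier quarantine, which matches the analyst's reading that the "several viruses found" were stored copies, and the only orphaned auto-start entry is windev-78d-7bf8, the one file the next reply asks to have packed.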
Old 06-15-2007, 03:58 AM   #13 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

extra.txt attached
Attached Files
File Type: txt extra.txt (17.5 KB, 1 views)
BigPaul is offline  
Old 06-15-2007, 08:58 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Hi BigPaul -

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 3

This is outdated, and a security risk to still have installed. Unfortunately, Java does not uninstall previous versions when you update, nor tell you that you should.

Leave Java(TM) SE Runtime Environment 6 Update 1 alone, as it is the most recent version.

---------------------------------------------------------------------------------------------

Those files DrWeb found were deleted outright, no backup, according to the log. And that's fine.

We're definitely winning, but I see one more issue.

Please download the Suspicious File Packer http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of bad files into the Suspicious File Packer window:
c:\windows\system32\windev-78d-7bf8.sys
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

---------------------------------------------------------------------------------------------

Please download System Repair Engineer. Use either of the Local Download buttons to download sreng2.zip

1. Extract it to its own folder on your Desktop, then double click SREng.exe to run it.

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Don't post it. You will have to rename SREngLOG.log to SREngLOG.txt to upload it.

---------------------------------------------------------------------------------------------

Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop and double-click gmer.exe

Run the program and select the Rootkit tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. It will produce a log. Copy the log using the Copy button, open Notepad and paste the log into a new text file (using Ctrl + V), save it somewhere you can find it, and post the log in this thread.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 06-15-2007, 12:55 PM   #15 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

Phew tetonbob, you don't mess about, do you! I have never installed so many spyware programs in my life!

J2SE Runtime Environment 5.0 Update 3 is history

Suspicious File Packer cab archive sent off as requested
SREngLOG.txt and
GMER.txt attached, as requested
Attached Files
File Type: txt SREngLOG.txt (27.5 KB, 1 views)
File Type: txt GMER.txt (59.3 KB, 1 views)
Old 06-15-2007, 08:29 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Hi BigPaul -

Well, since you seem to have been having issue when running ComboFix, I'm looking at other tool logs to see if there's anything which might be affecting it, but I'd like to try ComboFix once more.

Please disable all your anti-spyware apps again.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\windev-78d-7bf8.sys

Driver::
windev-78d-7bf8

Save this as ComboFix-Do.txt




Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 06-16-2007, 08:13 AM   #17 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

OK, I did that. Dragged the txt file onto the icon, and nothing happened. Waited 15 minutes (in case something was running in the background) then did a three finger salute. ComboFix DOS box popped up and started running. Let it do its thing, which included rebooting.

2x error messages, Windows security alert, Firewall blocked, ActiveSync RAPI Manager trying to access the Internet. I clicked the "Not allow" button. Then Windows Messenger trying to connect. I also said No for now.

Something's trying to change the IE page from www.google.com to http://www.microsoft.com/sapi/redir....=iear=iesearch
I said nope and it reset to Google, then it tried to set a blank page (No) and finally a null page (No again).

There's a ComboFix txt file and a ComboFix-quarantined-files.txt dated the 13th.
Both copied below.

ComboFix 07-06-13.3 - C:\Documents and Settings\Paul\Desktop\ComboFix.exe
"Paul" - 2007-06-16 14:58:14 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Paul\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINDEV-78D-7BF8
-------\windev-78d-7bf8


((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))


2007-06-15 10:48 <DIR> d-------- C:\Deckard
2007-06-15 09:16 <DIR> d-------- C:\DOCUME~1\Paul\DoctorWeb
2007-06-11 20:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 23:56 89,360 --a------ C:\WINDOWS\system32\Vb5db.dll
2007-06-06 23:56 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-06-06 23:56 327,680 --a------ C:\WINDOWS\system32\DartZip.dll
2007-06-06 23:56 316,344 --a------ C:\WINDOWS\system32\TDBGPP.DLL
2007-06-06 23:56 287,504 --a------ C:\WINDOWS\system32\MSXBSE.dll
2007-06-06 23:56 276,352 --a------ C:\WINDOWS\system32\XceedSco.dll
2007-06-06 23:56 252,176 --a------ C:\WINDOWS\system32\MSRD2X35.dll
2007-06-06 23:56 24,848 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-06-06 23:56 221,184 --a------ C:\WINDOWS\system32\DartSock.dll
2007-06-06 23:56 196,608 --a------ C:\WINDOWS\system32\DartSecureFtp.dll
2007-06-06 23:56 196,608 --a------ C:\WINDOWS\system32\DartSecure2.dll
2007-06-06 23:56 196,608 --a------ C:\WINDOWS\system32\DartFtp.dll
2007-06-06 23:56 155,648 --a------ C:\WINDOWS\system32\DartCertificate.dll
2007-06-06 23:56 123,664 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-06-06 23:56 1,046,288 --a------ C:\WINDOWS\system32\msjet35.dll
2007-06-06 23:56 <DIR> d-------- C:\Program Files\SOFTplus
2007-06-03 20:28 <DIR> d-------- C:\Hijack
2007-06-01 22:52 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-01 22:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-01 19:27 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-06-01 19:27 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-06-01 19:27 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-06-01 19:27 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-06-01 19:27 <DIR> d-------- C:\Program Files\Webroot
2007-06-01 19:27 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-06-01 19:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-01 19:25 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\Webroot
2007-06-01 14:17 164 --a------ C:\install.dat
2007-06-01 14:12 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\GetRightToGo
2007-06-01 14:07 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2007-06-01 13:49 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-01 13:48 <DIR> d-------- C:\Program Files\MSBuild
2007-06-01 13:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-06-01 13:43 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-06-01 13:42 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-06-01 13:42 <DIR> d-------- C:\79a6804fc203ec0d9a6c
2007-06-01 13:33 <DIR> d-------- C:\Program Files\Messenger
2007-06-01 13:24 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-06-01 13:24 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-06-01 13:24 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-06-01 13:10 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-01 13:01 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-06-01 10:40 782,336 --a------ C:\WINDOWS\system32\IlmImf.dll
2007-06-01 10:40 53,248 --a------ C:\WINDOWS\system32\pmexr.dll
2007-06-01 10:40 353,280 --a------ C:\WINDOWS\system32\pmtf2.dll
2007-06-01 10:40 274,432 --a------ C:\WINDOWS\system32\lcms.dll
2007-06-01 10:40 271,872 --a------ C:\WINDOWS\system32\PhotomatixLib.dll
2007-06-01 10:40 229,376 --a------ C:\WINDOWS\system32\PhotomatixLib2.dll
2007-06-01 10:40 216,064 --a------ C:\WINDOWS\system32\pmjp.dll
2007-06-01 10:40 205,824 --a------ C:\WINDOWS\system32\pmtf1.dll
2007-06-01 10:40 204,288 --a------ C:\WINDOWS\system32\pmtf3.dll
2007-06-01 10:40 112,128 --a------ C:\WINDOWS\system32\PhotomatixLib3.dll
2007-06-01 10:40 11,776 --a------ C:\WINDOWS\system32\pmbm.dll
2007-06-01 10:40 <DIR> d-------- C:\Program Files\Photomatix
2007-05-24 19:50 <DIR> d-------- C:\Program Files\CachemanXP
2007-05-16 00:27 <DIR> d-------- C:\Program Files\DxO Labs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-15 18:22:36 -------- d-----w C:\Program Files\Lx_cats
2007-06-15 13:37:05 -------- d-----w C:\Program Files\Avery Wizard
2007-05-27 23:35:04 -------- d-----w C:\DOCUME~1\Paul\APPLIC~1\ZipGenius
2007-05-27 22:51:36 -------- d-----w C:\DOCUME~1\Paul\APPLIC~1\Skype
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 19:12:24 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-06 10:18:22 -------- d-----w C:\Program Files\WinHTTrack
2007-04-27 10:49:10 -------- d-----w C:\Program Files\Alchemy Mindworks
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-22 09:14:06 -------- d-----w C:\DOCUME~1\Paul\APPLIC~1\AdobeUM
2007-04-20 12:38:20 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-20 10:51:59 -------- d-----w C:\Program Files\Symantec
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-23 05:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-12-07 15:06]
{22D8E815-4A5E-4DFB-845E-AAB64207F5BD}=C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll [2007-05-04 09:17]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-03 00:24]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{69A87B7D-DE56-4136-9655-716BA50C19C7}=C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll [2007-03-29 21:34]
{AC41D38F-B56D-40AD-94E0-B493D130C959}=C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll [2005-09-13 03:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 12:02]
"Run StartupMonitor"="StartupMonitor.exe" []
"YeppStudioAgent"="C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe" [2005-09-12 15:21]
"WService"="WService.EXE" [2002-09-07 19:23 C:\WINDOWS\system32\WService.exe]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2006-02-07 21:54]
"MOD"="C:\Program Files\Microangelo\muamgr.exe" [2004-07-27 11:22]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-01 03:52]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\ALCMTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-22 19:11]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2007-05-04 09:17]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PenCommander"="C:\SUPERPEN\PenCmder.exe" [2002-10-18 04:31]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-09-10 21:46]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"Gadwin PrintScreen 3.5"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2006-07-08 09:57]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2003-04-14 20:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


Contents of the 'Scheduled Tasks' folder
2007-06-16 13:53:15 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 15:01:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-16 15:02:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-16 15:02
C:\ComboFix2.txt ... 2007-06-13 23:25

--- E O F ---


Code:
2007-06-01 11:02      102    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\svcp.csv.vir
2007-06-01 11:02      4    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winsub.xml.vir
2007-06-01 14:18      2    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wnsapiisv.exe.vir
2007-06-01 19:30      215    --a------    C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-06-01 21:09      13029    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wincom32.ini.vir
2007-06-16 14:59      1304    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDEV-78D-7BF8.reg.cf
2007-06-16 14:59      2728    --a------    C:\Qoobox\Quarantine\Registry_backups\services_windev-78d-7bf8.reg.cf


Folder PATH listing for volume C_drive
Volume serial number is E80E-7166
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       |   wr.txt.vir
    |       |   
    |       \---system32
    |               svcp.csv.vir
    |               wincom32.ini.vir
    |               winsub.xml.vir
    |               wnsapiisv.exe.vir
    |               
    \---Registry_backups
            LEGACY_WINDEV-78D-7BF8.reg.cf
            services_windev-78d-7bf8.reg.cf
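The ComboFix log above is plain fixed-width text, so the checks the helper applies by eye can be scripted. The following Python is an added example written for this thread, not ComboFix's own code and not from either poster: it parses the "Files Created" and "Reg Loading Points" sections of a constructed excerpt of the log above, flags executables written under the Windows directory during the window, and lists Run-key values where ComboFix recorded no file metadata (the empty [] beside "Run StartupMonitor"), which is assumed here to mean the target file could not be located.

```python
import re

# Constructed excerpt of the ComboFix log posted above (two sections, a few rows each).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))

2007-06-15 10:48 <DIR> d-------- C:\Deckard
2007-06-11 20:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-01 22:52 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-01 19:27 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-06-01 13:42 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05]
"Run StartupMonitor"="StartupMonitor.exe" []
"WService"="WService.EXE" [2002-09-07 19:23 C:\WINDOWS\system32\WService.exe]
"""

# Section headers are a run of "(", the title, and a run of ")".
SECTION_HDR = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "date time size attrs path" rows of the Files Created section; size is a count or <DIR>.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*)$"
)
# "name"="command" [metadata] rows under a [...\Run] key.
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')

EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
WINDIR = "c:\\windows\\"  # assumption: the system drive is C:, as in this thread


def parse_sections(text):
    """Group the log's non-blank lines under the section title they follow."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_HDR.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def parse_files(lines):
    """Return the Files Created rows as dicts (date, time, size, attrs, path)."""
    return [m.groupdict() for m in map(FILE_LINE.match, lines) if m]


def suspicious_files(entries):
    """Executables written under the Windows directory during the window. That tree
    is normally written only by installers and Windows Update, so a fresh binary
    there is the kind of file the helper asks to have packed up and scanned."""
    hits = []
    for e in entries:
        if e["size"] == "<DIR>":
            continue
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        if path.startswith(WINDIR) and ext in EXEC_EXT:
            hits.append(e["path"])
    return hits


def parse_run_entries(lines):
    """Return Run-key values together with the registry key they sit under."""
    entries, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = RUN_LINE.match(line)
        if m and key:
            entry = m.groupdict()
            entry["key"] = key
            entries.append(entry)
    return entries


def unresolved_autoruns(entries):
    """Run values whose trailing [...] is empty. Every other value in the log carries
    the target's timestamp (and, for bare names, the resolved path); an empty bracket
    is assumed here to mean the file was not found, so the value is an orphan or a
    bare name resolved at logon and deserves a manual look."""
    return [e for e in entries if not e["meta"].strip()]


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    print(suspicious_files(parse_files(secs["Files Created from 2007-05-16 to 2007-06-16"])))
    print([e["name"] for e in unresolved_autoruns(parse_run_entries(secs["Reg Loading Points"]))])
```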
Old 06-16-2007, 08:33 AM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Well done. Your logs appear clean. You should be good to go. We still have a few items to address.

C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it

Please also delete ComboFix.exe

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".




In light of your recent troubles, I'm sure you'll want to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 06-16-2007, 04:05 PM   #19 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: Win XP


Re: Infestation, mostly cleared?

Hi tetonbob,

Phew ~ thanks a lot ~ I don't know if there is a rating system for help but you get five stars from me. Every time I switched on the computer there was more help ~ fantastic!

Your links are to comprehensive pages, I will read them and apply their recommendations.

I've done the above ~ a couple of lame questions then I'm done :-) ;

Cureit.exe, dss.exe, spf.exe, sreng, gmer and their generated files are all on the desktop ~ just delete them?

I have an external hard drive I use for backup ~ I guess it's safer to reformat that and start again? (I like to have my data, especially pictures, in two places, but now I have a complete 'good' set on my computer that should be my only copy?) It has not been plugged in since we started this clean up.

I have a 1G memory stick that I use for transfer between my laptop and main computer. That has data and programs on it that I would really like to keep if possible. Which, of the plethora of tests you had me do will tell me if the stick is safe? It has not been plugged in since we started this clean up.

Finally ditto above to check my laptop ~ I would hate to transfer a virus back from my laptop :-(

Thanks again for all your help, I would have ended up reformatting my hard disc but for you, I was losing the will to keep deleting the beggars!

Big regards, Paul
Old 06-17-2007, 08:02 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: Infestation, mostly cleared?

Quote:
Originally Posted by BigPaul View Post
Hi tetonbob,

Phew ~ thanks a lot ~ I don't know if there is a rating system for help but you get five stars from me. Every time I switched on the computer there was more help ~ fantastic!

Your links are to comprehensive pages, I will read them and apply their recommendations.

I've done the above ~ a couple of lame questions then I'm done :-) ;

Cureit.exe, dss.exe, spf.exe, sreng, gmer and their generated files are all on the desktop ~ just delete them?

Once we're done, yes.

I have an external hard drive I use for backup ~ I guess it's safer to reformat that and start again? (I like to have my data, especially pictures, in two places, but now I have a complete 'good' set on my computer that should be my only copy?) It has not been plugged in since we started this clean up.

Probably the fastest solution.

I have a 1G memory stick that I use for transfer between my laptop and main computer. That has data and programs on it that I would really like to keep if possible. Which, of the plethora of tests you had me do will tell me if the stick is safe? It has not been plugged in since we started this clean up.

Though I can understand why you'd not have it plugged in during the fix, if it had been, it would already have been scanned.

If you suspect that it's been compromised, plug it in and run ComboFix again (after unplugging from the internet, and disabling all Anti-Spy/AV protections, including Prevx), and please....let it run, do not interfere with it by using Task Manager; on some systems it just takes longer....

also run a Kaspersky scan....though instead of running a full system scan this time, target only the drive letter of your stick. You can do this by going through the previous instructions, but instead of selecting My Computer, select Folders, then check the drive letter of your stick and Click on Scan in the new window which opens.

Post those logs for review.


Finally ditto above to check my laptop ~ I would hate to transfer a virus back from my laptop :-(

Create a new thread for this next machine....I'll be on vacation shortly, and may not have time to be of service.

Thanks again for all your help, I would have ended up reformatting my hard disc but for you, I was losing the will to keep deleting the beggars!

Big regards, Paul
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Copyright 2001 - 2009, Tech Support Forum