possible blaster worm infection, PC auto-shutsdown

[georgie83]

Hi, just posting again to talk about a specific problem:

I have an office computer, an HP 7540 that runs on windows XP. My officemate and I downloaded an FLV converter to convert some video files from youtube to video for use in a presentation. When we realized the converter had to be registered we had to uninstall it (using the add/remove programs on control panel). After the uninstallation that's when the problems occured.

1. My PC suddenly shuts down for no reason.
2. It displays a message about shutting down unexpectedly and has a timer but it's so fast (like about 1 second) that I didn't get to read what was written.

I researched around and found similar things happening to people with the blaster worm. I disconnected my PC from the internet before restarting and sure enough, it didn't shut down automatically. If I connect it again after restarting nothing happens fortunately so I can use the PC.

I've tried doing the 5 steps but I can't use an online scanner coz the office blocks updates for some reason. Also, when I use the Deckard System Scanner, when it comes to checking the registry, the PC initiates the shutdown process I mentioned above. The only way I can check is by HJT. So here's a log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:44 PM, on 2008-02-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\bar311.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Internet Exp1orer\IEXPLORE.EXE
C:\Program Files\RealPopup\RealPopup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = abs*abs-cbn.com;*.kapamilya.net;*.freequncy.com;<local>
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
F2 - REG:system.ini: UserInit=userinit.exe,bar311.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\bacstray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Policies\Explorer\Run: [IEXPLORE.EXE] C:\Program Files\Internet Exp1orer\IEXPLORE.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191927281950
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = abs-cbn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = abs-cbn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = abs-cbn.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\progra~1\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8544 bytes

hope this helps. Thanks in advance!

[Pancake]

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.


F2 - REG:system.ini: UserInit=userinit.exe,bar311.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot...

============================


Please download SDFix from here and save it to your desktop


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.


Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post that log in your next reply.


=========================================


Download Combofix from any of the links below, and save it to your desktop. For further information regarding this download you can see this on this Information Page

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Caution...Never run and remove files using ComboFix without being supervised by a security analyst.

[georgie83]

hi and thanks for the replY!

I've done as you asked and fixed some of the entries found by HJT. However I did not see the entry with the bar311.exe, but I did find the others and I fixed them as you said.

I have downloaded SDFix and installed it. Unfortunately when I go to safe mode, I cannot log in to my account, even if I input the correct password and username. Maybe it's because of my PC being controlled by the office? Somebody with higher access can access my PC in safe mode.

As it is, I cannot proceed any further since I cannot log in via safe mode, but if you have any other ways around it...

I appreciate you're trying to help out and thanks in advance for any advice you might give to me. :")

[georgie83]

hi and thanks for the replY!

I've done as you asked and fixed some of the entries found by HJT. However I did not see the entry with the bar311.exe, but I did find the others and I fixed them as you said.

I have downloaded SDFix and installed it. Unfortunately when I go to safe mode, I cannot log in to my account, even if I input the correct password and username. Maybe it's because of my PC being controlled by the office? Somebody with higher access can access my PC in safe mode.

As it is, I cannot proceed any further since I cannot log in via safe mode, but if you have any other ways around it...

I appreciate you're trying to help out and thanks in advance for any advice you might give to me. :")

[Pancake]

Are you able to run Combofix.If so,do that.If not,run this:

First off please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt to here.
Please attach extra.txt to your post.
To attach a file to a new post, simply Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

[georgie83]

Hi! I've run combofix and it ran smoothly. Here is a combofix log:

ComboFix 08-02-25.3 - ArtEB 2008-02-28 15:58:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT 8:00]
Running from: C:\Documents and Settings\ArtEB\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\NT.Config`.exe

----- BITS: Possible infected sites -----

hxxp://ABSSMS01
.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.

2008-02-27 14:20 . 2008-02-27 14:30 <DIR> d-------- C:\Program Files\Miniclip Games
2008-02-27 12:57 . 2008-02-27 12:57 <DIR> d-------- C:\Documents and Settings\ArtEB\Application Data\yoclient
2008-02-27 12:55 . 2008-02-27 14:30 <DIR> d-------- C:\Program Files\Three Rings Design
2008-02-21 17:28 . 2008-02-21 04:39 <DIR> d-------- C:\SDFix
2008-02-20 15:30 . 2008-02-20 15:30 43,072 --ahs---- C:\WINDOWS\msrm.exe
2008-02-20 15:30 . 2008-02-20 15:30 24,576 --ahs---- C:\WINDOWS\sy.exe
2008-02-20 15:30 . 2008-02-20 15:30 6,144 --ahs---- C:\WINDOWS\ldup.exe
2008-02-20 09:24 . 2008-02-21 14:17 <DIR> d-------- C:\Program Files\Mystery Case Files - Madame Fate
2008-02-07 11:59 . 2008-02-07 11:59 <DIR> d-------- C:\Deckard
2008-02-07 11:56 . 2008-02-07 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 19:52 . 2008-02-05 19:52 <DIR> d-------- C:\Program Files\Chikka Messenger
2008-02-05 19:52 . 2008-02-05 19:52 <DIR> d-------- C:\logs
2008-02-05 19:52 . 2008-02-05 19:52 <DIR> d-------- C:\Documents and Settings\ArtEB\ChikkaDefault
2008-02-04 16:33 . 2008-02-04 20:25 <DIR> d-------- C:\Temp
2008-02-04 16:14 . 2008-02-04 16:16 8,128,998 --a------ C:\YouTube_Video_1.flv
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-02-04 14:37 . 2008-02-26 12:37 <DIR> d-------- C:\Documents and Settings\ArtEB\dwhelper
2008-02-04 10:54 . 2008-02-04 10:54 <DIR> d-------- C:\youtubevideo
2008-01-30 10:07 . 2008-01-30 10:07 30 -rahs---- C:\WINDOWS\pc-off.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 05:45 --------- d-----w C:\Program Files\Teddy Factory
2008-02-28 04:40 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-22 12:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 07:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-04 02:54 --------- d-----w C:\Program Files\Total Video Converter
2008-02-04 00:57 --------- d-----w C:\Program Files\Yahoo!
2008-01-31 02:52 --------- d-----w C:\Program Files\Mystery Case Files Ravenhearst
2008-01-29 11:22 --------- d-----w C:\Program Files\Mystery Case Files Prime Suspects
2008-01-24 04:49 --------- d-sh--w C:\Program Files\Internet Exp1orer
2008-01-24 04:47 --------- d-sh--w C:\Program Files\Internet Explore
2008-01-23 11:04 --------- d-----w C:\Program Files\Diner Dash
2008-01-21 08:41 --------- d-----w C:\Program Files\bfgclient
2008-01-21 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-01-18 18:08 --------- d-----w C:\Program Files\MSECache
2008-01-17 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 14:28 --------- d-----w C:\Program Files\Avid
2008-01-17 14:22 --------- d-----w C:\Program Files\Common Files\Digidesign
2008-01-17 14:21 --------- d-----w C:\Program Files\JavaSoft
2008-01-17 14:18 --------- d-----w C:\Program Files\system
2008-01-11 07:52 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-28 05:59 --------- d-----w C:\Program Files\Mortimer Beckett And The Secrets Of Spooky Manor
2007-10-03 02:36 16,896 --sha-w C:\WINDOWS\infrom.dat
2007-11-21 05:27 2 --shatr C:\WINDOWS\winstart.bat
2004-08-03 23:56 24,576 --sha-r C:\WINDOWS\system\dllhost\smss.exe
2007-10-03 02:36 6,144 --sha-w C:\WINDOWS\system32\ccPrxy.exe
2004-08-03 23:56 24,576 --sha-r C:\WINDOWS\system32\userinit.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPopup"="C:\Program Files\RealPopup\RealPopup.exe" [2005-02-24 00:50 237568]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-02-18 22:41 1694208]
"Yahoo! Pager"="~C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-29 06:10 224248]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-10-14 18:09 103712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 09:08 143360]
"bacstray"="C:\Program Files\Broadcom\BACS\bacstray.exe" [2004-04-20 12:05 118784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 23:52 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 23:48 118784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-10-14 18:09 103712]
"Yahoo Messenger"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-10-03 03:42:52 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"disablelocalmachinerun"= 1 (0x1)
"disablelocalmachinerunonce"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"IEXPLORE.EXE"= C:\Program Files\Internet Exp1orer\IEXPLORE.EXE

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"= 0 (0x0)
"NoRun"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= 10.0.0.0/255.0.0.0
"Enabled"= 1 (0x1)

R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 02:50]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;C:\progra~1\oracle\ora81\BIN\ONRSD.EXE [2000-10-19 11:55]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2006-02-09 02:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a9d25b5-723f-11dc-8081-0013215e0087}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fd62ecb-c243-11dc-80ec-0013215e0087}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cdae826-e052-11dc-8119-0013215e0087}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{601dcd22-721d-11dc-8080-0013215e0087}]
\Shell\Autoplay\Command - E:\winwords.exe
\Shell\AutoRun\command - E:\
\Shell\explore\Command - E:\winwords.exe
\Shell\open\Command - E:\winwords.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98d5f10c-9d96-11dc-80ba-0013215e0087}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98d5f10d-9d96-11dc-80ba-0013215e0087}]
\Shell\Autoplay\Command - winwords.exe
\Shell\AutoRun\command - E:\
\Shell\explore\Command - winwords.exe
\Shell\open\Command - winwords.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0b3b60e-b523-11dc-80da-0013215e0087}]
\Shell\Autoplay\Command - E:\winwords.exe
\Shell\AutoRun\command - E:\
\Shell\explore\Command - E:\winwords.exe
\Shell\open\Command - E:\winwords.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdf842c1-be89-11dc-80e3-0013215e0087}]
\Shell\AutoRun\command - E:\bar311.exe %1
\Shell\Explore\command - E:\bar311.exe %1
\Shell\Open\command - E:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dffb2108-b9a3-11dc-80de-0013215e0087}]
\Shell\0pen\command - E:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e84b7e37-c896-11dc-80f1-0013215e0087}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 02:58:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 07:00:07 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 16:01:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-28 16:01:38
ComboFix-quarantined-files.txt 2008-02-28 08:01:36
ComboFix2.txt 2008-01-10 12:36:41


NOTE: HJT log to follow in the next post

[georgie83]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03, on 2008-02-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Internet Exp1orer\IEXPLORE.EXE
C:\Program Files\RealPopup\RealPopup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = abs*abs-cbn.com;*.kapamilya.net;*.freequncy.com;<local>
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\bacstray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Policies\Explorer\Run: [IEXPLORE.EXE] C:\Program Files\Internet Exp1orer\IEXPLORE.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191927281950
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = abs-cbn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = abs-cbn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = abs-cbn.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\progra~1\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8242 bytes

[Pancake]

Just the one to fix and you are done..


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

Killall::

File::
C:\WINDOWS\imsins.BAK

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

[georgie83]

hello! SOrry for the delay. Here is the new combofix report:

ComboFix 08-02-25.3 - ArtEB 2008-03-04 16:51:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.242 [GMT 8:00]
Running from: C:\Documents and Settings\ArtEB\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ArtEB\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\imsins.BAK
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\imsins.BAK

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-02-29 14:28 . 2008-02-29 14:28 <DIR> d-------- C:\Program Files\iPod
2008-02-29 14:27 . 2008-02-29 14:30 <DIR> d-------- C:\Program Files\iTunes
2008-02-29 14:25 . 2008-02-29 14:26 <DIR> d-------- C:\Program Files\QuickTime
2008-02-29 14:25 . 2008-02-29 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-27 14:20 . 2008-02-27 14:30 <DIR> d-------- C:\Program Files\Miniclip Games
2008-02-27 12:57 . 2008-02-27 12:57 <DIR> d-------- C:\Documents and Settings\ArtEB\Application Data\yoclient
2008-02-27 12:55 . 2008-02-27 14:30 <DIR> d-------- C:\Program Files\Three Rings Design
2008-02-21 17:28 . 2008-02-21 04:39 <DIR> d-------- C:\SDFix
2008-02-20 15:30 . 2008-02-20 15:30 43,072 --ahs---- C:\WINDOWS\msrm.exe
2008-02-20 15:30 . 2008-02-20 15:30 24,576 --ahs---- C:\WINDOWS\sy.exe
2008-02-20 15:30 . 2008-02-20 15:30 6,144 --ahs---- C:\WINDOWS\ldup.exe
2008-02-20 09:24 . 2008-02-21 14:17 <DIR> d-------- C:\Program Files\Mystery Case Files - Madame Fate
2008-02-07 11:59 . 2008-02-07 11:59 <DIR> d-------- C:\Deckard
2008-02-07 11:56 . 2008-02-07 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 19:52 . 2008-02-05 19:52 <DIR> d-------- C:\Program Files\Chikka Messenger
2008-02-05 19:52 . 2008-02-05 19:52 <DIR> d-------- C:\logs
2008-02-05 19:52 . 2008-02-05 19:52 <DIR> d-------- C:\Documents and Settings\ArtEB\ChikkaDefault
2008-02-04 16:33 . 2008-02-04 20:25 <DIR> d-------- C:\Temp
2008-02-04 16:14 . 2008-02-04 16:16 8,128,998 --a------ C:\YouTube_Video_1.flv
2008-02-04 16:12 . 2008-02-04 16:12 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-02-04 14:37 . 2008-02-26 12:37 <DIR> d-------- C:\Documents and Settings\ArtEB\dwhelper
2008-02-04 10:54 . 2008-02-04 10:54 <DIR> d-------- C:\youtubevideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 08:55 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-29 07:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-28 05:45 --------- d-----w C:\Program Files\Teddy Factory
2008-02-22 12:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-04 02:54 --------- d-----w C:\Program Files\Total Video Converter
2008-02-04 00:57 --------- d-----w C:\Program Files\Yahoo!
2008-01-31 02:52 --------- d-----w C:\Program Files\Mystery Case Files Ravenhearst
2008-01-29 11:22 --------- d-----w C:\Program Files\Mystery Case Files Prime Suspects
2008-01-24 04:49 --------- d-sh--w C:\Program Files\Internet Exp1orer
2008-01-24 04:47 --------- d-sh--w C:\Program Files\Internet Explore
2008-01-23 11:04 --------- d-----w C:\Program Files\Diner Dash
2008-01-21 08:41 --------- d-----w C:\Program Files\bfgclient
2008-01-21 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-01-18 18:08 --------- d-----w C:\Program Files\MSECache
2008-01-17 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 14:28 --------- d-----w C:\Program Files\Avid
2008-01-17 14:22 --------- d-----w C:\Program Files\Common Files\Digidesign
2008-01-17 14:21 --------- d-----w C:\Program Files\JavaSoft
2008-01-17 14:18 --------- d-----w C:\Program Files\system
2008-01-11 07:52 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-03 02:36 16,896 --sha-w C:\WINDOWS\infrom.dat
2007-11-21 05:27 2 --shatr C:\WINDOWS\winstart.bat
2004-08-03 23:56 24,576 --sha-r C:\WINDOWS\system\dllhost\smss.exe
2007-10-03 02:36 6,144 --sha-w C:\WINDOWS\system32\ccPrxy.exe
2004-08-03 23:56 24,576 --sha-r C:\WINDOWS\system32\userinit.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPopup"="C:\Program Files\RealPopup\RealPopup.exe" [2005-02-24 00:50 237568]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-02-18 22:41 1694208]
"Yahoo! Pager"="~C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-29 06:10 224248]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-10-14 18:09 103712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 09:08 143360]
"bacstray"="C:\Program Files\Broadcom\BACS\bacstray.exe" [2004-04-20 12:05 118784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 23:52 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 23:48 118784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-10-14 18:09 103712]
"Yahoo Messenger"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-10-03 03:42:52 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"disablelocalmachinerun"= 1 (0x1)
"disablelocalmachinerunonce"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"IEXPLORE.EXE"= C:\Program Files\Internet Exp1orer\IEXPLORE.EXE

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"= 0 (0x0)
"NoRun"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= 10.0.0.0/255.0.0.0
"Enabled"= 1 (0x1)

R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 02:50]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;C:\progra~1\oracle\ora81\BIN\ONRSD.EXE [2000-10-19 11:55]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2006-02-09 02:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a9d25b5-723f-11dc-8081-0013215e0087}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e782327-e6b1-11dc-8120-0013215e0087}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fd62ecb-c243-11dc-80ec-0013215e0087}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cdae826-e052-11dc-8119-0013215e0087}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{601dcd22-721d-11dc-8080-0013215e0087}]
\Shell\Autoplay\Command - E:\winwords.exe
\Shell\AutoRun\command - E:\
\Shell\explore\Command - E:\winwords.exe
\Shell\open\Command - E:\winwords.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98d5f10c-9d96-11dc-80ba-0013215e0087}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98d5f10d-9d96-11dc-80ba-0013215e0087}]
\Shell\Autoplay\Command - winwords.exe
\Shell\AutoRun\command - E:\
\Shell\explore\Command - winwords.exe
\Shell\open\Command - winwords.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0b3b60e-b523-11dc-80da-0013215e0087}]
\Shell\Autoplay\Command - E:\winwords.exe
\Shell\AutoRun\command - E:\
\Shell\explore\Command - E:\winwords.exe
\Shell\open\Command - E:\winwords.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdf842c1-be89-11dc-80e3-0013215e0087}]
\Shell\AutoRun\command - E:\bar311.exe %1
\Shell\Explore\command - E:\bar311.exe %1
\Shell\Open\command - E:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dffb2108-b9a3-11dc-80de-0013215e0087}]
\Shell\0pen\command - E:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e84b7e37-c896-11dc-80f1-0013215e0087}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

.
Contents of the 'Scheduled Tasks' folder
"2008-02-29 02:58:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-29 07:00:22 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 16:56:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-04 16:59:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 08:59:02
ComboFix2.txt 2008-02-28 08:01:39
ComboFix3.txt 2008-01-10 12:36:41

Note: HJT log is in the next post

[georgie83]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:02, on 2008-03-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Exp1orer\IEXPLORE.EXE
C:\Program Files\RealPopup\RealPopup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = abs*abs-cbn.com;*.kapamilya.net;*.freequncy.com;<local>
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\bacstray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Policies\Explorer\Run: [IEXPLORE.EXE] C:\Program Files\Internet Exp1orer\IEXPLORE.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191927281950
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = abs-cbn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = abs-cbn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = abs-cbn.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\progra~1\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8453 bytes

[Pancake]

We need to install your Recovery Console first.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System





Download the file & save it as its originally named, next to ComboFix.exe.






Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.