Old 05-08-2008, 09:12 AM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

I completed Steps 1 - 5, but couldn't do the Step 2 Panda Scan part, since Avast popped up the following:

File Name: http://acs.pandasoftware.com/actives...cab\pskavs.dll
Malware name: Win32:CTX
Malware type: Virus/Worm
VPS version: 080507-0, 2008/05/0

Problem Description

The following Trojans keep getting found by avast:

C:\WINDOWS\system32\ahst593.exe\[UPX]
Win32:Lineage-351 [Trj]
C:\WINDOWS\system32\ftpdll.dll
Win32:Small-JMK [Trj]
C:\Documents and Settings\LocalService\cftmon.exe\[UPX]
Win32:Lineage-351 [Trj]
C:\Documents and Settings\LocalService\ftpdll.dll
Win32:Small-JMK [Trj]
etc...

Avast cannot delete them because they are being used by a program I am not sure of, so Avast's description claims. It only keeps popping up if I choose an action that should be done. I run my computer with the warning popup flashing continuously, then it seems to be stable.

Also I have Spybot Search and Destroy installed, and every time I try and run it to check for problems, my computer freezes and restarts. The same happens if I try to run an AVG Anti-Spyware check.

It seems to be something with Avast, because if I am connected to the internet, the on-access shield Intermail kept sending out random emails; I disabled it for the moment.

I tried a system restore, but it seems to have deleted all my previous restore points.
Besides this I have a crypt.dll virus, that Avast picks up, that I cannot delete in the registry.

I've seen similar posts, so I hope it shouldn't be a problem, Thanks for your time and patience of reading through my lay description.

Main.txt Contents:

Deckard's System Scanner v20071014.68
Run by User on 2008-05-08 16:42:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 1 Restore Point(s) --
1: 2008-05-08 14:25:52 UTC - RP2 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.6 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-08 16:44:08
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\User\ie_updates3r.exe
C:\WINDOWS\system32\ircomm2k.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F6C11B4-1766-4033-90DA-ACBEFFA6BB65} - C:\WINDOWS\system32\cryptsv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [libor] C:\WINDOWS\libor.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [libor] C:\WINDOWS\libor.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')
O4 - Startup: WordWeb.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 3 Piggs Poker - {4835CF45-71B5-4c6c-BBE0-350DCD75D237} - C:\Program Files\3piggspokerMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Silver Sands Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} () -
O16 - DPF: {33331111-1111-1111-1111-615111193427} () -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210255876101
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer = 192.168.1.1
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\system32\WinNt32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\User\ie_updates3r.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINDOWS\system32\ircomm2k.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


--
End of file - 10241 bytes

-- HijackThis Fixed Entries (C:\Download\Drivers\backups\) ---------------------

backup-20071122-232305-631 O2 - BHO: (no name) - {5F6C11B4-1766-4033-90DA-ACBEFFA6BB65} - C:\WINDOWS\system32\cryptsv.dll
backup-20071122-232331-735 O2 - BHO: (no name) - {5F6C11B4-1766-4033-90DA-ACBEFFA6BB65} - C:\WINDOWS\system32\cryptsv.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Fhc65 - c:\windows\system32\drivers\fhc65.sys
R0 PSeries - c:\windows\system32\drivers\pseries.sys <Not Verified; Elan Digital Systems Ltd; PSeries>
R0 yimebauz - c:\windows\system32\drivers\xdchxqio.dat
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R3 IrCOMM2k (Virtual IR COM Port) - c:\windows\system32\drivers\ircomm2k.sys <Not Verified; Jan Kiszka; IrCOMM2k>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin>

S0 Lnj53 - c:\windows\system32\drivers\lnj53.sys (file missing)
S2 nvcap (nVidia WDM Video Capture (universal)) - c:\windows\system32\drivers\nvcap.sys (file missing)
S3 KS-959 (Kingsun KS-959 USB Infrared Adapter) - c:\windows\system32\drivers\ks-959.sys <Not Verified; Kingsun Corporation; KSC Infrared Driver.>
S3 SE27bus (Sony Ericsson Device 039 Driver driver (WDM)) - c:\windows\system32\drivers\se27bus.sys <Not Verified; MCCI; Sony Ericsson Device 039 Driver>
S3 SE27mdfl (Sony Ericsson Device 039 USB WMC Modem Filter) - c:\windows\system32\drivers\se27mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Modem Filter Driver>
S3 SE27mdm (Sony Ericsson Device 039 USB WMC Modem Driver) - c:\windows\system32\drivers\se27mdm.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Data Modem>
S3 SE27mgmt (Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se27mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Device Management>
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\windows\system32\drivers\se27nd5.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 SE27obex (Sony Ericsson Device 039 USB WMC OBEX Interface) - c:\windows\system32\drivers\se27obex.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC OBEX Interface>
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\windows\system32\drivers\se27unic.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 spfhlp.sys - c:\windows\system32\spfhlp.sys (file missing)
S3 stusb2ir (USB 2.0 IrDA Bridge) - c:\windows\system32\drivers\stusb2ir.sys <Not Verified; SigmaTel, Inc.; SigmaTel USB 2.0 IrDA Bridge>
S3 TSClient (Tatara Protocol Driver) - c:\windows\system32\drivers\tsclient.sys <Not Verified; Tatara Systems, Inc.; Tatara Service Manager>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Google Online Services - c:\documents and settings\user\ie_updates3r.exe -a
R2 IrCOMM2kSvc (Virtual IR COM Port, Service Program) - c:\windows\system32\ircomm2k.exe <Not Verified; Jan Kiszka; IrCOMM2k>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_8139174B&REV_10\4&1C88B56&0&58A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_8139174B&REV_10\4&1C88B56&0&58A4
Service: RTL8023


-- Scheduled Tasks -------------------------------------------------------------

2008-05-08 16:43:44 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-11-15 03:43:35 298 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-05-08 16:03:15 0 d-------- C:\Program Files\Panda Security
2008-05-08 15:30:53 0 --a------ C:\WINDOWS\system32\ahst469.exe
2008-05-07 21:41:45 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-07 21:41:33 0 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-05-07 21:41:26 0 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-05-07 21:41:26 0 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-05-07 21:41:24 96256 --a------ C:\WINDOWS\system32\ctfmona.exe
2008-05-07 21:41:02 228669 --a------ C:\WINDOWS\system32\ahst550.exe
2008-05-07 21:40:39 58368 --a------ C:\WINDOWS\system32\ahst427.exe
2008-05-07 21:40:32 444416 --a------ C:\autoex.dll
2008-05-07 21:40:09 0 --a------ C:\WINDOWS\system32\ahst592.exe
2008-05-07 21:10:32 0 --a------ C:\WINDOWS\system32\ahst593.exe
2008-05-07 20:54:28 0 d-------- C:\Program Files\Windows Defender
2008-05-07 20:03:55 0 --a------ C:\WINDOWS\system32\ahst532.exe
2008-05-06 03:43:50 0 d-------- C:\Documents and Settings\User\Application Data\WordWeb
2008-05-06 02:24:15 0 d-------- C:\Documents and Settings\User\Application Data\Grisoft
2008-05-05 23:57:53 10240 --a------ C:\WINDOWS\win32ole.dll
2008-05-05 23:57:18 0 d-------- C:\Program Files\BraveSentry
2008-05-05 23:57:10 81920 --a------ C:\WINDOWS\system32\maxpaynow1.exe
2008-05-05 23:57:10 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-05 23:57:09 10 --a------ C:\WINDOWS\system32\kr_done1
2008-05-05 23:57:01 55296 --a------ C:\WINDOWS\system32\vedxga3me2.exe
2008-05-05 23:56:56 25084 --a------ C:\WINDOWS\system32\vedxga1me4t1.exe
2008-05-05 23:56:54 25970 --a------ C:\WINDOWS\system32\maxpaynowti1.exe
2008-05-05 23:56:52 1086376 --a------ C:\Documents and Settings\NetworkService\Application Data\Install.dat
2008-05-05 23:56:51 40310 --a------ C:\WINDOWS\xpupdate.exe
2008-05-05 23:56:49 26174 --a------ C:\WINDOWS\system32\dllgh8jkd1q7.exe
2008-05-05 23:56:48 25738 --a------ C:\WINDOWS\system32\dllgh8jkd1q6.exe
2008-05-05 23:56:45 25970 --a------ C:\WINDOWS\system32\dllgh8jkd1q5.exe
2008-05-05 23:56:44 40310 --a------ C:\WINDOWS\system32\dllgh8jkd1q2.exe
2008-05-05 23:56:41 24522 --a------ C:\WINDOWS\system32\dllgh8jkd1q1.exe
2008-05-05 23:56:40 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2008-05-05 23:56:35 29136 --a------ C:\WINDOWS\system32\wind32.exe
2008-05-05 23:56:24 29136 --a------ C:\WINDOWS\system32\ahst595.exe
2008-05-05 23:56:15 18432 --a------ C:\WINDOWS\system32\w76b826.exe
2008-05-05 23:56:08 81408 --a------ C:\WINDOWS\system32\ahst472.exe
2008-05-05 23:55:58 14976 --a------ C:\WINDOWS\system32\drivers\Fhc65.sys
2008-05-05 23:55:38 129536 --a------ C:\WINDOWS\libor.exe
2008-05-05 23:55:21 10752 --a------ C:\WINDOWS\system32\ahst534.exe
2008-05-05 23:54:56 5120 --a------ C:\WINDOWS\system32\ahst594.exe
2008-05-05 23:54:38 11776 --a------ C:\WINDOWS\system32\ahst563.exe
2008-05-05 23:47:54 31232 --a------ C:\WINDOWS\system32\crypts.dll
2008-05-05 23:47:47 80384 --a------ C:\WINDOWS\system32\ahst449.exe
2008-05-05 23:47:40 45568 --a------ C:\WINDOWS\system32\~.exe
2008-05-05 23:47:34 3117 --a------ C:\Documents and Settings\User\ie_updates3r.exe
2008-04-29 14:12:26 0 dr-h----- C:\Documents and Settings\User\Recent
2008-04-20 16:11:33 0 d-------- C:\Documents and Settings\User\Application Data\com.zipeg
2008-04-18 18:34:04 0 d-------- C:\temp


-- Find3M Report ---------------------------------------------------------------

2008-05-07 02:17:55 0 d-------- C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-03 19:25:33 0 d-------- C:\Documents and Settings\User\Application Data\Microgaming
2008-05-03 02:11:37 0 d-------- C:\Program Files\3piggspokerMPP
2008-05-01 15:51:12 0 d-------- C:\Program Files\Winamp
2008-04-18 18:35:20 0 d-------- C:\Program Files\Silver Sands Poker
2008-04-18 18:35:17 0 d-------- C:\Program Files\PartyGaming
2008-04-02 16:01:03 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-04-01 20:36:42 0 d-------- C:\Program Files\Graph


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F6C11B4-1766-4033-90DA-ACBEFFA6BB65}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004/11/16 03:20 AM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005/07/20 03:07 PM]
"NvMediaCenter"="NvMCTray.dll" [2005/07/20 03:07 PM C:\WINDOWS\system32\nvmctray.dll]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004/11/02 08:24 PM]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003/09/11 06:00 AM]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006/06/21 12:59 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007/12/04 03:00 PM]
"nwiz"="nwiz.exe" [2005/07/20 03:07 PM C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003/09/11 06:00 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 02:00 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007/08/31 04:46 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"libor"=C:\WINDOWS\libor.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe
"Windows update loader"=C:\Windows\xpupdate.exe

C:\Documents and Settings\User\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007/09/23 04:45:53 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007/11/03 05:35:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt32]
WinNt32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fhc65.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lnj53.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Packard Bell Data Secure]
C:\Wj\Personal Details\Packard Bell Data Secure\PBDataSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
"C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YouRipper]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BroadWaveService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73ec366a-077e-11dc-9cdf-d3503c328cf9}]
Auto\command- OSO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7517 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-08 16:49:18 ------------
Attached Files
File Type: txt extra.txt (15.8 KB, 7 views)
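A small triage script for HijackThis-style O4 (Run key) and O23 (service) lines of the kind posted above. This is an added example, not part of the thread and not HijackThis or DSS code; the sample lines are copied from the log, while the heuristics, the list of well-known binaries and the function names are my own assumptions about what a helper looks at first.

```python
"""Triage HijackThis-style O4 (Run key) and O23 (service) lines.

Flags entries that deserve a closer look: images launched from a user profile,
autoruns registered under the SYSTEM / .DEFAULT hives outside system32,
lookalike names of well-known Windows binaries, and services with no publisher.
A flag is a prompt to investigate, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log above plus two benign ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [libor] C:\WINDOWS\libor.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\User\ie_updates3r.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*) - (?P<company>.*?) - (?P<path>[A-Za-z]:\\.*)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")          # trailing (User 'SYSTEM')
FIRST_IMAGE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|scr|com))(?=\s|$)', re.I)
PROFILE_DIR = re.compile(r"\\documents and settings\\", re.I)

# Hives in which a per-user Run value is unusual for anything but ctfmon in system32.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")
# Well-known binary names that malware likes to imitate (assumed list).
WELL_KNOWN = ("ctfmon.exe", "svchost.exe", "lsass.exe", "services.exe",
              "explorer.exe", "winlogon.exe", "smss.exe")


@dataclass
class Finding:
    kind: str                 # "O4" or "O23"
    name: str                 # Run value name or service display name
    path: str                 # image the entry launches
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch lookalikes such as cftmon.exe vs ctfmon.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd: str) -> str:
    """Pull the launched image out of a Run value, quoted or not, dropping the (User ...) tag."""
    cmd = USER_SUFFIX.sub("", cmd).strip()
    m = FIRST_IMAGE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def assess(kind: str, name: str, path: str, hive: str = "", company: str = "") -> Finding:
    """Apply the triage heuristics to one entry and record every reason that fires."""
    f = Finding(kind, name, path)
    base = path.rsplit("\\", 1)[-1].lower()
    folder = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if PROFILE_DIR.search(path):
        f.reasons.append("launched from a user profile directory")
    if hive in SYSTEM_HIVES and not folder.endswith("\\system32"):
        f.reasons.append(f"autorun under {hive} outside system32")
    for known in WELL_KNOWN:
        if base != known and levenshtein(base, known) <= 2:
            f.reasons.append(f"name resembles {known}")
    if company.lower() == "unknown owner":
        f.reasons.append("service has no recorded publisher")
    return f


def triage(log_text: str) -> list:
    """Parse O4/O23 lines and return only the entries with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            f = assess("O4", m["name"], image_path(m["cmd"]), hive=m["hive"])
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            f = assess("O23", m["name"], m["path"].strip(), company=m["company"])
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}\n    " + "; ".join(f.reasons))
```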

Old 05-08-2008, 05:57 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello and Welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 05-08-2008, 08:20 PM   #3 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello skylinker.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.


Kindly follow my instructions, and please do not do any fixing on your own or run any scanners unless requested by a helper.

------------------------------------------------------

Your computer is severely infected. There are at least 10 different identified infections present.

More than one of the infections steal information or log keystrokes. That includes all passwords, logins to forums, your email details & other websites, and most of all your Bank, Credit Card, or Paypal details. If this system is used for web-based email, online banking, or has credit card information on it, all passwords should be changed immediately by using a known, clean computer. Banking and credit card institutions, if any, should be notified of the possible security breach. It also seems to be able to steal all your emails, so anything you have emailed to anyone is no longer confidential.

Please read this article. It will help you decide whether you want to attempt to clean your computer or reformat and reinstall Windows.

If you choose to reformat/reinstall, stop here, report back that decision, and I can suggest expert help in our Windows XP Support Forum.

If you choose to clean your computer, please proceed with the following instructions:

------------------------------------------------------

Your hard drive is almost full.

Quote:
System Drive C: has 2.6 GiB (less than 15%) free.
C: is Fixed (NTFS) - 74.52 GiB total, 2.6 GiB free.
Having too little free space on your hard drive can compromise system performance. I suggest you uninstall unused or little used applications and move pictures, music, etc. to an external drive or USB stick if you have one.

------------------------------------------------------

I see you have P2P software ( BitDownload and Limewire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you decide to uninstall them, also delete these Folders if they still exist:

C:\Documents and Settings\User\Application Data\LimeWire
C:\Program Files\LimeWire
C:\Program Files\BitDownload

------------------------------------------------------

Please uninstall the following via the Add or Remove Programs Panel (Start->(or My Computer)->Control Panel->Add or Remove Programs) if they exist:

Browser Optimizer Dcads << Please read here
Browser Optimizer Superiorads << Please read here

------------------------------------------------------

Please download SDFix and Save it to your Desktop.
  • Double-click SDFix.exe
  • Click Run
  • Click Install to extract the files to the Windows Directory drive, typically C:\SDFix

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key. In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode and press Enter.
  • Login on your usual account. Make sure to close any open browsers.
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the C:\SDFix folder as Report.txt
  • Post that log in your next reply.
------------------------------------------------------

Please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.



Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
When the tool is finished, it will produce a log for you.

Please post that log, ComboFix.txt along with a new HijackThis log so we may continue cleansing the system.

------------------------------------------------------

Please download HijackThis and Save it to your Desktop.

Alternate link

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Please post the HijackThis log in your next reply. Do not fix anything in HijackThis since they may be harmless.

------------------------------------------------------

Please post the following in your next reply:

C:\SDFix\Report.txt
C:\ComboFix.txt
new HijackThis log


If you have any questions along the way...STOP and ask them before proceeding.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 05-09-2008, 12:07 PM   #4 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hi, thanks for the help so far.

I will empty out my hard drive as soon as my PC is in a better state; I don't want the external to get infected in some way as well.

I uninstalled bitdownload, and the other 2 programs you said I should.

I tried to run SDFix in Safe Mode, but my PC freezes in Safe Mode about 30 secs into running RunThis.bat. My system seems more stable in normal mode, oddly; it struggles running in Safe Mode?? If Avast detects a trojan horse and I just leave the warning message, Avast doesn't detect others, not until I try to move/delete the trojan. It's sort of like a never-ending detection.

So I couldn't generate a C:\SDFix report.txt

I did the ComboFix step 2, and installed the Recovery Console.
I tried running SDFix after that, but it still froze in Safe Mode again.
Here are the ComboFix.txt and the HijackThis log:

ComboFix 08-05-08.1 - User 2008-05-09 19:27:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.624 [GMT 2:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Fhc65.sys
C:\WINDOWS\system32\WinData.cab

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FHC65
-------\Service_Fhc65


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 19:15 . 2008-05-09 19:15 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-09 18:48 . 2008-05-09 18:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-09 18:48 . 2008-05-09 19:15 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-05-09 18:37 . 2008-05-09 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-09 17:58 . 2008-05-09 17:58 <DIR> d-------- C:\SDFix
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 21:23 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-08 21:05 . 2008-05-08 21:05 6,533 --a------ C:\WINDOWS\system32\ahst532.exe
2008-05-08 16:55 . 2008-05-08 17:23 143,360 --a------ C:\WINDOWS\system32\ahst469.exe
2008-05-08 16:25 . 2008-05-08 16:25 <DIR> d-------- C:\Deckard
2008-05-08 16:03 . 2008-05-08 16:03 <DIR> d-------- C:\Program Files\Panda Security
2008-05-07 21:41 . 2008-05-07 21:41 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-07 21:41 . 2008-05-07 21:41 228,669 --a------ C:\WINDOWS\system32\ahst550.exe
2008-05-07 21:41 . 2008-05-07 21:41 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-07 21:40 . 2008-05-07 21:40 58,368 --a------ C:\WINDOWS\system32\ahst427.exe
2008-05-07 20:54 . 2008-05-07 20:54 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-06 03:43 . 2008-05-06 03:43 <DIR> d-------- C:\Documents and Settings\User\Application Data\WordWeb
2008-05-06 02:24 . 2008-05-06 02:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\Grisoft
2008-05-06 02:24 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-05-05 23:56 . 2008-05-05 23:56 81,408 --a------ C:\WINDOWS\system32\ahst472.exe
2008-05-05 23:56 . 2008-05-05 23:56 29,136 --a------ C:\WINDOWS\system32\ahst595.exe
2008-05-05 23:56 . 2008-05-05 23:56 18,432 --a------ C:\WINDOWS\system32\w76b826.exe
2008-05-05 23:55 . 2008-05-05 23:55 10,752 --a------ C:\WINDOWS\system32\ahst534.exe
2008-05-05 23:54 . 2008-05-05 23:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 23:54 . 2008-05-05 23:54 11,776 --a------ C:\WINDOWS\system32\ahst563.exe
2008-05-05 23:54 . 2008-05-05 23:54 5,120 --a------ C:\WINDOWS\system32\ahst594.exe
2008-05-05 23:54 . 2008-05-05 23:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-05 23:47 . 2008-05-05 23:47 80,384 --a------ C:\WINDOWS\system32\ahst449.exe
2008-05-05 23:47 . 2008-05-05 23:47 3,117 --a------ C:\Documents and Settings\User\ie_updates3r.exe
2008-05-05 23:47 . 2008-05-08 21:05 520 --a------ C:\WINDOWS\system32\dbxdkp.tmp
2008-04-20 16:11 . 2008-04-20 16:14 <DIR> d-------- C:\Documents and Settings\User\Application Data\com.zipeg
2008-04-18 18:34 . 2008-04-18 18:34 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 19:21 --------- d-----w C:\Program Files\Poker Indicator
2008-05-07 00:17 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-03 17:25 --------- d-----w C:\Documents and Settings\User\Application Data\Microgaming
2008-05-03 00:11 --------- d-----w C:\Program Files\3piggspokerMPP
2008-05-01 13:51 --------- d-----w C:\Program Files\Winamp
2008-04-18 16:35 --------- d-----w C:\Program Files\Silver Sands Poker
2008-04-18 16:35 --------- d-----w C:\Program Files\PartyGaming
2008-04-01 18:36 --------- d-----w C:\Program Files\Graph
2006-06-13 08:26 284 ----a-w C:\Documents and Settings\User\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-09_19.26.16.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 17:21:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 17:30:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-09 17:04:43 57,972 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-09 17:26:13 58,292 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-09 17:04:43 391,878 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-09 17:26:13 392,516 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-09 17:30:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F6C11B4-1766-4033-90DA-ACBEFFA6BB65}]
2004-08-04 14:00 93696 --a------ C:\WINDOWS\system32\cryptsv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-16 03:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 15:07 7110656]
"NvMediaCenter"="NvMCTray.dll" [2005-07-20 15:07 86016 C:\WINDOWS\system32\nvmctray.dll]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-21 12:59 212992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"nwiz"="nwiz.exe" [2005-07-20 15:07 1576960 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"libor"="C:\WINDOWS\libor.exe" [ ]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-09-23 04:45:53 44384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-03 17:35:24 113664]






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55, on 2008-05-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\User\ie_updates3r.exe
C:\WINDOWS\system32\ircomm2k.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F6C11B4-1766-4033-90DA-ACBEFFA6BB65} - C:\WINDOWS\system32\cryptsv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 3 Piggs Poker - {4835CF45-71B5-4c6c-BBE0-350DCD75D237} - C:\Program Files\3piggspokerMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Silver Sands Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210255876101
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8DD6A5-B7DD-4766-A0A2-2BC6448DEBB6}: NameServer = 196.207.32.83 196.207.32.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\User\ie_updates3r.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINDOWS\system32\ircomm2k.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9001 bytes
skylinker is offline  
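The helper reads a HijackThis log line by line for entries that do not belong. Below is a small added triage script (my own example, not code from this thread, from the helper, or from the HijackThis tool) that parses the O2 / O4 / O16 / O17 / O23 line formats seen in the log above and shortlists suspicious entries for a human reviewer; the heuristics, the constructed O4 sample line and the `example_constructed.exe` name are assumptions of the example, and a flagged line is a candidate for review, not a verdict.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example; not code from the forum thread, the helper, or the HijackThis
tool. It parses the O2 / O4 / O16 / O17 / O23 line formats that appear in the
log above and applies simple defender-side heuristics to shortlist entries for
a human reviewer. The heuristics are this example's own assumptions; a flagged
line is a candidate for review, not a verdict.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HJT line starts with a section tag such as "O23" followed by " - ".
_SECTION_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# O2  - BHO: <name> - {CLSID} - <dll path>
_O2_RE = re.compile(r"BHO:\s*(.*?)\s*-\s*\{[^}]+\}\s*-\s*(.*)$")
# O16 - DPF: {CLSID} (<description>) - <download url>
_O16_RE = re.compile(r"DPF:\s*\{[^}]+\}\s*(?:\([^)]*\))?\s*-\s*(.*)$")
# O17 - ...: NameServer = <ip> [<ip> ...]
_O17_RE = re.compile(r"NameServer\s*=\s*(.*)$")
# O23 - Service: <name> - <owner> - <binary path>
_O23_RE = re.compile(r"Service:\s*(.*?)\s*-\s*(.*?)\s*-\s*(.*)$")
_USER_PROFILE = "c:\\documents and settings\\"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _under_user_profile(path: str) -> bool:
    """True if a path or command line references a user profile directory."""
    return _USER_PROFILE in path.lower()


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an HJT line worth a second look, else None."""
    m = _SECTION_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section == "O2":
        bho = _O2_RE.match(rest)
        if bho and bho.group(1) == "(no name)":
            return Finding(section, "BHO registered without a name", line)
    elif section == "O4":
        # Run entries look like "[label] command"; Startup entries "x.lnk = target".
        cmd = rest.split("] ", 1)[-1] if "] " in rest else rest.split(" = ", 1)[-1]
        if _under_user_profile(cmd):
            return Finding(section, "autostart launched from a user profile", line)
    elif section == "O16":
        dpf = _O16_RE.match(rest)
        if dpf and not dpf.group(1).strip():
            return Finding(section, "ActiveX (DPF) entry with no download URL", line)
    elif section == "O17":
        ns = _O17_RE.search(rest)
        if ns:
            servers = ns.group(1).split()
            try:
                public = [s for s in servers if not ipaddress.ip_address(s).is_private]
            except ValueError:
                public = servers  # an unparsable value deserves a look as well
            if public:
                return Finding(section, "DNS servers outside private ranges; confirm they belong to the ISP", line)
    elif section == "O23":
        svc = _O23_RE.match(rest)
        if svc and svc.group(2) == "Unknown owner" and _under_user_profile(svc.group(3)):
            return Finding(section, "service with unknown owner running from a user profile", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log and collect the findings."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f]


# Sample input: lines copied from the HijackThis log posted above, plus one
# constructed O4 line (example_constructed.exe) so every heuristic fires once.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F6C11B4-1766-4033-90DA-ACBEFFA6BB65} - C:\WINDOWS\system32\cryptsv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\example_constructed.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8DD6A5-B7DD-4766-A0A2-2BC6448DEBB6}: NameServer = 196.207.32.83 196.207.32.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer = 192.168.1.1
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\User\ie_updates3r.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```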
Old 05-09-2008, 12:27 PM   #5 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Don't know if this might be of any use, but if I do restart my computer in Safe Mode, it freezes after about 1/2 mins of being in Safe Mode. Like I said, my computer is more functional in normal mode; with the Avast on-access turned on, as well as Windows Firewall and Spybot Search and Destroy, it doesn't seem to freeze.
skylinker is offline  
Old 05-09-2008, 07:12 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello skylinker.

It appears that you ran ComboFix twice and posted the log after the second run. Not only that, but it appears you didn't post the entire log: the bottom part is missing.

I need to see the log after the first run.

It should be located at C:\Qoobox\ComboFix2.txt

I also need to see the entire log after the second run.

It should be located at C:\ComboFix.txt.

Please post both logs in their entirety here for review.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 05-10-2008, 05:29 AM   #7 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

1st Run of Combofix: C:\Qoobox\ComboFix2.txt

ComboFix 08-05-08.1 - User 2008-05-09 19:16:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.649 [GMT 2:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autoex.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\NetworkService\Application Data\install.dat
C:\Program Files\bravesentry
C:\Program Files\bravesentry\BraveSentry.exe
C:\Program Files\bravesentry\BraveSentry.lic
C:\Program Files\bravesentry\BraveSentry0.bs
C:\Program Files\bravesentry\BraveSentry1.bs
C:\WINDOWS\gogora.config
C:\WINDOWS\Help\oqtxde.chm
C:\WINDOWS\libor.exe
C:\WINDOWS\mrofinu27.exe.tmp
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\config\46515228.Evt
C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\maxpaynow1.exe
C:\WINDOWS\system32\maxpaynowti1.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\WinData.cab
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\win32ole.dll
C:\windows\xpupdate.exe
C:\WINDOWS\system32\WinData.cab . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
hxxp://onlinesafepro.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P
-------\Service_asc3550p
-------\Service_oqtxde


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 19:21 . 2008-05-09 19:21 0 --a------ C:\WINDOWS\system32\WinData.cab
2008-05-09 19:15 . 2008-05-09 19:15 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-09 18:48 . 2008-05-09 18:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-09 18:48 . 2008-05-09 19:15 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-05-09 18:37 . 2008-05-09 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-09 17:58 . 2008-05-09 17:58 <DIR> d-------- C:\SDFix
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 21:23 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-08 21:05 . 2008-05-08 21:05 6,533 --a------ C:\WINDOWS\system32\ahst532.exe
2008-05-08 16:55 . 2008-05-08 17:23 143,360 --a------ C:\WINDOWS\system32\ahst469.exe
2008-05-08 16:25 . 2008-05-08 16:25 <DIR> d-------- C:\Deckard
2008-05-08 16:03 . 2008-05-08 16:03 <DIR> d-------- C:\Program Files\Panda Security
2008-05-07 21:41 . 2008-05-07 21:41 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-07 21:41 . 2008-05-07 21:41 228,669 --a------ C:\WINDOWS\system32\ahst550.exe
2008-05-07 21:41 . 2008-05-07 21:41 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-07 21:40 . 2008-05-07 21:40 58,368 --a------ C:\WINDOWS\system32\ahst427.exe
2008-05-07 20:54 . 2008-05-07 20:54 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-06 03:43 . 2008-05-06 03:43 <DIR> d-------- C:\Documents and Settings\User\Application Data\WordWeb
2008-05-06 02:24 . 2008-05-06 02:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\Grisoft
2008-05-06 02:24 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-05-05 23:56 . 2008-05-05 23:56 81,408 --a------ C:\WINDOWS\system32\ahst472.exe
2008-05-05 23:56 . 2008-05-05 23:56 29,136 --a------ C:\WINDOWS\system32\ahst595.exe
2008-05-05 23:56 . 2008-05-05 23:56 18,432 --a------ C:\WINDOWS\system32\w76b826.exe
2008-05-05 23:55 . 2008-05-05 23:55 14,976 --a------ C:\WINDOWS\system32\drivers\Fhc65.sys
2008-05-05 23:55 . 2008-05-05 23:55 10,752 --a------ C:\WINDOWS\system32\ahst534.exe
2008-05-05 23:54 . 2008-05-05 23:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 23:54 . 2008-05-05 23:54 11,776 --a------ C:\WINDOWS\system32\ahst563.exe
2008-05-05 23:54 . 2008-05-05 23:54 5,120 --a------ C:\WINDOWS\system32\ahst594.exe
2008-05-05 23:54 . 2008-05-05 23:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-05 23:47 . 2008-05-05 23:47 80,384 --a------ C:\WINDOWS\system32\ahst449.exe
2008-05-05 23:47 . 2008-05-05 23:47 3,117 --a------ C:\Documents and Settings\User\ie_updates3r.exe
2008-05-05 23:47 . 2008-05-08 21:05 520 --a------ C:\WINDOWS\system32\dbxdkp.tmp
2008-04-20 16:11 . 2008-04-20 16:14 <DIR> d-------- C:\Documents and Settings\User\Application Data\com.zipeg
2008-04-18 18:34 . 2008-04-18 18:34 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 19:21 --------- d-----w C:\Program Files\Poker Indicator
2008-05-07 00:17 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-03 17:25 --------- d-----w C:\Documents and Settings\User\Application Data\Microgaming
2008-05-03 00:11 --------- d-----w C:\Program Files\3piggspokerMPP
2008-05-01 13:51 --------- d-----w C:\Program Files\Winamp
2008-04-18 16:35 --------- d-----w C:\Program Files\Silver Sands Poker
2008-04-18 16:35 --------- d-----w C:\Program Files\PartyGaming
2008-04-01 18:36 --------- d-----w C:\Program Files\Graph
2006-06-13 08:26 284 ----a-w C:\Documents and Settings\User\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F6C11B4-1766-4033-90DA-ACBEFFA6BB65}]
2004-08-04 14:00 93696 --a------ C:\WINDOWS\system32\cryptsv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-16 03:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 15:07 7110656]
"NvMediaCenter"="NvMCTray.dll" [2005-07-20 15:07 86016 C:\WINDOWS\system32\nvmctray.dll]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-21 12:59 212992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"nwiz"="nwiz.exe" [2005-07-20 15:07 1576960 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"libor"="C:\WINDOWS\libor.exe" [ ]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-09-23 04:45:53 44384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-03 17:35:24 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fhc65.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lnj53.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 08:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-10-11 18:25 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-07-20 15:07 1576960 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Packard Bell Data Secure]
C:\Wj\Personal Details\Packard Bell Data Secure\PBDataSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-21 12:59 212992 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
--a------ 2007-09-24 18:47 512004 C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
C:\WINDOWS\system32\spads.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YouRipper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BroadWaveService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Fhc65;Fhc65;C:\WINDOWS\system32\Drivers\Fhc65.sys [2008-05-05 23:55]
R0 PSeries;PSeries;C:\WINDOWS\system32\drivers\pseries.sys [2006-06-22 16:18]
R0 SI3112r;ATI-437A Serial ATA Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-06-01 17:40]
R0 yimebauz;yimebauz;C:\WINDOWS\system32\drivers\xdchxqio.dat []
R2 Google Online Services;Google Online Services;C:\Documents and Settings\User\ie_updates3r.exe [2008-05-05 23:47]
R2 IrCOMM2kSvc;Virtual IR COM Port, Service Program;C:\WINDOWS\system32\ircomm2k.exe [2006-01-11 11:58]
R3 IrCOMM2k;Virtual IR COM Port;C:\WINDOWS\system32\DRIVERS\ircomm2k.sys [2006-01-11 11:58]
S0 Lnj53;Lnj53;C:\WINDOWS\system32\Drivers\Lnj53.sys []
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2006-03-28 14:48]
S3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;C:\WINDOWS\system32\DRIVERS\ewusbapp.sys [2006-03-28 14:48]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;C:\WINDOWS\system32\DRIVERS\ewusbser.sys [2006-03-28 14:48]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-09 05:26]
S3 spfhlp.sys;spfhlp.sys;C:\WINDOWS\system32\spfhlp.sys []
S3 stusb2ir;USB 2.0 IrDA Bridge;C:\WINDOWS\system32\DRIVERS\stusb2ir.sys [2004-09-08 04:41]
S3 TSClient;Tatara Protocol Driver;C:\WINDOWS\system32\drivers\tsclient.sys [2005-12-01 09:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73ec366a-077e-11dc-9cdf-d3503c328cf9}]
\Shell\Auto\command - OSO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 17:24:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-15 01:43:35 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 19:21:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\yimebauz]
"ImagePath"="system32\drivers\xdchxqio.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-05-09 19:26:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 17:26:32

Pre-Run: 2,624,999,424 bytes free
Post-Run: 2,530,820,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

250






Second Run of Combofix: C:\ComboFix\Combofix.txt

ComboFix 08-05-08.1 - User 2008-05-09 19:27:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.624 [GMT 2:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Fhc65.sys
C:\WINDOWS\system32\WinData.cab

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FHC65
-------\Service_Fhc65


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 19:15 . 2008-05-09 19:15 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-09 18:48 . 2008-05-09 18:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-09 18:48 . 2008-05-09 19:15 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-05-09 18:37 . 2008-05-09 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-09 17:58 . 2008-05-09 17:58 <DIR> d-------- C:\SDFix
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 21:23 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-08 21:05 . 2008-05-08 21:05 6,533 --a------ C:\WINDOWS\system32\ahst532.exe
2008-05-08 16:55 . 2008-05-08 17:23 143,360 --a------ C:\WINDOWS\system32\ahst469.exe
2008-05-08 16:25 . 2008-05-08 16:25 <DIR> d-------- C:\Deckard
2008-05-08 16:03 . 2008-05-08 16:03 <DIR> d-------- C:\Program Files\Panda Security
2008-05-07 21:41 . 2008-05-07 21:41 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-07 21:41 . 2008-05-07 21:41 228,669 --a------ C:\WINDOWS\system32\ahst550.exe
2008-05-07 21:41 . 2008-05-07 21:41 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-07 21:40 . 2008-05-07 21:40 58,368 --a------ C:\WINDOWS\system32\ahst427.exe
2008-05-07 20:54 . 2008-05-07 20:54 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-06 03:43 . 2008-05-06 03:43 <DIR> d-------- C:\Documents and Settings\User\Application Data\WordWeb
2008-05-06 02:24 . 2008-05-06 02:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\Grisoft
2008-05-06 02:24 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-05-05 23:56 . 2008-05-05 23:56 81,408 --a------ C:\WINDOWS\system32\ahst472.exe
2008-05-05 23:56 . 2008-05-05 23:56 29,136 --a------ C:\WINDOWS\system32\ahst595.exe
2008-05-05 23:56 . 2008-05-05 23:56 18,432 --a------ C:\WINDOWS\system32\w76b826.exe
2008-05-05 23:55 . 2008-05-05 23:55 10,752 --a------ C:\WINDOWS\system32\ahst534.exe
2008-05-05 23:54 . 2008-05-05 23:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 23:54 . 2008-05-05 23:54 11,776 --a------ C:\WINDOWS\system32\ahst563.exe
2008-05-05 23:54 . 2008-05-05 23:54 5,120 --a------ C:\WINDOWS\system32\ahst594.exe
2008-05-05 23:54 . 2008-05-05 23:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-05 23:47 . 2008-05-05 23:47 80,384 --a------ C:\WINDOWS\system32\ahst449.exe
2008-05-05 23:47 . 2008-05-05 23:47 3,117 --a------ C:\Documents and Settings\User\ie_updates3r.exe
2008-05-05 23:47 . 2008-05-08 21:05 520 --a------ C:\WINDOWS\system32\dbxdkp.tmp
2008-04-20 16:11 . 2008-04-20 16:14 <DIR> d-------- C:\Documents and Settings\User\Application Data\com.zipeg
2008-04-18 18:34 . 2008-04-18 18:34 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 19:21 --------- d-----w C:\Program Files\Poker Indicator
2008-05-07 00:17 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-03 17:25 --------- d-----w C:\Documents and Settings\User\Application Data\Microgaming
2008-05-03 00:11 --------- d-----w C:\Program Files\3piggspokerMPP
2008-05-01 13:51 --------- d-----w C:\Program Files\Winamp
2008-04-18 16:35 --------- d-----w C:\Program Files\Silver Sands Poker
2008-04-18 16:35 --------- d-----w C:\Program Files\PartyGaming
2008-04-01 18:36 --------- d-----w C:\Program Files\Graph
2006-06-13 08:26 284 ----a-w C:\Documents and Settings\User\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-09_19.26.16.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 17:21:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 17:30:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-09 17:04:43 57,972 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-09 17:26:13 58,292 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-09 17:04:43 391,878 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-09 17:26:13 392,516 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-09 17:30:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F6C11B4-1766-4033-90DA-ACBEFFA6BB65}]
2004-08-04 14:00 93696 --a------ C:\WINDOWS\system32\cryptsv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-16 03:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 15:07 7110656]
"NvMediaCenter"="NvMCTray.dll" [2005-07-20 15:07 86016 C:\WINDOWS\system32\nvmctray.dll]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-21 12:59 212992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"nwiz"="nwiz.exe" [2005-07-20 15:07 1576960 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"libor"="C:\WINDOWS\libor.exe" [ ]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-09-23 04:45:53 44384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-03 17:35:24 113664]

That's all that is in the txt file; maybe it didn't complete, I'm not sure. Just say if I should do anything else. Not going to run anything else or do anything else unless told to.

Thanks, looks like my PC is badly infected.
skylinker is offline  
Old 05-11-2008, 11:04 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello again, skylinker.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please be patient. Do not interrupt the tools while they are working or use other applications while the tools are running.

------------------------------------------------------

Close any open browsers.

Please disable your antivirus and all antispyware applications usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. Get help here

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O16 - DPF: {33331111-1111-1111-1111-611111193423} () -
O16 - DPF: {33331111-1111-1111-1111-615111193427} () -


Please remember to close all other windows, including browsers then click Fix checked.

Please close HijackThis now.

------------------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:

Quote:
KillAll::

File::
C:\WINDOWS\system32\ahst532.exe
C:\WINDOWS\system32\ahst469.exe
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\ahst550.exe
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\ahst427.exe
C:\WINDOWS\system32\ahst472.exe
C:\WINDOWS\system32\ahst595.exe
C:\WINDOWS\system32\w76b826.exe
C:\WINDOWS\system32\ahst534.exe
C:\WINDOWS\system32\ahst563.exe
C:\WINDOWS\system32\ahst594.exe
C:\WINDOWS\system32\ahst449.exe
C:\Documents and Settings\User\ie_updates3r.exe
C:\WINDOWS\system32\dbxdkp.tmp
C:\WINDOWS\system32\cryptsv.dll

Rootkit::
C:\WINDOWS\system32\drivers\xdchxqio.dat
C:\WINDOWS\system32\Drivers\Lnj53.sys
C:\WINDOWS\system32\spfhlp.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F6C11B4-1766-4033-90DA-ACBEFFA6BB65}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"libor"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fhc65.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lnj53.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YouRipper]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73ec366a-077e-11dc-9cdf-d3503c328cf9}]

Driver::
yimebauz
Google Online Services
Lnj53
spfhlp.sys
Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt, in your next reply. Make sure you copy (Ctrl + A, Ctrl + C) and paste (Ctrl + P) the entire ComboFix log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Please ensure your antivirus and antispyware programs are re-enabled. A reboot should have done this.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 05-12-2008, 04:00 AM   #9 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hi Chemist
I must say this time around all the steps went without any interruptions or freezes; I could pretty much do everything that needed to be done for now, smoothly, thanks.

Here are the requested reports:
C:\ComboFix.txt

ComboFix 08-05-08.1 - User 2008-05-12 11:42:54.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703 [GMT 2:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\User\ie_updates3r.exe
C:\WINDOWS\system32\ahst427.exe
C:\WINDOWS\system32\ahst449.exe
C:\WINDOWS\system32\ahst469.exe
C:\WINDOWS\system32\ahst472.exe
C:\WINDOWS\system32\ahst532.exe
C:\WINDOWS\system32\ahst534.exe
C:\WINDOWS\system32\ahst550.exe
C:\WINDOWS\system32\ahst563.exe
C:\WINDOWS\system32\ahst594.exe
C:\WINDOWS\system32\ahst595.exe
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\cryptsv.dll
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\dbxdkp.tmp
C:\WINDOWS\system32\w76b826.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autoex.dll
C:\Documents and Settings\User\Application Data\install.dat
C:\Documents and Settings\User\ie_updates3r.exe
C:\WINDOWS\Help\oqtxde.chm
C:\WINDOWS\system32\ahst427.exe
C:\WINDOWS\system32\ahst449.exe
C:\WINDOWS\system32\ahst472.exe
C:\WINDOWS\system32\ahst532.exe
C:\WINDOWS\system32\ahst534.exe
C:\WINDOWS\system32\ahst550.exe
C:\WINDOWS\system32\ahst563.exe
C:\WINDOWS\system32\ahst594.exe
C:\WINDOWS\system32\ahst595.exe
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\config\system~1\applic~1\install.dat
C:\WINDOWS\system32\cryptsv.dll
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\dbxdkp.tmp
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\ADH42.sys
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\Drivers\Lnj53.sys
C:\WINDOWS\system32\drivers\Nih42.sys
C:\WINDOWS\system32\drivers\xdchxqio.dat
C:\WINDOWS\system32\maxpaynowti1.exe
C:\WINDOWS\system32\spfhlp.sys
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\w76b826.exe
C:\WINDOWS\system32\win_0g.dll
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\xpupdate.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\Fhc65.sys
C:\WINDOWS\system32\WinData.cab

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FHC65
-------\Service_Fhc65
-------\Legacy_ADH42
-------\Legacy_GOOGLE_ONLINE_SERVICES
-------\Legacy_LNJ53
-------\Legacy_NIH42
-------\Legacy_SPFHLP.SYS
-------\Legacy_YIMEBAUZ
-------\Service_Adh42
-------\Service_ADH42
-------\Service_Google Online Services
-------\Service_Lnj53
-------\Service_Nih42
-------\Service_oqtxde
-------\Service_spfhlp.sys
-------\Service_yimebauz


((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-09 20:12 . 2008-05-09 20:12 29 --a------ C:\WINDOWS\system32\sigowfte.tmp
2008-05-09 20:01 . 2008-05-09 20:10 233,984 --a------ C:\WINDOWS\system32\ahst592.exe
2008-05-09 20:01 . 2008-05-09 20:00 18,944 -r-h----- C:\WINDOWS\system32\syst7.exe
2008-05-09 19:15 . 2008-05-09 19:15 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-09 18:48 . 2008-05-09 18:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-09 18:48 . 2008-05-09 19:15 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-05-09 18:37 . 2008-05-09 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-09 17:58 . 2008-05-09 17:58 <DIR> d-------- C:\SDFix
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 21:23 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-08 16:25 . 2008-05-08 16:25 <DIR> d-------- C:\Deckard
2008-05-08 16:03 . 2008-05-08 16:03 <DIR> d-------- C:\Program Files\Panda Security
2008-05-07 20:54 . 2008-05-07 20:54 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-06 03:43 . 2008-05-06 03:43 <DIR> d-------- C:\Documents and Settings\User\Application Data\WordWeb
2008-05-06 02:24 . 2008-05-06 02:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\Grisoft
2008-05-06 02:24 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-05-05 23:54 . 2008-05-05 23:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 23:54 . 2008-05-05 23:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-20 16:11 . 2008-04-20 16:14 <DIR> d-------- C:\Documents and Settings\User\Application Data\com.zipeg
2008-04-18 18:34 . 2008-04-18 18:34 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 21:31 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-08 19:21 --------- d-----w C:\Program Files\Poker Indicator
2008-05-03 17:25 --------- d-----w C:\Documents and Settings\User\Application Data\Microgaming
2008-05-03 00:11 --------- d-----w C:\Program Files\3piggspokerMPP
2008-05-01 13:51 --------- d-----w C:\Program Files\Winamp
2008-04-18 16:35 --------- d-----w C:\Program Files\Silver Sands Poker
2008-04-18 16:35 --------- d-----w C:\Program Files\PartyGaming
2008-04-01 18:36 --------- d-----w C:\Program Files\Graph
2006-06-13 08:26 284 ----a-w C:\Documents and Settings\User\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-09_19.26.16.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 17:21:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 09:47:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-09 16:51:13 368,640 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-09 17:41:53 8,089,600 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-05-09 17:04:43 57,972 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-12 09:27:26 60,212 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-09 17:04:43 391,878 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-12 09:27:26 396,344 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-12 09:47:21 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_4d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-16 03:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 15:07 7110656]
"NvMediaCenter"="NvMCTray.dll" [2005-07-20 15:07 86016 C:\WINDOWS\system32\nvmctray.dll]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-21 12:59 212992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"nwiz"="nwiz.exe" [2005-07-20 15:07 1576960 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-09-23 04:45:53 44384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-03 17:35:24 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 08:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-10-11 18:25 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-07-20 15:07 1576960 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Packard Bell Data Secure]
C:\Wj\Personal Details\Packard Bell Data Secure\PBDataSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-21 12:59 212992 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
--a------ 2007-09-24 18:47 512004 C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BroadWaveService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 PSeries;PSeries;C:\WINDOWS\system32\drivers\pseries.sys [2006-06-22 16:18]
R0 SI3112r;ATI-437A Serial ATA Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-06-01 17:40]
R2 IrCOMM2kSvc;Virtual IR COM Port, Service Program;C:\WINDOWS\system32\ircomm2k.exe [2006-01-11 11:58]
R3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2006-03-28 14:48]
R3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;C:\WINDOWS\system32\DRIVERS\ewusbapp.sys [2006-03-28 14:48]
R3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;C:\WINDOWS\system32\DRIVERS\ewusbser.sys [2006-03-28 14:48]
R3 IrCOMM2k;Virtual IR COM Port;C:\WINDOWS\system32\DRIVERS\ircomm2k.sys [2006-01-11 11:58]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-09 05:26]
S3 stusb2ir;USB 2.0 IrDA Bridge;C:\WINDOWS\system32\DRIVERS\stusb2ir.sys [2004-09-08 04:41]
S3 TSClient;Tatara Protocol Driver;C:\WINDOWS\system32\drivers\tsclient.sys [2005-12-01 09:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 09:50:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-15 01:43:35 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 11:47:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-05-12 11:52:37 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-05-12 09:52:33
ComboFix2.txt 2008-05-09 17:26:37

Pre-Run: 2,510,712,832 bytes free
Post-Run: 2,500,759,552 bytes free

258


new HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:47 AM, on 2008/05/12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ircomm2k.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 3 Piggs Poker - {4835CF45-71B5-4c6c-BBE0-350DCD75D237} - C:\Program Files\3piggspokerMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Silver Sands Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210255876101
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8DD6A5-B7DD-4766-A0A2-2BC6448DEBB6}: NameServer = 196.207.32.83 196.207.32.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINDOWS\system32\ircomm2k.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8063 bytes


Might I also add that, for the first time this week, Avast didn't pick up any malware at startup. Thanks so far.
skylinker is offline  
Old 05-12-2008, 01:45 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello again, skylinker. Please tell us how your system is behaving.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
File::
C:\WINDOWS\system32\sigowfte.tmp
C:\WINDOWS\system32\ahst592.exe
C:\WINDOWS\system32\syst7.exe
C:\WINDOWS\Tasks\XoftSpy.job

Folder::
C:\Program Files\XoftSpy

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click Continue
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start (or My Computer) > Control Panel and double-click on Add or Remove Programs
  • Click (highlight) the following items:
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel and double-click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT.
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
    We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Most (if not all) infections have been quarantined.
  • Click the Save Report as... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
Kaspersky report
new HijackThis log
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
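The instructions above ask for a fresh HijackThis log after each step, so that the helper can compare it with the earlier one and see what loading points disappeared or appeared. As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python parser that splits a HijackThis 2.0 log into its running-process list and its typed entries (R0/R1, O2, O4, O23 and so on), diffs two logs of the same machine, and checks whether files named in a fix script still have any loading point left. The two sample logs are constructed excerpts modelled on the two logs posted in this thread (the Java 1.5 to 1.6 change), not the full logs, and the function names are my own.

```python
import re
from dataclasses import dataclass

# A typed HijackThis line, e.g. 'O4 - HKLM\..\Run: [nwiz] nwiz.exe /install'.
# Section codes are R0-R3, F0-F3, N1-N4 and O1-O24.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True, order=True)
class HjtEntry:
    kind: str  # section code such as "O4" (autostart) or "O23" (service)
    body: str  # rest of the line, unchanged


def parse_hjt(text):
    """Split a HijackThis 2.0 log into the running-process list and the
    typed entries. Header and footer lines are ignored."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group("kind"), m.group("body")))
    return {"processes": processes, "entries": entries}


def diff_logs(old_text, new_text):
    """Entries that appeared or disappeared between two logs of the same
    machine, plus processes running in the new log but not in the old one."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    old_entries, new_entries = set(old["entries"]), set(new["entries"])
    return {
        "added": sorted(new_entries - old_entries),
        "removed": sorted(old_entries - new_entries),
        "new_processes": sorted(set(new["processes"]) - set(old["processes"])),
    }


def entries_referencing(text, names):
    """Entries whose body mentions any of the given file names
    (case-insensitive), e.g. to confirm that files listed in a CFScript
    no longer have a loading point after the fix."""
    wanted = [n.lower() for n in names]
    return [e for e in parse_hjt(text)["entries"]
            if any(w in e.body.lower() for w in wanted)]


# Constructed excerpts modelled on the two logs in this thread (before and
# after the Java update); they are not the full logs.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:47 AM, on 2008/05/12
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:36:23 AM, on 2008/05/13
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
"""

if __name__ == "__main__":
    changes = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "added"):
        for e in changes[label]:
            print(f"{label:8} {e.kind} - {e.body}")
    for p in changes["new_processes"]:
        print(f"new proc {p}")
    # The files named in this thread's CFScript should have no loading point left.
    print("leftovers:", entries_referencing(LOG_AFTER, ["ahst592.exe", "syst7.exe", "sigowfte.tmp"]))
```

Run against the real before/after logs the diff shows exactly the two things the Java update should change: the jre1.5.0_06 entries vanish, jre1.6.0_06 entries plus the SunJavaUpdateSched autostart appear, and nothing else moves. An entry that appears in the "added" list without a matching action in the fix is what a helper would look at next.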
Old 05-12-2008, 06:54 PM   #11 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hi and thanks so far for the help Chemist.

I ran ComboFix without any flaws; I have posted the text file log.
I also updated my Java as you have instructed.

--------------------------------------------------------------------------
However, I couldn't complete the Kaspersky report. My system froze twice at the same spot, 66% into the scan. I ran both scans with antivirus and antispyware programs turned off, and no open or unnecessary programs running.

I took note of the frozen screen, and this is the point where it froze twice:

Scanned Objects: 35844
Number of Viruses found: 9
Infected Objects: 15
No of Suspicious Files: 0
Duration of scan progress: 19:35


It froze both times at that same time, and whilst busy scanning the following file:

C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\PV561404.CAB

----------------------------------------------------------------------
Then, also running a system scan with HijackThis, I got the following reported error, which I have responded to by clicking Yes at the prompt.

"An unexpected error has occured at procedure: modRegistry_IniGetString(sFile = system.ini, sSection =boot , sValue = Shell)
Error #5: Invalid procedure or argument"


I have posted the hijackthis.log as well; the logs follow:

---------------------------------------------------------------------------
C:\ComboFix.txt

ComboFix 08-05-08.1 - User 2008-05-13 0:56:27.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.728 [GMT 2:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ahst592.exe
C:\WINDOWS\system32\sigowfte.tmp
C:\WINDOWS\system32\syst7.exe
C:\WINDOWS\Tasks\XoftSpy.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ahst592.exe
C:\WINDOWS\system32\sigowfte.tmp
C:\WINDOWS\system32\syst7.exe
C:\WINDOWS\Tasks\XoftSpy.job

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-09 19:15 . 2008-05-09 19:15 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-09 18:48 . 2008-05-09 18:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-09 18:48 . 2008-05-09 19:15 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-05-09 18:37 . 2008-05-09 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-09 17:58 . 2008-05-09 17:58 <DIR> d-------- C:\SDFix
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 21:23 . 2008-05-08 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 21:23 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-08 16:25 . 2008-05-08 16:25 <DIR> d-------- C:\Deckard
2008-05-08 16:03 . 2008-05-08 16:03 <DIR> d-------- C:\Program Files\Panda Security
2008-05-07 20:54 . 2008-05-07 20:54 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-06 03:43 . 2008-05-06 03:43 <DIR> d-------- C:\Documents and Settings\User\Application Data\WordWeb
2008-05-06 02:24 . 2008-05-06 02:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\Grisoft
2008-05-06 02:24 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-05-05 23:54 . 2008-05-05 23:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 23:54 . 2008-05-05 23:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-20 16:11 . 2008-04-20 16:14 <DIR> d-------- C:\Documents and Settings\User\Application Data\com.zipeg
2008-04-18 18:34 . 2008-04-18 18:34 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 21:31 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-08 19:21 --------- d-----w C:\Program Files\Poker Indicator
2008-05-03 17:25 --------- d-----w C:\Documents and Settings\User\Application Data\Microgaming
2008-05-03 00:11 --------- d-----w C:\Program Files\3piggspokerMPP
2008-05-01 13:51 --------- d-----w C:\Program Files\Winamp
2008-04-18 16:35 --------- d-----w C:\Program Files\Silver Sands Poker
2008-04-18 16:35 --------- d-----w C:\Program Files\PartyGaming
2008-04-01 18:36 --------- d-----w C:\Program Files\Graph
2006-06-13 08:26 284 ----a-w C:\Documents and Settings\User\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-09_19.26.16.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 17:21:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 22:45:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-09 16:51:13 368,640 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-09 17:41:53 8,089,600 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-05-09 17:04:43 57,972 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-12 22:50:35 61,812 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-09 17:04:43 391,878 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-12 22:50:35 399,534 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-16 03:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 15:07 7110656]
"NvMediaCenter"="NvMCTray.dll" [2005-07-20 15:07 86016 C:\WINDOWS\system32\nvmctray.dll]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 06:00 157184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-21 12:59 212992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"nwiz"="nwiz.exe" [2005-07-20 15:07 1576960 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-09-23 04:45:53 44384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-03 17:35:24 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 08:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-10-11 18:25 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-07-20 15:07 1576960 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Packard Bell Data Secure]
C:\Wj\Personal Details\Packard Bell Data Secure\PBDataSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-21 12:59 212992 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
--a------ 2007-09-24 18:47 512004 C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BroadWaveService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 PSeries;PSeries;C:\WINDOWS\system32\drivers\pseries.sys [2006-06-22 16:18]
R0 SI3112r;ATI-437A Serial ATA Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-06-01 17:40]
R2 IrCOMM2kSvc;Virtual IR COM Port, Service Program;C:\WINDOWS\system32\ircomm2k.exe [2006-01-11 11:58]
R3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2006-03-28 14:48]
R3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;C:\WINDOWS\system32\DRIVERS\ewusbapp.sys [2006-03-28 14:48]
R3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;C:\WINDOWS\system32\DRIVERS\ewusbser.sys [2006-03-28 14:48]
R3 IrCOMM2k;Virtual IR COM Port;C:\WINDOWS\system32\DRIVERS\ircomm2k.sys [2006-01-11 11:58]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-09 05:26]
S3 stusb2ir;USB 2.0 IrDA Bridge;C:\WINDOWS\system32\DRIVERS\stusb2ir.sys [2004-09-08 04:41]
S3 TSClient;Tatara Protocol Driver;C:\WINDOWS\system32\drivers\tsclient.sys [2005-12-01 09:20]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 22:58:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 00:58:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 1:01:43
ComboFix-quarantined-files.txt 2008-05-12 23:01:41
ComboFix2.txt 2008-05-12 09:52:37
ComboFix3.txt 2008-05-09 17:26:37

Pre-Run: 2,481,283,072 bytes free
Post-Run: 2,471,399,424 bytes free

166
----------------------------------------------------------------
Kaspersky report
See above; couldn't complete.
----------------------------------------------------------------
new HijackThis log (Note, reported an error whilst running)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:36:23 AM, on 2008/05/13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ircomm2k.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: 3 Piggs Poker - {4835CF45-71B5-4c6c-BBE0-350DCD75D237} - C:\Program Files\3piggspokerMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Silver Sands Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210255876101
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8DD6A5-B7DD-4766-A0A2-2BC6448DEBB6}: NameServer = 196.207.32.83 196.207.32.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINDOWS\system32\ircomm2k.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8116 bytes

-------------------------------------------------------------------------------

report on system behavior

Except for the freezes, it seems alright. I haven't run other spyware or virus scans at all. Before I had any help, the system always froze trying to run scans in Spybot and AVG. I haven't done much on the infected computer; I mostly worked from my laptop last week. Also, I haven't tried running the PC in safe mode to see if it freezes there. I don't know why I can't complete the Kaspersky scan, and I'm not sure if this would be the same case for other scans.

Thanks.
skylinker is offline  
Old 05-12-2008, 08:24 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello skylinker.

Quote:
Except for the freezes, it seems alright. I haven't run other spyware or virus scans at all.
Does this mean you are having freezes without doing anything? Freezes aren't necessarily caused by malware. You may have other issues.

Quote:
Before I had any help, the system always froze trying to run scans in Spybot and AVG. Also I haven't tried running the PC in safe mode to see if it freezes there.
Try running Spybot and/or try safe mode and see if it freezes. Report back with an update on system behavior.

Let's try another online scanner:

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Close/disable all running programs, including your antivirus and all antispyware programs.
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked.
  • Click Scan
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 05-13-2008, 11:40 AM   #13 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello

My computer doesn't freeze in Normal Startup if I let it idle. It did however freeze when I ran a Spybot scan. It froze whilst scanning Vario.AntiVirus.

My computer has difficulty starting in Safe Mode, and when it is logged on in Safe Mode, without me touching or pressing anything, it freezes after about 20 seconds.

As for the online ESET scan, it nearly made it to the end; I'd say it scanned about 80%, but it froze after 23 mins, with the consequence that I found no log file at C:\Program Files\EsetOnlineScanner\log.txt
Before it froze it picked up 9 possible threats, but I don't know what they are.

HijackThis log (no error message this time)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:36:14 PM, on 2008/05/13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ircomm2k.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: 3 Piggs Poker - {4835CF45-71B5-4c6c-BBE0-350DCD75D237} - C:\Program Files\3piggspokerMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Silver Sands Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210255876101
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8DD6A5-B7DD-4766-A0A2-2BC6448DEBB6}: NameServer = 196.207.32.83 196.207.32.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINDOWS\system32\ircomm2k.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8083 bytes


If my system freezes aren't due to malware but to other problems, are you able to help me, or redirect me to a thread/section that will be able to address this problem?
skylinker is offline  
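As an added example (not code from this thread, from HijackThis, or from the helper), here is a small Python triage script for logs in the HijackThis v2.0.2 format posted above: it parses the O4 autoruns, O16 ActiveX downloads, O17 name servers and O23 services and lists the entries a log reader verifies first. The sample log inside it is constructed, with one made-up look-alike autorun so the checks have something to flag.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2.0.2 format (assumed, not copied from the
# thread). The [cftmon] line is a made-up look-alike of ctfmon.exe living in
# a service account's profile, added so the review has something to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [cftmon] C:\Documents and Settings\LocalService\cftmon.exe (User 'LOCAL SERVICE')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8DD6A5-B7DD-4766-A0A2-2BC6448DEBB6}: NameServer = 196.207.32.83 196.207.32.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# One regex per HijackThis line type handled here.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First absolute path to an .exe/.dll inside a Run command (quotes and rundll32 arguments ignored).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)

# Where an autorun is expected to live on this XP box; anything else gets a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Triage:
    autoruns: list = field(default_factory=list)     # (hive, name, command, user or None)
    activex: list = field(default_factory=list)      # (clsid, name, url)
    nameservers: list = field(default_factory=list)  # (registry key, [ip, ...])
    services: list = field(default_factory=list)     # (name, owner, path)
    unparsed: list = field(default_factory=list)     # lines no rule above matched


def parse_hjt(text: str) -> Triage:
    """Split a HijackThis log into the sections this triage cares about."""
    t = Triage()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            t.autoruns.append((m["hive"], m["name"], m["cmd"], m["user"]))
        elif m := O16_RE.match(line):
            t.activex.append((m["clsid"], m["name"], m["url"]))
        elif m := O17_RE.match(line):
            t.nameservers.append((m["key"], m["servers"].split()))
        elif m := O23_RE.match(line):
            t.services.append((m["name"], m["owner"], m["path"]))
        else:
            t.unparsed.append(line)
    return t


def exe_path(cmd: str):
    """Absolute path referenced by a Run command, or None for a bare file name."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def public_nameservers(t: Triage) -> list:
    """Name servers outside private/loopback ranges; a DNS changer would show up here."""
    ips = set()
    for _, servers in t.nameservers:
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                continue
            if not (ip.is_private or ip.is_loopback):
                ips.add(s)
    return sorted(ips)


def review(t: Triage) -> list:
    """Entries a log reader would verify before calling the log clean."""
    flags = []
    for hive, name, cmd, user in t.autoruns:
        who = f" ({user})" if user else ""
        path = exe_path(cmd)
        if path is None:
            flags.append(f"O4 [{name}]{who}: bare file name '{cmd}' is resolved via the search path; confirm which file actually runs")
        elif not path.lower().startswith(TRUSTED_ROOTS):
            flags.append(f"O4 [{name}]{who}: runs from outside Windows/Program Files: {path}")
    public = public_nameservers(t)
    if public:
        flags.append("O17: public name servers " + ", ".join(public) + "; confirm they belong to your ISP")
    for name, owner, path in t.services:
        if owner.lower() == "unknown owner":
            flags.append(f"O23 '{name}': no publisher recorded, verify {path}")
    return flags


if __name__ == "__main__":
    for flag in review(parse_hjt(SAMPLE_LOG)):
        print(flag)
```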
Old 05-13-2008, 06:54 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello skylinker. Sorry you are having trouble.

Quote:
Before it froze it picked up 9 possible threats, but I don't know what they are.
Don't be alarmed by reports of infections in an online scan. Most (if not all) infections are likely quarantined in old System Restore Points and/or ComboFix's quarantine folder, which we will take care of later.

Quote:
If my system freezes aren't due to malware but to other problems, are you able to help me, or redirect me to a thread/section that will be able to address this problem?
Absolutely. However, we would like to be sure you are clear of malware before we send you to another forum.

Are you absolutely sure you closed all running programs, including word processors (e.g. Microsoft Office, etc.), your antivirus program, and all antispyware programs before running the scans?

Let's try one more thing:
  • Please download Dr.Web CureIt and save it to your Desktop.
  • Double-click the cureit.exe file and click Run
  • Click OK to the prompt to run the express scan.
  • This will scan the files currently running in memory and when/if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Complete scan
  • Click Options >> Change settings
  • Click Actions
  • Change all drop-down boxes to Report
  • Click Apply and then click OK
  • Please be sure to close all running programs and do not use the computer at all while it's scanning. Start the scan and walk away.
  • Click the green arrow at the right, and the scan will start.
  • Click No to All if it asks if you want to cure/move the file.
  • When the scan has finished, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
chemist is offline  
Old 05-15-2008, 01:40 AM   #15 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hi Chemist

Yes, I am sure I disabled all Microsoft Office programs, antispyware, antivirus etc.

I downloaded Dr.Web CureIt, but my system also froze halfway through a scan. I haven't completed a scan since the start of the infection, about 2 weeks ago.

Thanks.
skylinker is offline  
Old 05-15-2008, 10:09 AM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello again, skylinker.

We will attempt to delete the local installation source of your Microsoft Office 2003 as it is possible that the freezes during scans are caused by it.

Note: If you have more than one partition on your hard disk, you may have to repeat these steps for each partition.

Warning: Never delete the MSOCACHE folder by using Microsoft Windows Explorer.

Follow these steps:

1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Cleanup.
2. In the Select Drive dialog box, in the Drives list, click C:, and then click OK.

Note: If you have more than one hard disk, the Office setup files will be on the partition that had the most free space during Office Setup.

3. Wait for Disk Cleanup to finish checking the drive.
4. In the Files to Delete list, click to select the Office Setup Files check box, and then click OK.

Note: If the size of the Office Setup Files is zero, the Office Setup files are on another hard disk.

5. When you receive the following message, click Yes:

Quote:
Are you sure you want to delete these files?
Once that procedure is completed, try the Dr.Web CureIt scan again and see if you can complete a scan and post the log, DrWeb.csv in your next reply.
chemist is offline  
Old 05-16-2008, 04:47 AM   #17 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hi Chemist.

I ran Disk Cleanup, and together with checking Office Setup Files I also checked Compress old files.

I clicked OK, but as Disk Cleanup tried to compress old files, my system froze again.

I restarted again and ran Disk Cleanup, checking just Office Setup Files, and it deleted them successfully.

However, I ran Dr.Web CureIt again, and my system couldn't complete the scan, as it froze halfway through with all antispyware/antivirus turned off.

Sorry for all the freezes :(
skylinker is offline  
Old 05-16-2008, 07:58 AM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello again, skylinker.

Quote:
I haven't completed a scan since the start of the infection, about 2 weeks ago.

Before I had any help, the system always froze trying to run scans in Spybot and AVG.
We are having trouble understanding if this always happened or just since the infection.

When were these anti-malware tools (Spybot S&D, AVG A-S, Windows Defender) installed?

Have you ever been able to complete a scan with these tools?

What about Windows Defender? Does that freeze as well?

Quote:
My computer has difficulty starting in Safe Mode, and when it is logged on in Safe Mode, without me touching or pressing anything, it freezes after about 20 seconds.
Has this always been a problem, or has this only occurred since becoming infected?

It is possible you could still have traces of SmitFraud present on your system, which is known to mess up Safe Mode. Let's try this:
  • Please download SmitfraudFix (by S!Ri) to your Desktop.
  • Double-click smitfraudfix.exe to start the tool.
  • Select option #1 - Search by typing 1 and press Enter
  • The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed.
  • Please copy/paste the contents of that report into your next reply.
IMPORTANT: Do NOT run option #2 OR any other option unless you are directed to do so!

------------------------------------------------------

Please post the following in your next reply:

C:\rapport.txt
answers to questions
chemist is offline  
Old 05-16-2008, 05:15 PM   #19 (permalink)
Registered User
 
Join Date: May 2008
Posts: 15
OS: Windows XP, Version 2002, Service Pack 2


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello again.

I haven't been able to complete a scan since the start of the infection; this hasn't always been the case.

I installed Spybot & AVG in November 2007; my trial period for AVG expired about 3 months ago.

Before the infection, the only "protection" I had, to my knowledge, was Avast and Spybot. I never had Windows Defender before the infection. When I got infected, I updated/reinstalled AVG and tried to do a scan without success. I then also installed Windows Defender, without it making my infection better. I then resorted to the tech forum for help.

I have always been able to complete scans with Spybot, and with AVG in the trial period; I did so regularly as well, but stopped doing this when more of my work was done on my laptop.

I ran a scan with Windows Defender today (16 May) and that didn't freeze my computer; it did a complete system scan.

Only since the infection have I not been able to start in safe mode. It has never been a problem, before the infection.

Here then is the C:\rapport.txt from SmitFraudFix:

SmitFraudFix v2.320

Scan done at 1:10:54.02, 2008/05/17
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ircomm2k.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 196.207.32.83
DNS Server Search Order: 196.207.32.69

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2F8DD6A5-B7DD-4766-A0A2-2BC6448DEBB6}: NameServer=196.207.32.83 196.207.32.69
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2F8DD6A5-B7DD-4766-A0A2-2BC6448DEBB6}: NameServer=196.207.32.83 196.207.32.69
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AB0F817F-9B4C-42C6-9D11-D58C6852A3EF}: NameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
skylinker is offline  
Old 05-16-2008, 10:19 PM   #20 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,649
OS: XP SP3


Re: Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello skylinker. No malware or registry entry is showing that would prevent you from running in Safe Mode.

Does Windows fully load in Safe Mode?

At what point does it 'freeze'?

Do you click on anything that causes it to freeze, or is Safe Mode unresponsive to the keyboard or mouse?

Windows Defender scans the system just fine, so let's try this:

Uninstall both Spybot S&D and AVG via Programs and Features in your Control Panel.

Reboot your computer.

Then download, re-install, and update those programs. Try to scan again and let us know if it was successful.
chemist is offline  
 


Copyright 2001 - 2009, Tech Support Forum